Implement ESP8266WiFiClass::encryptionType()

[chaeplin]

I read http://mobile.slashdot.org/story/15/10/20/1618209/tattling-kettles-help-researchers-crack-wifi-networks-in-london https://www.pentestpartners.com/blog/hacking-kettles-extracting-plain-text-wpa-psks-yes-really/
....
The brief version:
De-auth kettle from its usual access point. Use aireplay-ng
Create fake AP with same SSID
Kettle joins
Connect to telnet service, authenticate using default PIN of ‘000000’
Enter ‘AT-KEY’
Plaintext WPA PSK is then disclosed
Yes, it’s that easy
....

So, I changed my AP's setting from WPA2/AES to OPEN(security disabled) with same SSID.
Then my esp8266 connected to the AP without problem.
(configured with WiFi.begin(ssid, password);)

How to get the encryption type of the current connected network ?

Ref: https://www.arduino.cc/en/Reference/WiFiEncryptionType

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

[drmpf]

So you are saying that, ESP has the same or similar, problem.
That is even if you set up a secure ssid, password on your ESP, it will still connect to an insecure (OPEN) network with the same ssid.
However in the ESP case there is no 'display password' command built in, so not as bad as the kettle, but still not good as you can get access to the ESP device and send it commands.

p.s. When using my Android app, pfodApp, to control WiFi devices, like the ESP, I recommend using the 128bit security option, which adds a secure hash to each msg in both directions to provide end to end security. Commands are still in plain text but without the correct hash they will not be acted on.

[tim-in-oakton]

@drmpf - that approach is still subject to a replay attack, so ensuring idempotent commands would be recommended.

[drmpf]

@tim-in-oakton Yes ESP could be controlled from the open network so still not good.

My approach (http://www.forward.com.au/pfod/secureChallengeResponse/index.html)
protects against replay attack by adding a hidden message seq no to each msg which is included in the hash. The message hashes are calculated initializing SipHash with the “secret key” and then adding the challenge to the hash and then adding the message count in bigEndian format, starting from zero and finally adding the message.
The challenge is different for each and every connection so you cannot replay the whole connection either.

[igrr]

It appears that there is no SDK API to get the encryption mode of the current connection. Perhaps this needs to be raised to Espressif.

[tablatronix]

I don't know of this has changed yet, you could scanNetworks, store BSSIDs and encryptiontypes from the scan, then recheck a connected BSSID against it.. Of course if BSSID is spoofed... shrug