As a leader of critical infrastructure cybersecurity research, ICIT has warned about supply chain security concerns in the past and we have supported initiatives and frameworks like Deliver Uncompromised. This publication will serve as the first in an on-going series focused on supply chain security. Subsequent publications will vary in content from high-level thought leadership to technical analysis.

This ICIT publication will discuss the risk posed to devices that rely on the ESP8266 or ESP32 Wi-Fi and Bluetooth low-energy (BLE) integrated circuits (ICs) and modules developed by the Shanghai-based Espressif Systems. Impacted devices include IoT thermostats, smart lightbulbs, smart outlets and switches, smart wearables, sensing devices, HVAC systems, home access control systems, telehealth and medical devices, and industrial controls. These chipsets can be found in consumer devices and critical infrastructure systems alike and the associated risks and potential threats permeate across all sectors. This proof-of-concept case study is constructed to highlight the potential risks pertaining to a single subset of devices, the Espressif ESP8266 and ESP32; however, the methodology and conclusions can be applied to many ICs and subcomponents from many manufacturers. This information is presented to inspire stakeholders to critically examine the security practices of all OEMs in their supply chain and to question anything that seems suspicious.

The Publication Describes:

  • Whether the ESP8266 and ESP32 Devices Present a Security Risk
  • A Model Attack Scenario
    • Targeting Specific Devices
    • Attack Obfuscation
    • Device Synchronization
    • Attack Potential
  • Demonstration of Attack Feasibility

Read the Full Study

The Perfect Weapon, Hidden in Plain Sight: A Study on How the Espressif Wi-Fi and BLE Chips and Modules can be Weaponized for Espionage, Disruption, and Destruction