@ray please have a look at the Wi-Fi vulnerabilities recently discovered: https://www.fragattacks.com/
How deeply should we be concerned?
E.g. I'm specifically thinking of this:
"How can the adversary construct unencrypted Wi-Fi frames so they are accepted by a vulnerable device? First, certain Wi-Fi devices accept any unencrypted frame even when connected to a protected Wi-Fi network. This means the attacker doesn't have to do anything special! Two out of four tested home routers were affected by this vulnerability, several internet-of-things devices were affected, and some smartphones were affected."
Since OpenSprinkler accepts HTTP commands in plain, it could be possible to send unencrypted Wi-Fi frames to the unit, which could be misinterpreted.
AFAIK, Espressif released an update to ESP-IDF which includes patches for the FragAttacks CVEs. See their Security Advisory.
The fixes have been added to ESP-IDF versions:
Master (ef127ab9)
Release v4.3.1 (46144f70)
Release v4.2.2 (60ccb3fe)
Release v4.1.2 (97c8be71)
Release v4.0.4 (7504329e)
Release v3.3.6 (b403b0db)
Can you please have a look at the prebuilt binaries? Would it be possible to release new ones based on the fixed core?