Chapter 4. API Guides
4.34.1 ESP32-S2 Wi-Fi Security Features
• Support for Protected Management Frames (PMF)
• Support for WPA3-Personal
In addition to traditional security methods (WEP/WPA-TKIP/WPA2-CCMP), ESP32-S2 Wi-Fi supports state-of-
the-art security protocols, namely Protected Management Frames based on 802.11w standard and Wi-Fi Protected
Access 3 (WPA3-Personal). Together, PMF and WPA3 provide better privacy and robustness against known attacks
on traditional modes.
4.34.2 Protected Management Frames (PMF)
Introduction
In Wi-Fi, management frames such as beacons, probes, (de)authentication, (dis)association are used by non-AP
stations to scan and connect to an AP. Unlike data frames, these frames are sent unencrypted. An attacker can
use eavesdropping and packet injection to send spoofed (de)authentication/(dis)association frames at the right time,
leading to the following attacks in case of unprotected management frame exchanges.
• DOS attack on one or all clients in the range of the attacker.
• Tearing down existing association on AP side by sending association request.
• Forcing a client to perform 4-way handshake again in case PSK is compromised in order to get PTK.
• Getting SSID of hidden network from association request.
• Launching man-in-the-middle attack by forcing clients to deauth from legitimate AP and associating to a rogue
one.
PMF provides protection against these attacks by encrypting unicast management frames and providing integrity
checks for broadcast management frames. These include deauthentication, disassociation and robust management
frames. It also provides Secure Association (SA) teardown mechanism to prevent spoofed association/authentication
frames from disconnecting already connected clients.
API & Usage
esp_wifi_set_config() can be used to configure PMF mode by setting appropriate flags in pmf_cfg param-
eter. Currently, PMF is supported only in Station mode. While setting up a Station, configure PMF using two flags
capable and required like below.
wifi_config_t wifi_config = {
.sta = {
.ssid = EXAMPLE_WIFI_SSID,
.password = EXAMPLE_WIFI_PASSWORD,
.pmf_cfg = {
.capable = true,
.required = false
}
}
};
ESP32-S2 supports three modes of PMF by combination of these two flags -
• PMF Optional : .capable = true, .required = false
• PMF Required : .capable = true, .required = true
• PMF Disabled : .capable = false, .required = false
Depending on what AP side PMF Mode is, the resulting connnection will behave differently. The table below
summarises all possible outcomes -
Espressif Systems 1560
Submit Document Feedback
Release v4.4
To Next Page
Loading...
Need help?
General