ESPCanary Detects If a Hacker Is Spying on Your Network

Reddit user mudmin has created an Arduino library that transforms an ESP8266 or ESP32 into an FTP server to detect if a hacker is spying on your network. Using it is very simple. Create a web bug/URL token and paste it into the sketch as the canary variable. mudmin’s ESPCanary project is available on GitHub.

Advanced tracking can also be utilized. All you need to do is use the other canary tokens, upload them to the SPIFFS of the ESP board. From there, the hacker can download and trigger the tokens.

Even though it looks as if anyone can upload and rename files on the FTP server, it’s simply not the case. Those modifications are flushed away when the files are reloaded. They aren’t actually on the ESP in the first place.

When configuring the FTP server, you can specify a username and/or password that connects to the server. Connecting to the ESP over FTP is pretty straightforward. Get the IP from the serial monitor and connect with the username and password with port 21. Allowing insecure connections can be enabled by ticking a box as well.

The ESPcanary is prompted when a hacker connects to the FTP server and sends an email that warns you they’re spying on your network. The email contains the source IP, which is the FTP server’s IP. It also shows user-agent, the IP address of the hacker connecting to the server.

You can even specify any webhook URL if you don’t want to use canarytokens.org. This lets you append the hacker’s IP to the query string as an additional parameter.