Attacker within WiFi range can install arbitrary firmware over the air on unconfigured units

Aleph Research Advisory

Identifier

CVE-2023-24500

Severity

High

Product

Electra Central AC

Vulnerable Versions

Electra Central AC Smart WiFi Controller v7
Electra Central AC Smart WiFi Controller v8

Technical Details

An attacker located within the WiFi range of an unconfigured (i.e., not connected to the cloud) unit can communicate with the unit and cause the unit to connect to a malicious WiFi, that will redirect the unit to a malicous update server upon boot.

The malicious update server can be used to return arbitrary firmware that will be flashed onto the device.

Timeline

12-Mar-23
: Public disclosure.
12-Mar-23
: CVE-2023-24500 assigned.
30-Oct-22
: Reported.

Posts

Why is it so hot here? Hacking Electra Smart air conditioners for fun and profit
By Lev Aronsky & Idan Strovinsky,
19-Jun 2023

Credit

Lev Aronsky (@levaronsky) of Aleph Research, HCL Technologies
Idan Strovinsky of Aleph Research, HCL Technologies