Credentials for connecting to the MQTT server hardcoded inside the firmware

Aleph Research Advisory

Identifier

CVE-2023-24501

Severity

Critical

Product

Electra Central AC

Vulnerable Versions

Electra Central AC Smart WiFi Controller v4
Electra Central AC Smart WiFi Controller v5

Technical Details

The connection to the MQTT server used to control the AC over the Internet uses a password that is hardcoded into the firmware (i.e., it’s shared between all the units and can be easily obtained).

On top of that, the firmware on these versions (v4/v5) of the units is not updateable, so changing the password on the server without breaking functionality is not possible.

Timeline

12-Mar-23
: Public disclosure.
12-Mar-23
: CVE-2023-24501 assigned.
30-Oct-22
: Reported.

Posts

Why is it so hot here? Hacking Electra Smart air conditioners for fun and profit
By Lev Aronsky & Idan Strovinsky,
19-Jun 2023

Credit

Lev Aronsky (@levaronsky) of Aleph Research, HCL Technologies
Idan Strovinsky of Aleph Research, HCL Technologies