A WiFi hotspot with a known password is always availiable on unconfigured units

Aleph Research Advisory

Identifier

CVE-2023-24502

Severity

High

Product

Electra Central AC

Vulnerable Versions

Electra Central AC Smart WiFi Controller v4
Electra Central AC Smart WiFi Controller v5
Electra Central AC Smart WiFi Controller v7
Electra Central AC Smart WiFi Controller v8

Technical Details

Before the unit is configured and connected to the cloud, it automatically opens a WiFi hotspot. The password to the hotspot is always the name of the hotspot (with the characters SSID replaced with PASS).

Thus, an attacker can always connect to an unconfigured unit within the WiFi range (can be done outside the building), and leverage that connection to exploit additional vulnerabilities.

Timeline

12-Mar-23
: Public disclosure.
12-Mar-23
: CVE-2023-24502 assigned.
30-Oct-22
: Reported.

Posts

Why is it so hot here? Hacking Electra Smart air conditioners for fun and profit
By Lev Aronsky & Idan Strovinsky,
19-Jun 2023

Credit

Lev Aronsky (@levaronsky) of Aleph Research, HCL Technologies
Idan Strovinsky of Aleph Research, HCL Technologies