
Attacker within IR range can install arbitrary firmware over the air

Aleph Research Advisory

Identifier

Severity

High

Product

Electra Smart Kit for Split AC

Vulnerable Version

Electra Smart Kit for Split AC

Technical Details

An attacker located within the IR range of an AC unit utilizing the Electra Smart Kit can communicate with the unit and cause the unit to connect to a malicious WiFi network.

That WiFi network can be used to direct the unit to a malicious update server. The malicious update server can be used to return arbitrary firmware that will be flashed onto the device.

Timeline

  • 12-Mar-23: Public disclosure.
  • 12-Mar-23: CVE-2023-24503 assigned.
  • 30-Oct-22: Reported.

Posts

Credit