Remote Denial of Service of ecobee3 lite – Level Nine Group

Unranked
Advisory ID: L9-15-163
First Published: June 28th, 2021
Last Updated: January 22nd, 2024
Version: 4.5.81.200
Category: Null Dereference
Vendor: ecobee
Product: ecobee3 lite

Risk Summary

A threat actor on the same network as the ecobee3 can craft a malicious HTTP request that causes the device to crash and reboot.

Technical Details

The Wireless Access Configuration (WAC) server, which is used to connect the ecobee3 device to a WiFi network using an Apple device, crashes when it receives a specially crafted web request.

POST request

A threat actor can send a POST request to the endpoint http://:1200/config and omit the ‘Content-Type’ header, which causes the ‘HKProcessConfig==>memcpy’ function to read from address 0x00000000 and crashes the main application (idtm). Once a crash has occurred, the ‘watchdog’ causes the device to reset.
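
The class of bug described above, as an added example that is not ecobee's firmware code and not part of the original advisory: a header lookup that returns NULL when 'Content-Type' is absent, first used unchecked and then with the guard that turns the crash into an error reply. The request structures, function names, status codes and the sample header value are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed request model for illustration; not the device's structures. */
struct header { const char *name; const char *value; };
struct request { const struct header *headers; size_t count; };

/* HTTP field names are case-insensitive, so compare them that way. */
static int name_eq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;   /* both strings ended together */
}

/* Returns the header value, or NULL when the request does not carry it. */
static const char *find_header(const struct request *r, const char *name) {
    for (size_t i = 0; i < r->count; i++)
        if (name_eq(r->headers[i].name, name)) return r->headers[i].value;
    return NULL;
}

/* Unchecked pattern: with no Content-Type, v is NULL and gets dereferenced. */
int config_unchecked(const struct request *r, char *out, size_t cap) {
    const char *v = find_header(r, "Content-Type");
    size_t n = strlen(v);               /* reads address 0 when v == NULL */
    if (n >= cap) return 400;
    memcpy(out, v, n + 1);
    return 200;
}

/* Hardened pattern: reject the request before the pointer is ever used. */
int config_checked(const struct request *r, char *out, size_t cap) {
    const char *v = find_header(r, "Content-Type");
    if (v == NULL) return 400;          /* missing header: error reply, no crash */
    size_t n = strlen(v);
    if (n >= cap) return 400;           /* value would not fit the buffer */
    memcpy(out, v, n + 1);              /* n + 1 copies the terminating NUL */
    return 200;
}

int main(void) {
    /* Constructed sample requests: one with the header, one without it. */
    const struct header h[] = { { "content-type", "application/example" } };
    const struct request ok = { h, 1 }, missing = { NULL, 0 };
    char buf[64];
    printf("with header: %d\n", config_checked(&ok, buf, sizeof buf));
    printf("without header: %d\n", config_checked(&missing, buf, sizeof buf));
    return 0;
}
```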

Normal operations

Crash dump

Device crash
