ecobee3 lite Heap Overflow
A heap overflow vulnerability exists in the 'HKProcessConfig' function, which overflows the HKWAC object. This object manages the HomeKit Wireless Access Control setup process. A threat actor can craft a malicious payload to control values inside the object, causing the ecobee3 device to connect to a separate WiFi access point.
Given the nature of memory corruption attacks, it may be possible to extend this attack further to achieve code execution.
The Wireless Access Configuration (WAC) server listens on the ecobee3 device on TCP port 1200. This function is normally used when connecting the device to a WiFi access point during initial setup via an iOS device. However, the service remains present after the device has been connected to a wireless network, leaving it exposed to attack.
A threat actor can send a POST request to the endpoint 'http://<thermostat_ip>:1200/config' with a request body greater than 512 bytes, resulting in an overflow of the HKWAC object. The HKWAC object is provisioned with 604 bytes, so any request larger than 604 bytes corrupts the next object on the heap, which could be a path to code execution.
Vulnerable HKWAC object
HKWAC object as initially provisioned
However, a threat actor can send a payload greater than 512 bytes but less than 604 bytes to control specific elements of the HKWAC object, including the flags used to validate whether previous steps of the WAC process have been completed, such as whether the ecobee3 is in 'Access Point' (AP) mode. By exploiting this structure, a threat actor can 'trick' the ecobee3 into accepting a new WiFi access configuration, resulting in the device disconnecting from its current access point and connecting to a threat-actor-controlled access point.
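As an added detection example (not part of the original advisory), the following Python flags requests to the WAC service on TCP port 1200 whose body sizes fall into the two ranges described above: over 512 bytes (reaching into the HKWAC object) and over 604 bytes (past its allocation). The log line format and the sample lines are constructed for illustration.

```python
from dataclasses import dataclass

WAC_PORT = 1200
WAC_CONFIG_PATH = "/config"
# Thresholds from the advisory: bodies above 512 bytes reach into the HKWAC
# object; above its 604-byte allocation they corrupt the next heap object.
FIELD_OVERFLOW_BYTES = 512
OBJECT_SIZE_BYTES = 604

@dataclass
class HttpRequest:
    src: str
    dst_port: int
    method: str
    path: str
    content_length: int

def classify(req: HttpRequest) -> str:
    """Return 'ok', 'wac-field-overflow' or 'wac-heap-corruption'."""
    if (req.dst_port != WAC_PORT or req.method != "POST"
            or req.path != WAC_CONFIG_PATH):
        return "ok"
    if req.content_length > OBJECT_SIZE_BYTES:
        return "wac-heap-corruption"
    if req.content_length > FIELD_OVERFLOW_BYTES:
        return "wac-field-overflow"
    return "ok"

def parse_line(line: str) -> HttpRequest:
    """Parse a constructed log line: '<src> <dst_port> <method> <path> <len>'."""
    src, port, method, path, clen = line.split()
    return HttpRequest(src, int(port), method, path, int(clen))

# Constructed sample lines, not captured traffic.
SAMPLE_LOG = """\
10.0.0.5 1200 POST /config 180
10.0.0.5 1200 POST /config 590
10.0.0.9 1200 POST /config 1400
10.0.0.5 1200 POST /configured 0
10.0.0.5 80 POST /config 900
"""

def find_alerts(log: str) -> list[tuple[str, str]]:
    """Return (source, verdict) for every logged request that is not 'ok'."""
    reqs = (parse_line(line) for line in log.splitlines() if line.strip())
    return [(r.src, v) for r in reqs if (v := classify(r)) != "ok"]

if __name__ == "__main__":
    for src, verdict in find_alerts(SAMPLE_LOG):
        print(f"{src}: {verdict}")
```

Because the /config endpoint is only needed during initial setup, any POST to it on an already-provisioned thermostat is worth reviewing regardless of size.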
Flags checked in HKWAC object
Byte 592 calls HKWifiConnectSetup function
As an example, the device was connected to the SSID 'TheFlooNetwork' using the normal setup procedure. The research team then sent a crafted payload that overflowed the HKWAC object and caused the device to connect to the SSID 'hackpi'. The payload did not require authentication and could potentially be used in cross-site request forgery (CSRF) attacks.
ecobee3 lite connected to "TheFlooNetwork"
Payload sent to device causing it to change WiFi access points
Serial output shows the device changing to the "hackpi" WiFi access point
Request sent on the new access point to "/configured" to complete the setup
Serial output shows the device completing the setup process