Remote Denial of Service of ecobee3 lite

Unranked
Advisory ID: L9-15-163
Published: June 28, 2021
Updated: August 19, 2021
Category: Null Dereference
Vendor: ecobee
Product: ecobee3 lite
Version: 4.5.81.200

Risk Summary

A threat actor on the same network as the ecobee3 can craft a malicious HTTP request that causes the device to crash and reboot.

Technical Details

The Wireless Access Configuration (WAC) server, which is used to connect the ecobee3 device to the WiFi network using an Apple device, crashes when it receives a specially crafted web request.

Figure: POST request

A threat actor can send a POST request to the endpoint http://<thermostat_ip>:1200/config and omit the 'Content-Type' header, which causes the 'HKProcessConfig==>memcpy' function to read from address 0x00000000 and crashes the main application (idtm). Once the crash has occurred, the 'watchdog' causes the device to reset.

Figure: Normal operations

Figure: Crash dump

Figure: Device crash
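
The missing check behind this crash, shown as an added example that is not ecobee's firmware code: a hypothetical request handler that rejects a POST lacking 'Content-Type' before anything is copied. The names `handle_config`, `find_header`, `ieq`, `CT_MAX` and the structs are all assumptions made for illustration.

```c
/* Added illustration: hypothetical handler, NOT ecobee firmware code. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define CT_MAX 64   /* assumed size of the stored Content-Type field */

struct header  { const char *name; const char *value; };
struct request {
    const char *method;
    const char *path;
    const struct header *headers;
    size_t nheaders;
};
struct config_ctx { char content_type[CT_MAX]; };

/* Case-insensitive equality, since HTTP header names ignore case. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Returns the header value, or NULL when the header is absent. */
static const char *find_header(const struct request *req, const char *name)
{
    for (size_t i = 0; i < req->nheaders; i++)
        if (ieq(req->headers[i].name, name))
            return req->headers[i].value;
    return NULL;
}

/* Returns an HTTP status code; ctx is written only on 200. */
int handle_config(const struct request *req, struct config_ctx *ctx)
{
    if (strcmp(req->path, "/config") != 0) return 404;
    if (strcmp(req->method, "POST") != 0)  return 405;

    const char *ct = find_header(req, "Content-Type");
    if (ct == NULL)              /* absent header: reject, never copy from NULL */
        return 400;
    size_t n = strlen(ct);
    if (n == 0 || n >= CT_MAX)   /* empty, or too long for the field */
        return 400;
    memcpy(ctx->content_type, ct, n + 1);  /* source is non-NULL and bounded */
    return 200;
}
```

Passing the lookup result to `memcpy` without the `ct == NULL` test is the pattern that reads from address 0x00000000.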