Umberto Barbato

Name of the Vulnerable Software and Affected Versions: eWeLink mobile application versions 4.9.2 and earlier on Android eWeLink mobile application versions 4.9.1 and earlier on iOS Description: The issue allows a physically proximate attacker to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during a device pairing process, due to unconstrained Web access to the device's private encryption key in the QR code pairing mode. Recommendations: For eWeLink mobile application versions 4.9.2 and earlier on Android, update to a version later than 4.9.2 to resolve the issue. For eWeLink mobile application versions 4.9.1 and earlier on iOS, update to a version later than 4.9.1 to resolve the issue. As a temporary workaround, consider restricting the use of the QR code pairing mode until a patch is available.