PT-2019-14365 · Eques · Eques Elf Smart Plug

Iamckn · Published 2019-08-29 · Updated 2019-09-05 · CVE-2019-15745

CVSS v2.0: 3.3 (Low)

Vector: AV:A/AC:L/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Eques elf smart plug (affected versions not specified)

Description: The issue concerns the use of a hardcoded 256-bit AES key for encrypting commands and responses between the Eques elf smart plug device and its mobile app. Communication occurs over UDP port 27431. Because the key is the same for every device and is embedded in the app, an attacker on the local network can use it to send encrypted commands, potentially allowing them to discover all smart plugs on the network, gain control of a device, and perform actions like turning it on and off.

Recommendations: For the Eques elf smart plug, consider restricting access to UDP port 27431 (for example, by isolating the plug on a separate network segment or VLAN and allowing only trusted hosts to reach that port) to minimize the risk of exploitation. As a temporary workaround, limit the discovery and control features of the smart plug until a patch or a secure key management system (per-device keys rather than a single shared key) is implemented. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Using Hardcoded Credentials


Weakness Enumeration

Related Identifiers

CVE-2019-15745

Affected Products

Eques Elf Smart Plug