CVE-2018-6402

Name of the Vulnerable Software and Affected Versions Ecobee Ecobee4 version 4.2.0.171

Description The issue allows an attacker to force the device to deauthenticate and connect to an unencrypted Wi-Fi network with the same SSID, even if the device settings specify the use of encryption such as WPA2, as long as the competing network has a stronger signal. This is similar to an "Evil Twin" attack, where the attacker sets up a nearby SSID.

Recommendations For Ecobee Ecobee4 version 4.2.0.171, consider disabling the Wi-Fi connection until a patch is available, and restrict access to the device to minimize the risk of exploitation. As a temporary workaround, avoid using unencrypted Wi-Fi networks and ensure that the device is connected to a secure network with a strong signal. At the moment, there is no information about a newer version that contains a fix for this vulnerability.