ecobee3 lite Shell from Serial Debug Port – Level Nine Group
Unranked
Advisory ID:
L9-15-158
First Published:
June, 28th, 2021
Last Updated:
January, 22nd, 2024
Version:
4.5.81.200
Category:
Unprotected Debug Ports
Vendor:
ecobee
Product:
ecobee3 lite
Risk Summary
The ecobee3 Lite hardware board contains a Universal Asynchronous Receiver/Transmitter (UART) interface on the application board that allows a threat actor to access a password protected interactive shell. The password for the shell can be recovered through firmware reverse engineering, allowing a threat actor to gain underlying operating system access to the device.
Technical Details
The ecobee3 Lite device has the UART interface obscured on the PCB board. The research team connected to the serial/UART interface on the device using a USB to serial adapter.
Connecting to the UART interface
The team was able to intercept autoboot using the discovered root password and subsequently gain console access to the full device.