ecobee3 lite Shell from Serial Debug Port

Unranked
Advisory IDL9-15-158PublishedJune 28, 2021UpdatedAugust 19, 2021
CategoryUnprotected Debug PortsVendorecobeeProductecobee3 LiteVersion4.5.81.200

Risk Summary

The ecobee3 Lite hardware board contains a Universal Asynchronous Receiver/Transmitter (UART) interface on the application board that allows a threat actor to access a password protected interactive shell. The password for the shell can be recovered through firmware reverse engineering, allowing a threat actor to gain underlying operating system access to the device.

Technical Details

The ecobee3 Lite device has the UART interface obscured on the PCB board. The research team connected to the serial/UART interface on the device using a USB to serial adapter.

Connecting to the UART interface

Connecting to the UART interface

The team was able to intercept autoboot using the discovered root password and subsequently gain console access to the full device.

Debug password

Debug password

Root access

Root access