ecobee3 lite Shell from Serial Debug Port
The ecobee3 Lite application board contains a Universal Asynchronous Receiver/Transmitter (UART) interface that allows a threat actor to access a password-protected interactive shell. The password for the shell can be recovered through firmware reverse engineering, allowing a threat actor to gain underlying operating system access to the device.
The ecobee3 Lite device has the UART interface obscured on the PCB. The research team connected to the serial/UART interface on the device using a USB-to-serial adapter.
Connecting to the UART interface
The team was able to intercept autoboot using the discovered root password and subsequently gain console access to the full device.