ecobee3 lite Shell from Serial Debug Port – Level Nine Group

Unranked
Advisory ID: L9-15-158
First Published: June, 28th, 2021
Last Updated: January, 22nd, 2024
Version: 4.5.81.200
Category: Unprotected Debug Ports
Vendor: ecobee
Product: ecobee3 lite

Risk Summary

The ecobee3 lite application board exposes a Universal Asynchronous Receiver/Transmitter (UART) interface that allows a threat actor to access a password-protected interactive shell. The password for the shell can be recovered through firmware reverse engineering, allowing a threat actor to gain underlying operating system access to the device.

Technical Details

The UART interface on the ecobee3 lite is obscured on the PCB. The research team connected to the serial/UART interface on the device using a USB-to-serial adapter.

Connecting to the UART interface

The team was able to intercept autoboot using the discovered root password and subsequently gain console access to the full device.

Debug password

Root access
