ecobee3 lite Unencrypted Data Storage

Unranked
Advisory ID: L9-15-159
Published: June 28, 2021
Updated: August 19, 2021
Category: Unencrypted Data Storage
Vendor: ecobee
Product: ecobee3 lite
Version: 4.5.81.200

Risk Summary

The ecobee3 lite device does not encrypt its NAND flash storage. Both the device firmware and user information are stored on the flash chip. A threat actor with physical access to the ecobee3 lite device can extract sensitive data by removing the NAND flash chip and connecting to it directly with a parallel flash reader.

With a copy of the device firmware, a threat actor can perform offline analysis to identify vulnerabilities in the device, including recovering the root password.

Technical Details

The research team demonstrated that device storage was unencrypted by desoldering the NAND chip and connecting to it directly with a parallel flash reader.

ecobee3 lite hardware

Reballing flash

The assessment team was able to recover the content of the device. Using the recovered information, the assessment team was able to extract the root passwords/PINs used to access the serial console on the device.

Root password extraction
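
The check below is an added example, not part of the original advisory or any vendor code: it scores a raw storage image by per-block Shannon entropy so a product team can confirm whether data at rest reads as plaintext. The block size, threshold, function names and sample images are constructed assumptions.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096      # analysis window in bytes (assumed; not taken from the advisory)
THRESHOLD = 7.5   # bits per byte; encrypted data sits close to 8.0 (assumed cut-off)

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, from 0.0 to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def low_entropy_fraction(image: bytes, block: int = BLOCK,
                         threshold: float = THRESHOLD) -> float:
    """Fraction of programmed blocks that score below the threshold."""
    flags = []
    for off in range(0, len(image), block):
        chunk = image[off:off + block]
        if chunk.count(0xFF) == len(chunk):
            continue  # erased NAND reads back as 0xFF; it says nothing either way
        flags.append(shannon_entropy(chunk) < threshold)
    return sum(flags) / len(flags) if flags else 0.0

def looks_encrypted(image: bytes, max_low: float = 0.05) -> bool:
    """True when almost no programmed block reads like plaintext."""
    return low_entropy_fraction(image) <= max_low

# Constructed sample images (not data from any device).
PLAINTEXT_LIKE = b"hostname=thermostat\nwifi_ssid=example-net\n" * 500
CIPHERTEXT_LIKE = b"".join(
    hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(512)
)

if __name__ == "__main__":
    for name, img in [("plaintext-like", PLAINTEXT_LIKE),
                      ("ciphertext-like", CIPHERTEXT_LIKE),
                      ("mixed", CIPHERTEXT_LIKE + PLAINTEXT_LIKE)]:
        print(f"{name}: low-entropy fraction {low_entropy_fraction(img):.2f}, "
              f"looks encrypted: {looks_encrypted(img)}")
```

A passing result is necessary rather than sufficient, because compressed data also scores near 8 bits per byte; a failing result shows that readable data is present in the image.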