Hard-coded Default Root Credentials for All ecobee3 lite Devices

Unranked
Advisory ID: L9-15-160
Published: June 28, 2021
Updated: August 19, 2021
Category: Global Default Credentials
Vendor: ecobee
Product: ecobee3 lite
Version: 4.5.81.200

Risk Summary

Hard-coded default root credentials exist across all devices, potentially allowing a threat actor to gain privileged access to the ecobee3 lite device. The root passwords reserved for admin users can be discovered by reverse engineering the compiled firmware. The password is stored as a hash but lacks complexity and can be easily brute-forced. Using the cracked password, a threat actor can gain access to the serial console on the device. The threat actor could use this privilege to extract sensitive information or modify the device.

Technical Details

The research team obtained the root credentials by extracting the contents of the NAND flash. The credentials were cracked using brute-force techniques and were then used to gain access to the password-protected serial console.

Credential firmware dump

Cracked passwords

Root access

Debug port password
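
A build-time check for the condition described above, as an added example that is not part of the original advisory and is not ecobee code. It assumes the credentials sit in a crypt(3)-style shadow file inside the unpacked firmware, which the advisory does not state; the dump names and hash strings are constructed placeholders.

```python
# Added example: audit shadow-format files taken from unpacked firmware dumps.
# Assumption: credentials live in a crypt(3)-style shadow file; the advisory does not say.

# crypt(3) prefixes -> (scheme name, acceptable for new firmware)
SCHEMES = {"$1$": ("md5crypt", False), "$5$": ("sha256crypt", True),
           "$6$": ("sha512crypt", True), "$y$": ("yescrypt", True),
           "$2a$": ("bcrypt", True), "$2b$": ("bcrypt", True), "$2y$": ("bcrypt", True)}

# Constructed sample input: placeholder hashes, not from any real device.
SAMPLE_DUMPS = {
    "unit-a": "root:$1$EXAMPLE0$CONSTRUCTEDPLACEHOLDER:18000:0:99999:7:::\n"
              "daemon:*:18000:0:99999:7:::\n",
    "unit-b": "root:$1$EXAMPLE0$CONSTRUCTEDPLACEHOLDER:18000:0:99999:7:::\n"
              "daemon:*:18000:0:99999:7:::\n",
}

def classify(field):
    """Return (scheme, acceptable), or None when password login is locked."""
    if field == "":
        return ("empty", False)          # account usable with no password
    if field[0] in "!*":
        return None                      # locked: no password login possible
    for prefix, info in SCHEMES.items():
        if field.startswith(prefix):
            return info
    return ("descrypt-or-unknown", False)

def audit(dumps):
    """dumps: {dump_name: shadow_text}. Returns a sorted list of finding tuples."""
    findings, seen = [], {}
    for name, text in dumps.items():
        for line in text.splitlines():
            parts = line.split(":")
            if line.startswith("#") or len(parts) < 2:
                continue
            user, field = parts[0], parts[1]
            result = classify(field)
            if result is None:
                continue
            scheme, acceptable = result
            findings.append((name, user, "embedded-login-hash:" + scheme))
            if not acceptable:
                findings.append((name, user, "weak-scheme:" + scheme))
            seen.setdefault((user, field), []).append(name)
    # The same salted hash on more than one unit means a shared, hard-coded password.
    for (user, _), names in seen.items():
        if len(names) > 1:
            findings.append(("+".join(sorted(names)), user, "identical-hash-across-units"))
    return sorted(findings)
```

Run against the shadow files of two or more release images or unit dumps, any "identical-hash-across-units" finding is the condition this advisory reports and should fail the build.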