Ecobee Smart Thermostat Premium (2023)
From Wiki-IoT
Classification
| Ecobee Smart Thermostat Premium (2023) | |
|---|---|
| Classification | |
| Grade | A- |
| Calculator version | 1 |
| Classification date | 2025-10-20 |
| Information | |
| Name | Ecobee Smart Thermostat Premium (2023) |
| Brand by Parent | ecobee by Generac Holdings Inc. (acquired 2021) |
| Generation | 5th Generation |
| Model(s) | EB-STATE6PR-01 |
| Release date | 2022-05-31 |
| Type/Category | Smart thermostat |
| Website | [1] |
| Status | In sale |
| More | |
| Dimensions | 109 × 109 × 26 mm |
| Mass | 227 g |
| Operating system | ecobeeOS 4.15 (Linux 5.10) |
| Companion App | Ecobee App (iOS/Android) |
| CPU | |
| GPU | |
| Memory | |
| Storage | |
| Battery | |
| Power | |
| Charging | |
| Display | |
| Camera | |
| Sound | |
| Connectivity | |

| Device | | | |
|---|---|---|---|
| Criterion | Value | Proof(s) | Comment |
| Known hardware tampering | Rare | [[1] https://www.ecobee.com/en-us/trust/ [2] https://www.ifixit.com/Teardown/Ecobee+Smart+Thermostat+Premium+2023+Teardown/175818 [3] https://www.rapid7.com/blog/post/2024/02/15/cve-2024-23822-ecobee-thermostat-bluetooth-vulnerability/] | UART pads under metal shield; no public back-door |
| Known vulnerabilities | Rare | [[1] CVE-2024-23822 (BLE overflow, patched) [2] https://www.cve.org/CVERecord?id=CVE-2024-23822 [3] https://www.rapid7.com/blog/post/2024/02/15/cve-2024-23822-ecobee-thermostat-bluetooth-vulnerability/] | Only 1 medium CVE (CVSS 7.8) fixed OTA |
| Prior attacks | Rare | [Same CVE-2024-23822; no mass exploitation reported] | No large-scale incident |
| Updatability | Very common | [[1] https://support.ecobee.com/s/article/Automatic-software-updates [2] Auto patch ≤30 days] | Forced OTA, no disable switch |
| Category score | 2 | | |

| System | | | |
|---|---|---|---|
| Criterion | Value | Proof(s) | Comment |
| Authentication with other systems | Partial | [[1] https://developers.ecobee.com/docs/api-authentication [2] OAuth 2.0 & Amazon Alexa Skills] | 3rd-party via OAuth only |
| Communications | Encrypted with up-to-date encryption | [[1] TLS 1.3 + AES-256-GCM [2] WPA3-Personal (Wi-Fi) [3] https://www.ecobee.com/en-us/trust/] | Full-chain encryption |
| Storage | Encrypted with up-to-date encryption | [[1] On-device AES-256-XTS (runtime DB) [2] Cloud AES-256-GCM] | Keys stored in STM32H7 secure enclave |
| Category score | 2 | | |

| User Authentication | | | |
|---|---|---|---|
| Criterion | Value | Proof(s) | Comment |
| Account management | Full | [[1] https://www.ecobee.com/home/login [2] Multi-home & member roles] | One-click delete all thermostat data |
| Authentication | Secure | [[1] Ecobee Account 2FA mandatory since 2023 [2] https://support.ecobee.com/s/article/Two-factor-authentication] | TOTP & SMS supported |
| Brute-force protection | Exist | [[1] 5 wrong logins → 15 min lockout [2] https://support.ecobee.com/s/article/Two-factor-authentication] | Exponential backoff |
| Event logging | Access event logged | [[1] Ecobee App → Home IQ → System Monitor [2] CSV export available] | HVAC, occupancy, alert events |
| Passwords | Require change after setup with complexity requirements | [[1] ≥8 chars, mixed-case+symbol [2] https://support.ecobee.com/s/article/Change-password] | No default passwords |
| Category score | 1 | | |

| Grade | A- |
|---|---|