Updated: This story was updated on Feb. 17 to note that as of Feb. 15 Netatmo had updated its process to fix this security flaw.
The Netatmo weather station, a popular and nicely designed connected weather station, sends your Wi-Fi password, along with other device and network information, over the internet in the clear. Johannes Ullrich, CTO at the SANS Internet Storm Center in Jacksonville, Florida, posted a blog entry on Thursday documenting the device's lack of security. He was fairly mild-mannered about the lapse, pointing out that the transmission of his credentials happened only during setup and was not repeated when he restarted the device, explaining:
"So what happened? After looking at the full capture of the data, I found that indeed the weather station sent my password to 'the cloud', along with some other data. The data include the weather station's MAC address, the SSID of the WiFi network, and some hex encoded snippets.
Not only should data like this not be transmitted 'in the clear', but in addition, there is no need for Netatmo to know the WPA password for my network."
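The check Ullrich describes is easy to repeat on any new connected device: capture its setup traffic, then search the reassembled payloads for your SSID and WPA passphrase. The script below is an added example written for this article, not code from the SANS ISC post or from Netatmo. It runs over a constructed sample session (the hostnames, form fields and values are invented) and looks for each secret both as plain text and hex-encoded, since the post mentions hex-encoded snippets travelling next to the password. A hit on the passphrase is the serious finding: it means the credential left the LAN readable by anyone on the path to the vendor's servers, not just by someone with a sniffer outside the house.

```python
"""Check captured device-setup payloads for a Wi-Fi passphrase sent in the clear.

Added example, not code from the SANS ISC post or from Netatmo. The sample
session below is constructed; hostnames, fields and values are invented.
"""
import binascii
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    dst: str        # where the leaking payload was headed (host:port)
    field: str      # "ssid" or "passphrase"
    encoding: str   # "plain" or "hex"


def needles(secret: str) -> dict:
    """Byte patterns that reveal `secret` in a payload: as typed, and hex-encoded."""
    raw = secret.encode("utf-8")
    return {"plain": raw, "hex": binascii.hexlify(raw)}


def scan_payloads(payloads, ssid, passphrase):
    """payloads: iterable of (destination, bytes) reassembled from a capture.

    Returns one Finding per (payload, field, encoding) in which the SSID or
    the WPA passphrase appears in recoverable form. TLS records are opaque,
    so a match can only come from traffic that was not encrypted.
    """
    found = []
    for dst, data in payloads:
        for field, secret in (("ssid", ssid), ("passphrase", passphrase)):
            for enc, needle in needles(secret).items():
                # hex may be emitted in either case; check both for the hex needle
                if needle in data or (enc == "hex" and needle.upper() in data):
                    found.append(Finding(dst, field, enc))
    return found


def passphrase_leaks(findings):
    """Destinations that received the passphrase itself, in any encoding."""
    return sorted({f.dst for f in findings if f.field == "passphrase"})


# Constructed sample session (assumption, not real Netatmo traffic): one
# registration POST over plain HTTP, and one unrelated TLS record.
SSID = "HomeNet"
PASSPHRASE = "correct-horse-battery"
SAMPLE_PAYLOADS = [
    ("setup.example.net:80",
     b"POST /register HTTP/1.1\r\nHost: setup.example.net\r\n\r\n"
     b"mac=70b3d5001234&ssid=HomeNet&key=correct-horse-battery"
     b"&blob=" + binascii.hexlify(b"correct-horse-battery")),
    ("api.example.net:443",
     b"\x16\x03\x03\x00\x45" + bytes(range(0x45))),   # TLS-looking, opaque
]

if __name__ == "__main__":
    findings = scan_payloads(SAMPLE_PAYLOADS, SSID, PASSPHRASE)
    for f in findings:
        print(f"{f.field} sent {f.encoding} to {f.dst}")
    print("passphrase leaked to:", passphrase_leaks(findings))
```

On a real capture, feed `scan_payloads` the reassembled TCP streams (for example, exported from Wireshark's "Follow TCP Stream" view) rather than individual frames, so a secret split across two segments is still found. The SSID is broadcast anyway, so an SSID-only hit is informational; only a passphrase hit means the device is shipping a credential it should never have had to send.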
After Ullrich reported the bug to Netatmo, the company responded, acknowledging that it does indeed dump all that data from the weather station's memory unencrypted and that it would stop doing so in the coming weeks. I also reached out to Netatmo to understand the issue and why it chose to do this.
And while I doubt that most people should worry about some nefarious actor standing outside their home with a Wi-Fi sniffer at the exact moment they first set up their Netatmo weather station, this does drive home two linked issues I've covered this week: we don't have a set of security best practices for connected devices, and too many consumer connected devices are hitting shelves before they are really ready for the mainstream. That means these devices are missing features, are a bit buggy, or simply haven't been security hardened.
My bet is that when device makers send these "beta" pieces of hardware home with ordinary consumers, trusting that a few software updates will fix any problems down the road, they will ultimately alienate the customer and even turn them off the smart home altogether. After all, when a consumer reads that her home Wi-Fi network may have been compromised, even if only for an instant and because of an issue that will get a fix "in a few weeks," that doesn't exactly inspire confidence.