Researcher discovers security flaw in Netatmo weather station


Updated: This story was updated on Feb. 17 to note that as of Feb. 15 Netatmo had updated its process to fix this security flaw.

The Netatmo weather station, a popular and beautiful connected weather station, apparently sends your Wi-Fi password, along with other device and network information, over the internet unencrypted. Johannes Ullrich, CTO at the SANS Internet Storm Center in Jacksonville, Florida, posted a blog on Thursday documenting the device’s lack of security. He was fairly mild-mannered about the lapse, pointing out that the transmission of his credentials happened only during setup and was not repeated when he restarted the device, explaining:

Not only should data like this not be transmitted “in the clear”, but in addition, there is no need for Netatmo to know the WPA password for my network.

After Ullrich reported the bug to Netatmo, the company responded, acknowledging that the weather station does indeed dump all that data from its memory unencrypted and that it would stop doing so in the coming weeks. I also reached out to Netatmo to understand the issue and why it chose to do this.

And while I doubt that most people should worry that some nefarious actor is outside their home with a Wi-Fi sniffer at the exact moment they first set up their Netatmo weather station, this does drive home two linked issues I’ve covered this week: we don’t have a set of security best practices for connected devices, and many connected devices for the consumer market are hitting shelves before they are really ready for the mainstream. As a result, these devices are missing features, are a bit buggy or simply aren’t security hardened.

My bet is that when device makers send these “beta” pieces of hardware home with ordinary consumers, trusting that a few software updates will fix any problems down the road, they will ultimately alienate those customers and may even turn them off the smart home altogether. After all, when a consumer reads that her home Wi-Fi network may have been compromised, even if only for an instant and because of an issue that will get a fix “in a few weeks,” that doesn’t exactly inspire confidence.

5 Comments

OhPlease

What they’re not saying is that they’ve deleted this ‘debug’ information from their servers. What jerks.

Doc

I think your comment about a “best practices” for IoT security is spot-on.

Many of these devices seem to be developed by people who just don’t know better.

A cookbook approach would help a lot.

Henning

Beta? Bug? What kind of an attitude concerning the data on my own device is this when it is dumped for whatever purposes without further notice? And you should be aware that this device listens into your living/dining/bed room. They say that the data is aggregated over 5 minutes and only a level of sound is recorded. But hey, maybe a small bug…

My NETATMO device has gone offline this very minute.

Rosenblatt

Feb 12: Netatmo weather stations no longer send debug information at installation time. Thanks for reporting this.