Slashdot Mirror


Netatmo Weather Station Sends WPA Passwords In the Clear

UnderAttack writes The SANS Internet Storm Center is writing that Netatmo weather stations will send the users' WPA password in the clear back to Netatmo. Netatmo states that this is some forgotten debug code that was left in the device. Overall, the device doesn't bother with encryption, but sends all data, not just the password, in the clear. From the article: "After reporting the bug to Netatmo, the company responded, acknowledging that it does indeed dump all that data from the weather station’s memory unencrypted and that it would stop doing that the coming weeks."

37 comments

  1. Ahh, the internet of things... by fuzzyfuzzyfungus · · Score: 4, Interesting

    Why would they shut it down? Clearly this 'feature' is just there to help more things connect themselves to the IoT without inconveniencing the consumer by bothering them for a password!

    1. Re:Ahh, the internet of things... by Richard_at_work · · Score: 3, Informative

      What does this have to do with a newfangled marketing term? We've seen routers, access points and all manner of devices do this sort of thing since the 1990s - data leakage, deliberate or otherwise, it's not a new thing.

    2. Re:Ahh, the internet of things... by fuzzyfuzzyfungus · · Score: 4, Insightful

      There is no direct causal connection, as you say, embedded security has been pretty much crap for ages, particularly in the cheap seats; but it is the case that 'IoT' manages to combine a disturbing enthusiasm for giving anything and everything firmware and an IP address with a security record at least as slapdash and atrocious, if not more, as other low-end embedded vendors, which makes them a particularly messy case.

    3. Re:Ahh, the internet of things... by AmiMoJo · · Score: 3, Insightful

      Sometimes I think the situation is hopeless. Consumers want the lowest possible price and see many items as commodities. Security is expensive.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:Ahh, the internet of things... by CaptainDork · · Score: 2

      This.

      While I don't give a shit if someone can read, in clear text, what the temperature is, or if they can even see the authentication, of a weather station, because it's a low-security device, the larger question is, "What is the threshold that separates innocuous devices from more serious devices?"

      The "no security" feature of these IoT is a culture that can creep into the design of more important web-enabled devices.

      It's a bad habit.

      --
      It little behooves the best of us to comment on the rest of us.
    5. Re:Ahh, the internet of things... by gstoddart · · Score: 2

      Honestly, this is just the on-going demonstration of the fact that most network-enabled consumer products are garbage, written by incompetent and lazy idiots, who neither know nor care about your security or privacy, and pushed out the door by greedy bastards.

      Until there are real penalties for doing crap like this ... I just assume that all things which want to connect to the internet will probably be insecure and dangerous, and therefore won't trust them.

      It's pretty much happening so often that it's a safer starting point ... assume it was rushed out the door, and nobody gave a shit about security. Because evidence shows that's precisely what happens.

      If you can't kick the devs and the marketing weenies in the nuts when their product is proven to be crap ... just don't buy it in the first place.

      If companies do this out of incompetence, or simple greed, I cannot say. But pretty much weekly (or more), we see these exact stories.

      --
      Lost at C:>. Found at C.
    6. Re:Ahh, the internet of things... by Anonymous Coward · · Score: 0

      How many consumers do really want IoT?

      Now if you are an advertiser, or intelligence agency, then tons of insecure devices are really a gold mine for data mining. No wonder there has been a big push in this direction recently.

      Somebody said that temperature data isn't secret, but what if you have a thermometer *indoors*? Then you can determine the number of people present in the room for example.

  2. Taste of things to come by Anonymous Coward · · Score: 5, Insightful

    Wow that's a pretty big oversight. I work in hardware and this sort of stuff is pretty common. I worked for one medical device company that simply XORed their firmware with a fixed 8-bit value to 'encrypt' it. Trouble is that when the design team is trying to fix flow lines on plastic mouldings or get the product through 20k of EMC testing, software security falls to the bottom of the list, and typically a guy who knows how to write embedded code for reading sensors but has no idea what it really means to open a public facing port to the Internet.

    One shudders to think what other debug back doors they have left in there and what sort of shonky TCP/IP library they found on the Internet to stuff into the firmware.

    1. Re:Taste of things to come by AmiMoJo · · Score: 4, Interesting

      I'm looking forward to the first consumer protection law claim on a consumer IoT device. In the UK you could perhaps argue that the device is not fit for purpose, since it can't safely be connected to the internet. The shop you bought it from has "a reasonable length of time" to fix it, which typically means 28 days. If the manufacturer fails to provide an update in that time the shop is screwed and you can get a refund.

      I'm hoping that kind of claim becomes more common. Someone in the UK already got a refund from Amazon when Sony removed features from the PS3. I read that Sony and a few others have already dropped YouTube support from some older smart TVs in Japan, and if it happens in the UK I'd be expecting a partial refund for loss of functionality. The formula is basically the amount of use you have had from the product vs. how long you would expect it to last, multiplied by how much functionality is lost. So, say I spend 1/3rd of my time watching YouTube (possibly an under-estimation, I have a lot of subscriptions but don't watch that much TV overall):

      3 year old TV, would reasonably expect it to last at least 10 years (5 year warranty, expensive plasma screen). So 66% of its reasonable life span remaining. 33% loss of functionality. Say I paid £1500 for this thing, I would expect a £326.70 refund if YouTube stopped working. Alternatively the shop could provide something else with equivalent functionality, such as a set top box or smart BluRay player.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  3. It's a full memory dump by jones_supa · · Score: 4, Informative

    Netatmo states that this is some forgotten debug code that was left in the device.

    It is actually a full memory dump which just happens to contain the WPA password. It seems to have been a legit debug feature, although it of course is a bit stupid that they have left it there. The quality assurance is still a bit crusty with these IoT devices.
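The story above is about secrets leaving the device in the clear, whether in a form post or buried in a memory dump. The following is an added example, not code from the page or from Netatmo, of the check a defender would run over captured egress traffic: search each non-TLS payload for the network's own passphrase under the encodings an application might use (raw, percent-encoded, form-encoded, base64) and report flows that are encrypted and so cannot be inspected. The passphrase, destination addresses and payloads are all constructed placeholders, and the TLS detection is a simple record-header heuristic.

```python
import base64
from urllib.parse import quote, quote_plus

# Constructed sample data (not real Netatmo traffic). The passphrase and the
# destination addresses are placeholders chosen for this example.
WIFI_PSK = "correct horse battery staple"

CAPTURED_FLOWS = [
    # A TLS ClientHello-like record: opaque to this check, reported separately.
    {"dst": "203.0.113.10", "port": 443,
     "payload": b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03"},
    # Plain-HTTP form post carrying the passphrase form-encoded (spaces as '+').
    {"dst": "203.0.113.20", "port": 80,
     "payload": (b"POST /report HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
                 b"ssid=home&psk=correct+horse+battery+staple&temp=21.3")},
    # A raw memory-region dump in which the passphrase sits among other bytes.
    {"dst": "203.0.113.30", "port": 80,
     "payload": (b"POST /dump HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
                 + bytes(range(16)) + b"correct horse battery staple\x00"
                 + bytes(range(16)))},
]


def encodings_of(secret: str) -> dict[str, bytes]:
    """Byte patterns under which a secret might appear in an application payload."""
    raw = secret.encode()
    return {
        "raw": raw,
        "percent-encoded": quote(secret, safe="").encode(),
        "form-encoded": quote_plus(secret).encode(),
        "base64": base64.b64encode(raw),
    }


def looks_like_tls(payload: bytes) -> bool:
    """Heuristic: a TLS handshake record starts with content type 0x16 and major version 3."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def audit_flows(flows, secrets: dict[str, str]) -> dict:
    """Return cleartext secret sightings plus the flows that could not be inspected."""
    leaks, opaque = [], []
    for flow in flows:
        if looks_like_tls(flow["payload"]):
            opaque.append((flow["dst"], flow["port"]))
            continue
        for name, secret in secrets.items():
            for encoding, needle in encodings_of(secret).items():
                if needle in flow["payload"]:
                    leaks.append({"dst": flow["dst"], "port": flow["port"],
                                  "secret": name, "encoding": encoding})
                    break  # one report per secret per flow
    return {"leaks": leaks, "opaque": opaque}


if __name__ == "__main__":
    result = audit_flows(CAPTURED_FLOWS, {"wifi_psk": WIFI_PSK})
    for leak in result["leaks"]:
        print(f"{leak['secret']} sent in the clear to {leak['dst']}:{leak['port']} ({leak['encoding']})")
    for dst, port in result["opaque"]:
        print(f"{dst}:{port}: encrypted, contents not inspected")
```

On the constructed flows the check reports two cleartext sightings (the form post and the memory dump) and one opaque TLS flow. Searching for the secret rather than for a field name is what catches the dump case, where the passphrase is not labelled at all.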

    1. Re:It's a full memory dump by Anonymous Coward · · Score: 0

      Feb 13: Netatmo weather stations no longer send debug information at installation time. Thanks for reporting this.

    2. Re:It's a full memory dump by drinkypoo · · Score: 4, Interesting

      It is actually a full memory dump which just happens to contain the WPA password. It seems to have been a legit debug feature, although it of course is a bit stupid that they have left it there.

      Yeeeeesss, very "stupid"

      They "stupidly" just got themselves a map of APs and their passwords.

      You're probably right, of course, but how could you distinguish this from an actual attack?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:It's a full memory dump by LordLimecat · · Score: 1

      Because this would be a really stupid way to do an attack.

    4. Re:It's a full memory dump by drinkypoo · · Score: 3, Interesting

      Because this would be a really stupid way to do an attack.

      Well, if you think it would be stupid, then it must be a really good way to do it.

      The best thing about an attack done in this way is that the target doesn't know they were targeted. Since netatmo is so careless at security, they wouldn't even have had to have been the ones who made the attack. Someone else could have diddled their code and kept debug on in release.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  4. Maybe I'm not keeping up? by EzInKy · · Score: 2

    I thought WPA was found to be insecure a long time ago! Are there really still entities that depend on it for security?

    --
    Time is what keeps everything from happening all at once.
    1. Re:Maybe I'm not keeping up? by EzInKy · · Score: 2

      Are you sure? I thought WPA2 was created to solve the problems with WPA.

      --
      Time is what keeps everything from happening all at once.
    2. Re:Maybe I'm not keeping up? by EzInKy · · Score: 2

      So WPA2 wasn't necessary? Really looking forward to you enlightening me here.

      --
      Time is what keeps everything from happening all at once.
    3. Re:Maybe I'm not keeping up? by Anonymous Coward · · Score: 1

      Well, Wikipedia says that WPA was an intermediate standard to quickly get something to replace the insecure WEP. Later WPA2 became the robust, more polished version of WPA. So if your devices support WPA2, there's no reason not to use it, but it seems that you are not in danger with WPA1 either.

    4. Re:Maybe I'm not keeping up? by Anonymous Coward · · Score: 1

      WPA uses rc4 encryption - which can be cracked by collecting enough packets encrypted with the same key. WPA usually ensures the key is rotated before that happens though. WPA2 does not have this known weakness, so it is considered to be better.

    5. Re:Maybe I'm not keeping up? by _merlin · · Score: 2

      WPA is TKIP. It's a way of making the network more secure than WEP without requiring major hardware upgrades (uses the same RC4 cipher as WEP). WPA2 introduces AES encryption. IIRC there are known vulnerabilities that allow an attacker to inject packets into a WPA connection.

    6. Re:Maybe I'm not keeping up? by Anonymous Coward · · Score: 1

      Correct, although many WiFi devices support WPA in AES mode too. WPA-AES with a strong preshared key should be pretty good.

    7. Re:Maybe I'm not keeping up? by LordLimecat · · Score: 1

      WPA uses portions from WEP, but AFAIK it's not terribly vulnerable because it was designed better. There are "weaknesses" but as I recall current attacks on WPA basically boil down to bruteforce.

    8. Re:Maybe I'm not keeping up? by LordLimecat · · Score: 2

      WPA uses rc4 encryption - which can be cracked by collecting enough packets encypted with the same key

      Unless I'm mistaken, RC4 is not in itself vulnerable or broken; it was used very widely in 2011 when AES was under siege by the BEAST attack (Google.com actually used it). The worst that could be said for it (as I understand) is that it's a little too simple and fast for people to have full confidence in it, not to mention its age.

      Based on my limited understanding of it, your statement about rotation is sort of kind of correct, but misleading in that it implies that the issue is with RC4 itself and not the specific way that it was implemented.

    9. Re:Maybe I'm not keeping up? by drinkypoo · · Score: 1

      Correct, although many WiFi devices support WPA in AES mode too. WPA-AES with a strong preshared key should be pretty good.

      Similarly, most devices also seem to support WPA2 in TKIP mode.

      If you really want security, you must turn to cert-based IPSEC, with a cert per client. Yes, ugh. So much ugh. But otherwise, who knows what apps are stealing your credentials?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
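The point made in this subthread, that "WPA in AES mode" and "WPA2 in TKIP mode" both exist and that the pairwise cipher matters more than the version label, can be checked mechanically against an access point's configuration. The following is an added example, not code from the page or from any project it mentions, that parses hostapd-style `key=value` configurations and reports which ciphers would actually be offered. The configurations are constructed placeholders; the key names (`wpa`, `wpa_pairwise`, `rsn_pairwise`, `wpa_key_mgmt`, `wpa_passphrase`) are hostapd's, and the assumption that `rsn_pairwise` inherits `wpa_pairwise` when absent, and that an unset `wpa_pairwise` means "TKIP CCMP", follows my reading of hostapd's documented defaults.

```python
# Constructed hostapd-style configurations (placeholders, not a real deployment).
# Semantics assumed here, per hostapd.conf: wpa is a bitmask (1 = WPA, 2 = WPA2/RSN),
# wpa_pairwise lists ciphers offered for WPA, rsn_pairwise lists ciphers offered
# for WPA2 and falls back to wpa_pairwise when absent.
DEFAULT_PAIRWISE = "TKIP CCMP"  # assumed hostapd default when wpa_pairwise is unset

CONF_WPA_TKIP = """\
interface=wlan0
ssid=home
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_passphrase=REPLACE_ME_PLACEHOLDER
wpa_pairwise=TKIP
"""

CONF_WPA2_TKIP = """\
# "WPA2" on the label, RC4-based TKIP on the wire: rsn_pairwise inherits wpa_pairwise
interface=wlan0
ssid=home
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=REPLACE_ME_PLACEHOLDER
wpa_pairwise=TKIP
"""

CONF_MIXED = """\
interface=wlan0
ssid=home
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_passphrase=REPLACE_ME_PLACEHOLDER
wpa_pairwise=TKIP
rsn_pairwise=CCMP
"""

CONF_WPA2_CCMP = """\
interface=wlan0
ssid=home
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=REPLACE_ME_PLACEHOLDER
rsn_pairwise=CCMP
"""


def parse_hostapd(text: str) -> dict[str, str]:
    """Minimal key=value parser; ignores blank lines and '#' comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def offered_ciphers(cfg: dict[str, str]) -> dict[str, set[str]]:
    """Pairwise ciphers the AP would offer for each enabled protocol version."""
    wpa = int(cfg.get("wpa", "0"))
    wpa_pairwise = cfg.get("wpa_pairwise", DEFAULT_PAIRWISE)
    offered = {}
    if wpa & 1:
        offered["WPA"] = set(wpa_pairwise.split())
    if wpa & 2:
        offered["WPA2"] = set(cfg.get("rsn_pairwise", wpa_pairwise).split())
    return offered


def assess(cfg: dict[str, str]) -> list[str]:
    """Findings for a PSK network: what is negotiated on the wire, not the label."""
    findings = []
    offered = offered_ciphers(cfg)
    if not offered:
        findings.append("no WPA/WPA2 enabled (open or WEP network)")
    if "WPA" in offered:
        findings.append("WPA (version 1) negotiation enabled")
    for proto, ciphers in offered.items():
        if "TKIP" in ciphers:
            findings.append(f"{proto} offers TKIP (RC4-based) as a pairwise cipher")
    return findings


if __name__ == "__main__":
    for name, text in [("WPA/TKIP", CONF_WPA_TKIP), ("WPA2/TKIP", CONF_WPA2_TKIP),
                       ("mixed", CONF_MIXED), ("WPA2/CCMP", CONF_WPA2_CCMP)]:
        print(name, "->", assess(parse_hostapd(text)) or ["ok"])
```

The second configuration is the case drinkypoo describes: `wpa=2` alone does not buy anything if `wpa_pairwise=TKIP` is inherited, and the checker flags it. Only the last configuration, WPA2 with CCMP as the sole pairwise cipher, comes back clean.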
    10. Re:Maybe I'm not keeping up? by Anonymous Coward · · Score: 0

      Indeed! The article gives the impression that any device that you put behind your firewall - on your local network - could have this capability. It places the responsibility to establish trust solely on the end user's shoulders. It seems clear that the supplier did not suffer any appropriate consequences - such as prison time and a bankrupting fine.

      A hookup with most of today's vendors carries less commitment than a Vegas marriage.

  5. Funny by Anonymous Coward · · Score: 0

    So somehow they didn't catch the fact that their released product sends them more data than expected? Or that they forgot to disable the debug feature in the final release compile?

    Makes me wonder what else they have forgotten in firmware...

  6. The science is settled by Anonymous Coward · · Score: 0

    1) Boost actual temperatures by a degree on a bunch of these stations
    2) Blame it on ManBearPig
    3) ????
    4) Profit!

    1. Re:The science is settled by Retron · · Score: 1

      They *do* seem to overread compared with proper weather stations, if you look at wundermap - although that could be because they're sold more as a fashion accessory than a serious weather instrument and owners may not be siting them properly.

  7. Clarke's razor? Hanlon's Third Law? Oh, My! by Anonymous Coward · · Score: 0

    Any sufficiently advanced malice is indistinguishable from stupidity?

  8. Phones send the same information to their vendors by Anonymous Coward · · Score: 1

    So what else is new? People leave their phones at the default settings, which makes them back up the wifi passwords "to cloud". In practice Apple and Google and their "partners" have access to millions of wifi networks. They just gather the data over SSL to avoid leaking that to competitors.

  9. It's a weather station why even have passwords? by Anonymous Coward · · Score: 0

    Why would a weather station reporting weather data even have a password to access it?

    1. Re:It's a weather station why even have passwords? by Anonymous Coward · · Score: 0

      They are not stealing the weather station password.
      They are STEALING the WPA password that would allow them full access to any device on your home network.
      Once they get in, who knows what else they will steal.
      They are not selling a weather station, they are selling a Trojan Horse.
      If I owned this piece of crap, I would demand a full refund and verifiable proof that my information was not retained or shared.

  10. QA? by Anonymous Coward · · Score: 0

    Netatmo states that this is some forgotten debug code that was left in the device.

    That does not give me confidence in their company or their QA team....