Slashdot Mirror


Netatmo Weather Station Sends WPA Passwords In the Clear

UnderAttack writes: The SANS Internet Storm Center is writing that Netatmo weather stations will send the user's WPA password in the clear back to Netatmo. Netatmo states that this is some forgotten debug code that was left in the device. Overall, the device doesn't bother with encryption, but sends all data, not just the password, in the clear. From the article: "After reporting the bug to Netatmo, the company responded, acknowledging that it does indeed dump all that data from the weather station’s memory unencrypted and that it would stop doing that the coming weeks."

2 of 37 comments

  1. It's a full memory dump by jones_supa · Score: 4, Informative

    Netatmo states that this is some forgotten debug code that was left in the device.

    It is actually a full memory dump which just happens to contain the WPA password. It seems to have been a legit debug feature, although it of course is a bit stupid that they have left it there. The quality assurance is still a bit crusty with these IoT devices.

  2. Re:Ahh, the internet of things... by Richard_at_work · Score: 3, Informative

    What does this have to do with a newfangled marketing term? We've seen routers, access points and all manner of devices do this sort of thing since the 1990s - data leakage, deliberate or otherwise, it's not a new thing.