Netatmo Weather Station Sends WPA Passwords In the Clear
UnderAttack writes: The SANS Internet Storm Center is writing that Netatmo weather stations will send the user's WPA password in the clear back to Netatmo. Netatmo states that this is some forgotten debug code that was left in the device. Overall, the device doesn't bother with encryption, but sends all data, not just the password, in the clear. From the article: "After reporting the bug to Netatmo, the company responded, acknowledging that it does indeed dump all that data from the weather station's memory unencrypted and that it would stop doing that in the coming weeks."
Wow, that's a pretty big oversight. I work in hardware and this sort of stuff is pretty common. I worked for one medical device company that simply XORed their firmware with a fixed 8-bit value to 'encrypt' it. Trouble is that when the design team is trying to fix flow lines on plastic mouldings or get the product through 20k of EMC testing, software security falls to the bottom of the list, and it typically ends up with a guy who knows how to write embedded code for reading sensors but has no idea what it really means to open a public-facing port to the Internet.
One shudders to think what other debug back doors they have left in there and what sort of shonky TCP/IP library they found on the Internet to stuff into the firmware.
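The "XOR the whole image with one fixed byte" scheme mentioned in the comment above is not encryption in any useful sense: 256 candidate keys is a trivial search, and the structure of a real flash image (NUL padding, string terminators, copyright and version banners) gives the key away. The block below is an added example written for this page, not code from the commenter, Netatmo, or any vendor's firmware; the sample image, the key 0x5A and the banner strings in it are constructed for illustration. It recovers the key three independent ways (plaintext-likeness search, most-common-byte shortcut, and a known-plaintext crib) and then pulls the strings out of the decrypted image.

```python
"""Breaking a fixed single-byte XOR 'encryption' of a firmware image.

Added example. SAMPLE_FIRMWARE, KEY and every string below are constructed
stand-ins, not data from any real device.
"""
from collections import Counter
from typing import List, Optional

# Bytes a decrypted firmware image is expected to be full of: printable ASCII,
# whitespace, and NUL (string terminators, padding, erased flash).
_PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def xor_bytes(data: bytes, key: int) -> bytes:
    """The whole 'encryption' (and decryption): one byte XORed into every position."""
    return bytes(b ^ key for b in data)


def plaintext_score(candidate: bytes) -> int:
    """How much a buffer looks like real firmware. NUL is weighted higher because
    padding and terminators dominate such images: a wrong key turns every NUL into
    the same non-zero byte and loses that weight all at once."""
    return sum(2 if b == 0 else (1 if b in _PRINTABLE else 0) for b in candidate)


def recover_key_by_statistics(blob: bytes) -> int:
    """Brute force all 256 keys and keep the one whose output looks most like firmware."""
    return max(range(256), key=lambda k: plaintext_score(xor_bytes(blob, k)))


def recover_key_from_padding(blob: bytes) -> int:
    """Shortcut: the most frequent ciphertext byte is almost always 0x00 XOR key."""
    most_common_byte, _count = Counter(blob).most_common(1)[0]
    return most_common_byte ^ 0x00


def recover_key_by_crib(blob: bytes, crib: bytes) -> Optional[int]:
    """Known plaintext: a string you expect in the image (copyright notice, version
    banner, URL) pins the key at the offset where it sits. The key implied by the
    crib's first byte must explain every remaining byte of the crib."""
    for i in range(len(blob) - len(crib) + 1):
        k = blob[i] ^ crib[0]
        if all(blob[i + j] ^ k == crib[j] for j in range(len(crib))):
            return k
    return None


def extract_strings(image: bytes, min_len: int = 8) -> List[str]:
    """Pull printable runs out of a (decrypted) image, like strings(1)."""
    out, run = [], bytearray()
    for b in image:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


# Constructed stand-in for a flash image: vector-table gap, a few banner strings,
# a stretch of opaque code bytes, trailing erased flash.
SAMPLE_FIRMWARE = (
    b"\x00" * 64
    + b"Copyright (c) 2014 Example Vendor, Inc. All rights reserved.\x00"
    + b"Firmware v1.02.17 built 2014-11-05 12:34:56\x00"
    + b"DEBUG: dumping wifi config: ssid=%s psk=%s\x00"
    + b"http://example.invalid/upload?dev=%s\x00"
    + bytes(range(256))  # stands in for machine code; XOR only permutes it
    + b"\x00" * 32
)
KEY = 0x5A  # the vendor's 'secret' fixed byte (constructed)
ENCRYPTED_FIRMWARE = xor_bytes(SAMPLE_FIRMWARE, KEY)


if __name__ == "__main__":
    k_stat = recover_key_by_statistics(ENCRYPTED_FIRMWARE)
    k_pad = recover_key_from_padding(ENCRYPTED_FIRMWARE)
    k_crib = recover_key_by_crib(ENCRYPTED_FIRMWARE, b"Copyright")
    print(f"statistics: 0x{k_stat:02x}  padding: 0x{k_pad:02x}  crib: 0x{k_crib:02x}")
    for s in extract_strings(xor_bytes(ENCRYPTED_FIRMWARE, k_stat)):
        print("  ", s)
```

The statistics method needs no knowledge of the image at all; the padding shortcut is the one to try first on a real dump because it is a single byte-histogram; the crib method is what you reach for when the image is small or oddly structured, since any string you can guess (a URL, a copyright line, a version banner) is enough. None of these would work against a real cipher with a real key, which is the point: a fixed 8-bit XOR buys no confidentiality whatsoever.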
There is no direct causal connection, as you say; embedded security has been pretty much crap for ages, particularly in the cheap seats. But it is the case that 'IoT' manages to combine a disturbing enthusiasm for giving anything and everything firmware and an IP address with a security record at least as slapdash and atrocious as, if not worse than, that of other low-end embedded vendors, which makes them a particularly messy case.
Sometimes I think the situation is hopeless. Consumers want the lowest possible price and see many items as commodities. Security is expensive.