Slashdot Mirror


Netatmo Weather Station Sends WPA Passwords In the Clear

UnderAttack writes: The SANS Internet Storm Center is writing that Netatmo weather stations will send the user's WPA password in the clear back to Netatmo. Netatmo states that this is some forgotten debug code that was left in the device. Overall, the device doesn't bother with encryption, but sends all data, not just the password, in the clear. From the article: "After reporting the bug to Netatmo, the company responded, acknowledging that it does indeed dump all that data from the weather station's memory unencrypted and that it would stop doing that in the coming weeks."
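The practical check a reader would want after a story like this is whether a given device ships the Wi-Fi passphrase to its vendor unencrypted. The script below is an added example, not Netatmo's or the SANS Internet Storm Center's code: it takes (destination, TCP payload) pairs of the kind you would pull from a capture of the device's outbound traffic, flags flows that at least start with a TLS record, and searches the cleartext ones for the SSID and WPA passphrase in the encodings a memory dump or config blob typically uses. The hostnames, the "debug dump" payload and the passphrase are constructed placeholders, not real captures or real Netatmo traffic.

```python
"""Audit captured device traffic for Wi-Fi credentials sent in the clear.

Added example (not code from the original story or from Netatmo). The flows
below are constructed inline so the script runs offline; in practice you would
feed it the outbound TCP payloads of the device under test.
"""
from __future__ import annotations

import re


def is_tls_record(payload: bytes) -> bool:
    """True if the payload opens with a TLS record header (type 0x16 =
    handshake, version major 0x03), i.e. the flow is at least encrypted
    in transit and the credential search would be meaningless."""
    return (len(payload) >= 3 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[2] <= 0x04)


def encodings_of(secret: str) -> dict[str, bytes]:
    """Forms a secret commonly takes inside a dump: raw UTF-8, UTF-16LE
    (Windows-style wide strings) and hex in either case."""
    raw = secret.encode("utf-8")
    return {
        "utf-8": raw,
        "utf-16le": secret.encode("utf-16-le"),
        "hex": raw.hex().encode("ascii"),
        "HEX": raw.hex().upper().encode("ascii"),
    }


def extract_strings(blob: bytes, min_len: int = 6) -> list[str]:
    """Printable ASCII runs, like strings(1), to see what else a
    cleartext dump carries besides the passphrase."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def audit_flow(dst: str, payload: bytes, secrets: dict[str, str]) -> dict:
    """Report whether one flow is TLS and, if not, which secrets it leaks."""
    if is_tls_record(payload):
        return {"dst": dst, "tls": True, "leaks": []}
    leaks = []
    for name, value in secrets.items():
        for enc, needle in encodings_of(value).items():
            off = payload.find(needle)
            if off != -1:
                leaks.append({"secret": name, "encoding": enc, "offset": off})
    return {"dst": dst, "tls": False, "leaks": leaks}


# Constructed sample data (assumptions, not real captures or real hostnames).
SSID = "HomeNet"
PSK = "correct horse battery staple"
SECRETS = {"ssid": SSID, "wpa_psk": PSK}

# Start of a TLS ClientHello: a flow we do not need to search.
TLS_FLOW = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32

# A cleartext HTTP POST carrying a raw memory/config dump with the credentials.
DEBUG_DUMP = (
    b"POST /debug HTTP/1.1\r\nHost: vendor.example.invalid\r\n\r\n"
    + b"\x00\x00\x7f\x00" * 4
    + b"ssid=" + SSID.encode() + b"\x00"
    + b"psk=" + PSK.encode() + b"\x00"
    + b"\xff\xfe" * 8
)

FLOWS = [("api.example.invalid", TLS_FLOW),
         ("vendor.example.invalid", DEBUG_DUMP)]


def run_audit(flows=FLOWS, secrets=SECRETS) -> list[dict]:
    """Audit every flow; returns one result dict per flow."""
    return [audit_flow(dst, payload, secrets) for dst, payload in flows]


if __name__ == "__main__":
    for result in run_audit():
        status = "TLS" if result["tls"] else "CLEARTEXT"
        print(f"{result['dst']}: {status}")
        for leak in result["leaks"]:
            print(f"  leaked {leak['secret']} as {leak['encoding']}"
                  f" at offset {leak['offset']}")
    print("strings in cleartext dump:", extract_strings(DEBUG_DUMP))
```

Two caveats when running this against a real capture: a TLS record header only tells you the flow is encrypted in transit, not that the vendor does anything sensible with the data at the other end, and a passphrase that is compressed or obfuscated before upload will not match any of the four encodings, so an empty result is evidence of absence only for dumps sent as plainly as the story describes.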

4 of 37 comments

  1. Ahh, the internet of things... by fuzzyfuzzyfungus · · Score: 4, Interesting

    Why would they shut it down? Clearly this 'feature' is just there to help more things connect themselves to the IoT without inconveniencing the consumer by bothering them for a password!

  2. Re:It's a full memory dump by drinkypoo · · Score: 4, Interesting

    It is actually a full memory dump which just happens to contain the WPA password. It seems to have been a legit debug feature, although it of course is a bit stupid that they have left it there.

    Yeeeeesss, very "stupid"

    They "stupidly" just got themselves a map of APs and their passwords.

    You're probably right, of course, but how could you distinguish this from an actual attack?

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  3. Re:Taste of things to come by AmiMoJo · · Score: 4, Interesting

    I'm looking forward to the first consumer protection law claim on a consumer IoT device. In the UK you could perhaps argue that the device is not fit for purpose, since it can't safely be connected to the internet. The shop you bought it from has "a reasonable length of time" to fix it, which typically means 28 days. If the manufacturer fails to provide an update in that time the shop is screwed and you can get a refund.

    I'm hoping that kind of claim becomes more common. Someone in the UK already got a refund from Amazon when Sony removed features from the PS3. I read that Sony and a few others have already dropped YouTube support from some older smart TVs in Japan, and if it happens in the UK I'd be expecting a partial refund for loss of functionality. The formula is basically the amount of use you have had from the product vs. how long you would expect it to last, multiplied by how much functionality is lost. So, say I spend 1/3rd of my time watching YouTube (possibly an under-estimation, I have a lot of subscriptions but don't watch that much TV overall):

    3-year-old TV, would reasonably expect it to last at least 10 years (5 year warranty, expensive plasma screen). So 66% of its reasonable life span remaining. 33% loss of functionality. Say I paid £1500 for this thing, I would expect a £326.70 refund if YouTube stopped working. Alternatively the shop could provide something else with equivalent functionality, such as a set top box or smart Blu-ray player.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  4. Re:It's a full memory dump by drinkypoo · · Score: 3, Interesting

    Because this would be a really stupid way to do an attack.

    Well, if you think it would be stupid, then it must be a really good way to do it.

    The best thing about an attack done in this way is that the target doesn't know they were targeted. Since Netatmo is so careless at security, they wouldn't even have had to have been the ones who made the attack. Someone else could have diddled their code and kept debug on in release.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"