Encryption Security Technology

Netatmo Weather Station Sends WPA Passwords In the Clear

UnderAttack writes: The SANS Internet Storm Center is writing that Netatmo weather stations will send the users' WPA password in the clear back to Netatmo. Netatmo states that this is some forgotten debug code that was left in the device. Overall, the device doesn't bother with encryption, but sends all data, not just the password, in the clear. From the article: "After reporting the bug to Netatmo, the company responded, acknowledging that it does indeed dump all that data from the weather station's memory unencrypted and that it would stop doing that in the coming weeks."
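The bug in the summary is a device that ships a raw memory dump, passphrase included, over an unencrypted connection. The following is an added example (not from the thread, the ISC diary or Netatmo) of a check a home-network defender can run over captured outbound flows to catch exactly that; the flow records, hosts and payloads are constructed sample data, and the TLS handling is a stated assumption.

```python
# Added example: flag outbound cleartext traffic that carries the Wi-Fi passphrase.
# Flow records and payloads are constructed; nothing here is real Netatmo traffic.
from dataclasses import dataclass


@dataclass
class Flow:
    src: str        # device on the LAN
    dst: str        # remote host the device talks to
    dport: int
    payload: bytes  # reassembled application data (empty when TLS-encrypted)


def payload_is_plaintext(flow: Flow) -> bool:
    """Assumption: the capture tool leaves TLS flows with an empty payload and
    everything on port 443 is TLS, so only non-443 flows with data are inspected."""
    return flow.dport != 443 and bool(flow.payload)


def find_psk_leaks(flows, psk: str):
    """Return (src, dst, dport, offset) for every cleartext flow whose payload
    contains the WPA passphrase. A memory dump stores strings NUL-terminated and
    mixed with binary, so the search is over raw bytes rather than text lines."""
    needle = psk.encode()
    hits = []
    for f in flows:
        if not payload_is_plaintext(f):
            continue
        off = f.payload.find(needle)
        if off != -1:
            hits.append((f.src, f.dst, f.dport, off))
    return hits


# Constructed sample: a harmless telemetry POST, a TLS flow, and a debug dump that
# happens to contain the SSID and passphrase, imitating the behaviour in the summary.
PSK = "correct horse battery staple"
SAMPLE_FLOWS = [
    Flow("192.168.1.50", "203.0.113.10", 80,
         b"POST /telemetry HTTP/1.1\r\nHost: example.invalid\r\n\r\ntemp=21.5&hum=40"),
    Flow("192.168.1.50", "203.0.113.10", 443, b""),
    Flow("192.168.1.50", "203.0.113.10", 80,
         b"POST /debug HTTP/1.1\r\n\r\n" + b"\x00" * 16 + b"ssid=HomeNet\x00"
         + PSK.encode() + b"\x00" + b"\xff" * 8),
]

if __name__ == "__main__":
    for hit in find_psk_leaks(SAMPLE_FLOWS, PSK):
        print("passphrase seen in cleartext:", hit)
```

On a real network the same check runs over payloads reassembled from a capture of the IoT VLAN; a hit on any flow is grounds to block the device's outbound traffic until the vendor fixes the firmware.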


  • by fuzzyfuzzyfungus ( 1223518 ) on Friday February 13, 2015 @05:18AM (#49045635) Journal
    Why would they shut it down? Clearly this 'feature' is just there to help more things connect themselves to the IoT without inconveniencing the consumer by bothering them for a password!
    • by Richard_at_work ( 517087 ) on Friday February 13, 2015 @07:40AM (#49045971)

      What does this have to do with a newfangled marketing term? We've seen routers, access points and all manner of devices do this sort of thing since the 1990s - data leakage, deliberate or otherwise, it's not a new thing.

      • by fuzzyfuzzyfungus ( 1223518 ) on Friday February 13, 2015 @08:19AM (#49046097) Journal
        There is no direct causal connection, as you say, embedded security has been pretty much crap for ages, particularly in the cheap seats; but it is the case that 'IoT' manages to combine a disturbing enthusiasm for giving anything and everything firmware and an IP address with a security record at least as slapdash and atrocious, if not more, as other low-end embedded vendors, which makes them a particularly messy case.
    • Honestly, this is just the ongoing demonstration of the fact that most network-enabled consumer products are garbage, written by incompetent and lazy idiots, who neither know nor care about your security or privacy, and pushed out the door by greedy bastards.

      Until there are real penalties for doing crap like this ... I just assume that all things which want to connect to the internet will probably be insecure and dangerous, and therefore won't trust them.

      It's pretty much happening so often that it's a safe

  • by Anonymous Coward on Friday February 13, 2015 @05:21AM (#49045643)

    Wow, that's a pretty big oversight. I work in hardware and this sort of stuff is pretty common. I worked for one medical device company that simply XORed their firmware with a fixed 8-bit value to 'encrypt' it. Trouble is that when the design team is trying to fix flow lines on plastic mouldings or get the product through 20k of EMC testing, software security falls to the bottom of the list, and it's typically a guy who knows how to write embedded code for reading sensors but has no idea what it really means to open a public facing port to the Internet.

    One shudders to think what other debug back doors they have left in there and what sort of shonky TCP/IP library they found on the Internet to stuff into the firmware.

    • by AmiMoJo ( 196126 ) * on Friday February 13, 2015 @08:08AM (#49046047) Homepage Journal

      I'm looking forward to the first consumer protection law claim on a consumer IoT device. In the UK you could perhaps argue that the device is not fit for purpose, since it can't safely be connected to the internet. The shop you bought it from has "a reasonable length of time" to fix it, which typically means 28 days. If the manufacturer fails to provide an update in that time the shop is screwed and you can get a refund.

      I'm hoping that kind of claim becomes more common. Someone in the UK already got a refund from Amazon when Sony removed features from the PS3. I read that Sony and a few others have already dropped YouTube support from some older smart TVs in Japan, and if it happens in the UK I'd be expecting a partial refund for loss of functionality. The formula is basically the amount of use you have had from the product vs. how long you would expect it to last, multiplied by how much functionality is lost. So, say I spend 1/3rd of my time watching YouTube (possibly an under-estimation, I have a lot of subscriptions but don't watch that much TV overall):

      3 year old TV, would reasonably expect it to last at least 10 years (5 year warranty, expensive plasma screen). So 66% of its reasonable life span remaining. 33% loss of functionality. Say I paid £1500 for this thing, I would expect a £326.70 refund if YouTube stopped working. Alternatively the shop could provide something else with equivalent functionality, such as a set top box or smart BluRay player.

  • by jones_supa ( 887896 ) on Friday February 13, 2015 @05:32AM (#49045675)

    Netatmo states that this is some forgotten debug code that was left in the device.

    It is actually a full memory dump which just happens to contain the WPA password. It seems to have been a legit debug feature, although it of course is a bit stupid that they have left it there. The quality assurance is still a bit crusty with these IoT devices.

  • I thought WPA was found to be insecure a long time ago! Are there really still entities that depend on it for security?

  • So what else is new? People leave their phones to the default settings which makes them back the wifi passwords "to cloud". In practice the Apple and Google and their "partners" have access to millions of wifi networks. They just gather the data over SSL to avoid leaking that to competitors.
