I have the bad habit of playing with home automation and various data acquisition tools. I could quit any time ifI wanted to, but so far, I decided not to. My latest toy to add to the collection was a Netatmo" />
Setting up the device was pretty straight forward, and looked secure. It requires connecting to the device via USB, and a custom application is used to configure the device with your username, password and WiFi settings including the WiFi password. After the initial setup, the station needs USB for power only, and communicates via WiFi to the Cloud.
But after the simple setup, a nice surprise">[**] [1:1000284:0] WPA PSK Passphrase Leak [**] [Priority: 0] {TCP} a.b.c.d:21908 - 195.154.176.41:25050
I do have a custom rule in my snort rule set, alerting me of the passphrase">alert ip any any - msg: WPA PSK Passphrase Leak content: [Iamnotgoingtotellyou] )
So what happened? After looking at the full capture of the data, I found that indeed the weather station sent my password to the cloud, along with some other data. The data include the weather stations MAC address, the SSIDof the WiFi network, and some hex encoded snippets.
Not only should data like this not be transmitted in the clear, but in addition, there is no need for Netatmo to know the WPA password for my network.">">We will remove this debug memory very soon (coming weeks).
So far I havent seen any additional transmissions from the weather station containing the password, even after restarting it. I didnt do a full factory reset yet.But in general, the data appears to be unencrypted. The MAC address of the station and the outdoor sensor are easily found in the payload. So far, I couldnt find a documentation for the protocol, so it will take a bit more time to reverse it.
According to the weather station map provided by Netatmo, these devices are already quite popuplar. Here a snapshot of the map in my Neighborhood" />
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.