Exclusive: Netatmo Patches Security Hole in Indoor Camera

From video doorbells to remote-controlled baby monitors, we can manage home security in an amazing number of ways.

In this modern world, home security cameras have evolved light-years beyond the antiquated motion sensors that would sound the alarm because your cat jumped on the counter.

The Netatmo Smart Indoor Security Camera (formerly the Netatmo Welcome) is smart indeed—it can recognize faces of your family and ignore their activities, yet still alert you if it sees a stranger.

However, like any Internet of Things (IoT) device, it can potentially jeopardize your privacy if not properly secured.

Indeed, Bitdefender discovered that this camera had a flaw that could have let a very determined attacker penetrate your Wi-Fi network.

But don’t worry; it’s already been fixed.

An Inside Job

We at Daxdi are engaged in an ongoing partnership with the Internet of Things security team at Bitdefender.

We let the team know which devices are popular with our readers.

They torture-test the devices based on years of white hat hacking experience, looking for security vulnerabilities.

Before they (and we) reveal their findings, they give the device’s maker 90 days to fix any problems.

Trust us; there are always problems.

Note that the Netatmo device in the current report wasn’t from our list; in this case, the researchers made their own selection.

We have reviewed the Netatmo Presence and found it excellent, but that's an outdoor security camera.

Bitdefender’s results are for the Smart Indoor Camera and can’t be extrapolated to the Presence, as they did not test it.

If we were Netatmo developers, though, we’d certainly check for the same problem in other devices.

Sometimes a security flaw is a gaping hole, like the problem Bitdefender discovered with an iBaby monitor that allowed any one user to view videos from all users.

The security problem found in the Netatmo device was much more subtle and much harder to exploit.

From Bitdefender's blog post on the subject:

"The Bitdefender IoT Vulnerability Research Team discovered that the device is susceptible to an authenticated file write that leads to command execution (CVE-2019-17101), as well as to a privilege escalation via dirtyc0w—a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel's memory-management subsystem."

Bitdefender’s Jay Balan explained to Daxdi that his team found an error in a script that manages the device’s configuration.

By leveraging this error, an attacker could run arbitrary code on the underlying operating system.

Balan also discovered that it was possible to escalate privileges on the device, meaning a successful attacker could entirely bend the camera to their will.

That may not sound big, but the ability to run arbitrary code means the attacker could do just about anything on your network, not just on the device.

You might not mind an attacker accessing your camera (which is a bit of a strange stance to take), but you might care a lot if the attacker can then pivot from your camera to your laptop that's laden with personal information.

Previously, Bitdefender discovered a vulnerability with a Ring doorbell, where an attacker would have had to stake out your house, near enough to tap into the Wi-Fi.

The attack involved disabling the doorbell’s connectivity, then catching the interaction whenever you noticed and ran through the initial configuration again.

That’s a pretty difficult attack, but weaseling into the Netatmo Smart Indoor Camera would be even harder.

Balan explained that the attacker would need local access to the camera, along with login credentials for a user account.

So, the attacker would have to guess your login credentials or obtain them with a phishing attack.

That’s not impossible, but effectively, it would have to be an inside job.

However, after the exploit, the attacker would have a beachhead in your network, remotely controlled using a VPN.

Balan pointed out that people might not be careful with their credentials, thinking it's not a big deal if someone sees the video feed.

Again, that’s not the real danger.

This exploit lets an attacker gain access to your network and its devices.

This particular vulnerability is nuanced, and the researchers acknowledge that it could actually be used for legitimate purposes.

Again, from Bitdefender's blog post:

"[...] the vulnerabilities outlined here may help a legitimate user or a third party in possession of the correct credentials to jailbreak the device and completely own it.

And, while we'll let you imagine a valid real-world scenario in which you'd pwn your own device, we'd also like to remind keen visitors to our blog that the ability to jailbreak is still a vulnerability and should be regarded as such."

How the Camera Is Supposed to Work

As noted, you can program the Netatmo camera to ignore your family members or other residents.

It won’t freak out just because your kid came home from school early.

But if it spots an unknown face, it sends an alert, with a photo and even HD 1080p video.

Maybe your burglar is sneaking in under cover of darkness? No worries.

Netatmo uses infrared, so you still get video.

This camera also alerts you when it hears an alarm.

That could be a smoke alarm, another security system, or even an emergency siren.

Here, too, it sends a video along with its alert.

Netatmo retains security videos on a local microSD card, so you can, for example, share them with the police.

You can also configure it to slip those videos into your Dropbox account, or your personal FTP server.

(You do have a personal FTP server, right?)

A Good Response From Netatmo

The story ends very well, fortunately.

Bitdefender contacted Netatmo on December 20th, 2019 and revealed the minor problem with the script.

Netatmo acknowledged the problem in just three days—an admirably fast turnaround time.

By mid-January, Netatmo had already developed a patch to fix the problem.

That's especially impressive, considering that it fell over the winter holidays.

Our view at Daxdi is that in most cases, a security issue isn't as important as how a company handles the response.

When a company avoids responsibility by ignoring researchers or trying to cover up an embarrassing security event, it hurts customers far more than a vulnerability or data breach.

Netatmo handled this issue in a way that inspires confidence, which is exactly what we like to see.

White Hat Hacking

When we reported a security hole that the Bitdefender team unearthed in the popular Ring Video Doorbell, Ring came up with a fix and pushed out a firmware update to protect affected devices.

Belkin, too, quickly fixed the vulnerability Bitdefender found in its Wemo Smart Plug.

As mentioned earlier, Bitdefender also found security flaws in the iBaby Monitor M6S baby monitor.

The researchers made valiant efforts to contact the company’s security team, but never got through.

Fortunately, our reporting got the attention of iBaby’s CEO, and the security holes were fixed within just a few days.

These success stories are just what we hoped for with this partnership.

We have no interest in publicly shaming device makers.

Rather, we aim to improve safety and security for our readers who use the devices.

Just about any device can be internet-aware these days, from smoke alarms to smart light bulbs.

And device makers don’t necessarily think about making security a priority, even in devices like cameras whose aim is security.

A strong examination by a security red team almost always turns up problems for the manufacturer to fix.

We at Daxdi will continue to point out devices for the Bitdefender team to evaluate, and to report on just what was found, and what was fixed.