Exclusive: Netatmo Patches Security Hole in Indoor Camera
From video doorbells to remote-controlled baby monitors, we can
manage home security in an amazing number of ways. In this modern world, home security cameras have evolved light-years beyond the antiquated motion sensors
that would sound the alarm because your cat jumped on the counter. The Netatmo
Smart Indoor Security Camera (formerly the Netatmo Welcome) is smart indeed—it can recognize faces of your
family and ignore their activities, yet still alert you if it sees a stranger.
However, like any Internet of Things (IoT) device, it can
potentially jeopardize your privacy if not properly secured. Indeed, Bitdefender discovered that this camera had a flaw that could have let a very determined attacker penetrate your
Wi-Fi network. But don’t worry; it’s already been fixed.
An Inside Job
We at PCMag are engaged in an ongoing partnership with the Internet
of Things security team at Bitdefender. We let the team know which devices
are popular with our readers. They torture-test the devices based on years of white
hat hacking experience, looking for security vulnerabilities.
Before they (and we) reveal their findings, they give the device’s maker 90
days to fix any problems. Trust us; there are always problems.
Note that the Netatmo device in the current report wasn’t
from our list; in this case, the researchers made their own selection. We have reviewed the Netatmo Presence and
found it excellent, but that’s an outdoor security camera. Bitdefender’s results are for the Smart Indoor Camera and can’t
be extrapolated to the Presence, as they did not test it. If we were Netatmo
developers, though, we’d certainly check for the same problem in other devices.
Sometimes a security flaw is a gaping hole, like the problem
Bitdefender discovered with an iBaby monitor that allowed any one user to view videos from all users. The security problem found in the Netatmo device was much more
subtle and much harder to exploit.
From Bitdefender’s blog post on the subject:
“The Bitdefender IoT Vulnerability Research Team discovered that the device is susceptible to an authenticated file write that leads to command execution (CVE-2019-17101), as well as to a privilege escalation via dirtyc0w—a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel’s memory-management subsystem.”
Bitdefender’s Jay Balan explained to PCMag that his team found an
error in a script that manages the device’s configuration. By leveraging this
error, an attacker could run arbitrary code on the underlying operating system.
Balan also discovered that it was possible to escalate privileges on the
device, meaning a successful attacker could entirely bend the camera to their
will. That may not sound big, but the ability to run arbitrary code means the
attacker could do just about anything on your network, not just on the device.
You might not mind about an attacker accessing your camera (which is a bit of a
strange stance to take), but you might care a lot if the attacker can then
pivot from your camera to your laptop that’s laden with personal information.
Previously, Bitdefender discovered a vulnerability with a
Ring doorbell, where an attacker would have had to stake out your house, nearby
enough to tap into the Wi-Fi. The attack involved disabling the doorbell’s
connectivity, then catching the interaction whenever you noticed and ran
through the initial configuration again. That’s a pretty difficult attack, but
weaseling into the Netatmo Smart Indoor Camera would be even harder.
Balan explained that the attacker would need local access to
the camera, along with login credentials for a user account. So, the attacker
would have to guess your login credentials or obtain them with a phishing
attack. That’s not impossible, but effectively, it would have to be an inside
job. However, after the exploit, the attacker would have a beachhead in your
network, remotely controlled using a VPN.
Balan pointed out that people might not be careful with
their credentials, thinking it ’s not a big deal if someone sees the video
feed. Again, that’s not the real danger. This exploit lets an attacker gain
access to your network and its devices.
This particular vulnerability is nuanced, and the researchers acknowledge that it could actually be used for legitimate purposes. Again, from Bitdefender’s blog post:
“[…] the vulnerabilities outlined here may help a legitimate user or a third party in possession of the correct credentials to jailbreak the device and completely own it. And, while we’ll let you imagine a valid real-world scenario in which you’d pwn your own device, we’d also like to remind keen visitors to our blog that the ability to jailbreak is still a vulnerability and should be regarded as such.”
How the Camera Is Supposed to Work
As noted, you can program the Netatmo camera to ignore your
family members or other residents. It won’t freak out just because your kid
came home from school early. But if it spots an unknown face, it sends an
alert, with a photo and even HD 1080p video. Maybe your burglar is sneaking in
under cover of darkness? No worries. Netatmo uses infrared, so you still get
video.
This camera also alerts you when it hears an alarm. That
could be a smoke alarm, another security system, or even an emergency siren.
Here, too, it sends a video along with its alert. Netatmo retains security
videos on a local microSD card, so you can, for example, share them with the
police. You can also configure it to slip those videos into your Dropbox account, or your personal
FTP server. (You do have a personal FTP server, right?)
A Good Response From Netatmo
The story ends very well, fortunately. Bitdefender contacted Netatmo on December 20th, 2019 and
revealed the minor problem with the script. Netatmo acknowledged the problem in just three days—an admirably fast turnaround time. By mid-January, Netatmo had already developed a patch to fix the problem. That’s especially impressive, considering that it fell over the winter holidays.
Our view at PCMag is that in most cases, a security issue isn’t as important as how a company handles the response. When a company avoids responsibility by ignoring researchers or trying to cover up an embarrassing security event, it hurts customers far more than a vulnerability or data breach. Netatmo handled this issue in a way that inspires confidence, which is exactly what we like to see.
White Hat Hacking
When we reported a security hole that the Bitdefender team
unearthed in the popular Ring
Video Doorbell, Ring came up with a fix and pushed out a firmware update to
protect affected devices. Belkin, too, quickly fixed the vulnerability Bitdefender found in its Wemo
Smart Plug.
As mentioned earlier, Bitdefender also found security flaws in the iBaby Monitor M6S
baby monitor. The researchers made valiant efforts to contact the company’s
security team, but never got through. Fortunately, our reporting got the
attention of iBaby’s CEO, and the
security holes were fixed within just a few days.
These success stories are just what we hoped for with this
partnership. We have no interest in publicly shaming device makers. Rather, we aim
to improve safety and security for our readers who use the devices.
Just about any device can be internet-aware
these days, from smoke alarms to smart light bulbs. And device makers don’t
necessarily think about making security a priority, even in devices like
cameras whose aim is security. A strong examination by a security red team
almost always turns up problems for the manufacturer to fix. We at PCMag will
continue to point out devices for the Bitdefender team to evaluate, and to report
on just what was found, and what was fixed.
