Netatmo Patches a Gaping Security Hole in Its Security Camera


One of the best features of Netatmo indoor cameras is their ability to recognize family members and ignore them, or to recognize strangers in your home and warn you. Unfortunately, the cameras had a vulnerability that allowed an attacker to access your entire network. The good news is that the vulnerability was difficult to exploit. The best news is that Netatmo has already fixed the problem.

The purpose of Netatmo’s cameras is to provide security, which makes it all the more aggravating that a hacker could potentially use one to breach your network. That’s what Bitdefender discovered when it investigated the cameras. As PCMag, in a joint venture with Bitdefender, explains, a hacker could potentially take control of your camera and execute code of their choice.

With this ability, a bad actor could then do almost anything they wanted on your network. As Bitdefender explained:

The Bitdefender IoT vulnerability research team discovered that the device is sensitive to authenticated file writing leading to command execution (CVE-2019-17101), as well as elevation of privileges via dirtyc0w – a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel memory management subsystem.

But exploiting the vulnerability would not have been easy. The hacker needed local access to your camera and had to know your login credentials. Breaking into your home and stealing your username and password is no easy task; the most likely scenario seems to be someone you know who decides to break into your network.

Bitdefender pointed out that the vulnerability could have a legitimate use. With access to your own camera and your credentials, you can use this method to jailbreak your device. But the security site went on to say that jailbreak scenarios are still vulnerabilities that hackers can exploit.

Fortunately, Bitdefender practiced responsible disclosure and gave Netatmo 90 days to resolve the issue before releasing the information. Netatmo also responded responsibly. It acknowledged the problem within three days of receiving the report, then turned around and released a patch in less than a month.

As long as security and smart home devices exist, so will vulnerabilities. The important thing is to know how a company reacts to vulnerability disclosures, and Netatmo has done well in this case. If you have a Netatmo indoor camera, you don’t have to do anything. The company has corrected all of the affected cameras.

via PCMag, Bitdefender
