We select and review products independently. When you purchase through our links we may earn a commission. Learn more.

Netatmo Patches a Gaping Security Hole in Its Security Camera

A Netatmo indoor camera next to a set of keys.

One of the best parts about Netatmo indoor cameras is their capability to recognize family and ignore them or strangers in your house and warn you. Unfortunately, the cameras had a vulnerability that allowed an attacker to gain access to your entire network. The good news is, the vulnerability was difficult to exploit. The better news is Netatmo already patched issue.

The point of Netatmo’s cameras is to provide security. That makes it all the worse that a hacker could potentially use one to breach your network. That’s what Bitdefender discovered when it investigated the cameras. As PCMag explains, in a joint venture with Bitdefender, a hacker could potentially take over your camera and run any code they wanted.

With that capability, the bad actor could then do nearly anything they wanted on your network.
As Bitdefender explained:

The Bitdefender IoT Vulnerability Research Team discovered that the device is susceptible to an authenticated file write that leads to command execution (CVE-2019-17101), as well as to a privilege escalation via dirtyc0w—a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel’s memory-management subsystem.

But, exploiting the vulnerability wouldn’t have been easy. The hacker needed local access to your camera and to know your login credentials. Breaking into your house and stealing your username and password is no small feat, the most plausible scenario seems like someone you know deciding to break into your network.

Bitdefender did point out that the vulnerability could have a legitimate use. With access to your own camera and your credentials, you could use this method to jailbreak your device. But the security site went on to say that jailbreak scenarios are still vulnerabilities that hackers can exploit.

Thankfully Bitdefender practiced responsible disclosure and gave Netatmo 90 days to fix the issue before making the information public. For its part, Netatmo responded responsibly too. It acknowledged the issue within three days of receiving the report, and then turned around and released a patch in less than a month.

As long as security and smart home devices exist, so will vulnerabilities. The important part is how a company responds to vulnerability disclosures, and Netatmo did well in this instance. If you own a Netatmo indoor camera, you don’t need to do anything. The camera company patched every affected.

via PCMag, Bitdefender

Josh Hendrickson Josh Hendrickson
Josh Hendrickson is the Editor in Chief of Review Geek and is responsible for the site's content direction. He has worked in IT for nearly a decade, including four years spent repairing and servicing computers for Microsoft. He’s also a smart home enthusiast who built his own smart mirror with just a frame, some electronics, a Raspberry Pi, and open-source code. Read Full Bio »