One of the best parts about Netatmo indoor cameras is their capability to recognize family and ignore them or strangers in your house and warn you. Unfortunately, the cameras had a vulnerability that allowed an attacker to gain access to your entire network. The good news is, the vulnerability was difficult to exploit. The better news is Netatmo already patched issue.
The point of Netatmo’s cameras is to provide security. That makes it all the worse that a hacker could potentially use one to breach your network. That’s what Bitdefender discovered when it investigated the cameras. As PCMag explains, in a joint venture with Bitdefender, a hacker could potentially take over your camera and run any code they wanted.
With that capability, the bad actor could then do nearly anything they wanted on your network.
As Bitdefender explained:
The Bitdefender IoT Vulnerability Research Team discovered that the device is susceptible to an authenticated file write that leads to command execution (CVE-2019-17101), as well as to a privilege escalation via dirtyc0w—a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel’s memory-management subsystem.
But, exploiting the vulnerability wouldn’t have been easy. The hacker needed local access to your camera and to know your login credentials. Breaking into your house and stealing your username and password is no small feat, the most plausible scenario seems like someone you know deciding to break into your network.
Bitdefender did point out that the vulnerability could have a legitimate use. With access to your own camera and your credentials, you could use this method to jailbreak your device. But the security site went on to say that jailbreak scenarios are still vulnerabilities that hackers can exploit.
Thankfully Bitdefender practiced responsible disclosure and gave Netatmo 90 days to fix the issue before making the information public. For its part, Netatmo responded responsibly too. It acknowledged the issue within three days of receiving the report, and then turned around and released a patch in less than a month.
As long as security and smart home devices exist, so will vulnerabilities. The important part is how a company responds to vulnerability disclosures, and Netatmo did well in this instance. If you own a Netatmo indoor camera, you don’t need to do anything. The camera company patched every affected.