Page 1 of 1

WPA2 Vulnerabilities (KRACK) fix

Posted: 17 Oct 2017, 09:02
by Hsd
So this vulnerability is serious.

Can Netatmo provide an update when the weatherstation will receive a fix for this?

Re: WPA2 Vulnerabilities (KRACK) fix

Posted: 18 Oct 2017, 19:01
by ALFo
+1

Re: WPA2 Vulnerabilities (KRACK) fix

Posted: 19 Oct 2017, 18:05
by gloglo36
+1

Re: WPA2 Vulnerabilities (KRACK) fix

Posted: 20 Oct 2017, 17:27
by zomt
+1

Re: WPA2 Vulnerabilities (KRACK) fix

Posted: 20 Oct 2017, 18:30
by Brieuc_Netatmo
Hi,
KRACK is a known vulnerability of Wi-Fi protocol that allows a hacker near your Wi-Fi network to read information that passes through it.
All NETATMO products use encrypted and secure protocols (HTTPS or VPN tunnel depending on the product) to communicate via Wi-Fi. This means that only our servers are able to decrypt the data.
Thus, even if a malicious person tries to intercept the information of NETATMO products, he could not decipher it.
Have a nice day!

Re: WPA2 Vulnerabilities (KRACK) fix

Posted: 25 Oct 2017, 11:15
by tmoatmo
The practical risk for Netatmo devices is probably very low. But according to the website set up to document the vulnerability at krackattacks dot com , it affects the WIFI standard as a whole and can allow under some circumstances to inject and manipulate data. So while it is OK that the Netatmo device uses the HTTPS protocol to protect the communication between the device and the Netatmo server, it is nevertheless an IOT device running as a WIFI client. The scope of the vulnerabilty seems to go beyond the simple communication between a device and a single server using HTTPS. From reading the various sources of information on the subject, the recommendation seems to be to patch all WIFI clients...

Re: WPA2 Vulnerabilities (KRACK) fix

Posted: 25 Oct 2017, 14:14
by Aarto
As far as i understand the vulnerability, attacker can set up a WIFI network with same SSID as mine and make the Netatmo device connect to that WIFI network instead of my network. In which case the attackers can direct the traffic as they please, blocking access to my Netatmo Welcome camera, weather stations, thermostat etc,
Even if attacker cannot decode what my devices are sending, they can still gain control of WHERE my devices are sending the data. That is why all IoT devices should be patched.

Re: WPA2 Vulnerabilities (KRACK) fix

Posted: 19 Dec 2017, 16:11
by jdefuria
All NETATMO products use encrypted and secure protocols (HTTPS or VPN tunnel depending on the product) to communicate via Wi-Fi. This means that only our servers are able to decrypt the data.
Thus, even if a malicious person tries to intercept the information of NETATMO products, he could not decipher it.
It seems as if Brieuc_Netatmo does not understand the vulnerability whatsoever.

Yes, Great for the Netatmo data, but other network traffic could be sniffed and a man-in-the-middle attack could redirect packets on your local wifi. Disheartening to see Netatmo not care about users privacy, because at this point it could be used as the exploit to get into a local network.

If this isn't fixed, the next step is to start with Amazon/Facebook and other social media reviews. While I have been favorable towards Netatmo in the past, if security are not forthcoming, I will make sure other, non tech-savvy individuals will know about the flaws.