jimmy-sonny/NetatmoExploit

Netatmo vulnerability to recover WiFi SSID and passwords in clear saved on the device

Netatmo exploit

Working on firmware version <= v119

Description

Affected product: Netatmo Weather Station

By emulating the same usb commands of the Desktop or Mobile application used to setup the indoor sensor module, it is possible to retrieve the Wifi SSID and Password of the networks to which the station is configured in cleartext. No authentication is required. The vulnerability can be exploited both via USB or Bluetooth. The exploit requires a physical access to the device using USB cable or touching an upper button on the indoor module to activate the Bluetooth. The affected firmware versions of the indoor module are those previous v119.

Requirements

python3

pip install numpy
pip install hidapi

do not install hid

PoC Exploit

A proof of concept exploit for the USB port is available for:

• python2: exploit_usb.py
• python3: exploit_usb_v3.py

Timeline

• Discovered and reported 13/02/2016
• Acknowledge from Netatmo 18/02/2016
• Officially Fixed in release v120 on 08/03/2016