Failure To Remove Debug Code Results In WiFi Password Transmitted In Plain Text

The Netatmo weather station was released with debug code left in the production code, which resulted in the user’s WiFi password being transmitted in the clear and stored “in the cloud.” There is a patch available for this vulnerability; however, it illustrates three important facts: 1) you need to keep up on patches, 2) you need to be certain where your data is going, and 3) if you are conducting a pentest, listen to the network. As we say here at Protocol 46: Own the network, Own the data!

You can find the excellent article on this vulnerability at: https://isc.sans.edu/forums/diary/Did+You+Remove+That+Debug+Code+Netatmo+Weather+Station+Sending+WPA+Passphrase+in+the+Clear/19327/
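One way to act on "be certain where your data is going" is to set a throwaway canary passphrase on a test network and search a device's captured outbound payloads for it, including simple encodings of it. The sketch below is an added example, not code from this post or the SANS diary; the passphrase, addresses and payloads are constructed and do not reproduce the Netatmo traffic format.

```python
import base64
import binascii
import re
from urllib.parse import unquote_to_bytes

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{8,}")

def b64_decodings(payload):
    """Decode every base64-looking run at all four start alignments."""
    for match in B64_RUN.finditer(payload):
        for skip in range(4):
            chunk = match.group()[skip:]
            if len(chunk) % 4 == 1:          # impossible length, drop one char
                chunk = chunk[:-1]
            chunk += b"=" * (-len(chunk) % 4)
            try:
                yield base64.b64decode(chunk)
            except binascii.Error:
                continue

def leak_encoding(payload, secret):
    """Return how `secret` appears in `payload`, or None if it does not."""
    if secret in payload:
        return "plain"
    if secret in unquote_to_bytes(payload):
        return "url-encoded"
    if secret.hex().encode() in payload.lower():
        return "hex"
    if any(secret in decoded for decoded in b64_decodings(payload)):
        return "base64"
    return None

def find_leaks(records, secret):
    """records: (destination, payload bytes) pairs taken from a capture."""
    found = ((dst, leak_encoding(p, secret)) for dst, p in records)
    return [(dst, enc) for dst, enc in found if enc]

# Constructed sample data: throwaway passphrase and made-up payloads.
CANARY = b"Canary Horse&Battery9"
SAMPLE = [
    ("192.0.2.10:80", b"POST /diag HTTP/1.1\r\n\r\nssid=Lab&psk=" + CANARY),
    ("192.0.2.10:80", b"GET /d?psk=Canary%20Horse%26Battery9 HTTP/1.1"),
    ("192.0.2.11:25050", b"dbg:" + CANARY.hex().encode()),
    ("192.0.2.11:25050", b"/log/" + base64.b64encode(b'{"key":"' + CANARY + b'"}')),
    ("192.0.2.12:443", b"temp=21.5&humidity=40"),
]

if __name__ == "__main__":
    print(find_leaks(SAMPLE, CANARY))
```

A hit against any destination means the passphrase left the device readable on the wire; an empty result only covers the encodings checked here and says nothing about encrypted channels.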

Post by Protocol 46