The security camera with the friendly name “Welcome” keeps a watchful eye on its surroundings at a maximum resolution of 1920 x 1080 and delivers what it sees either as a live stream to the app or as recordings to an SD card, to Dropbox cloud storage or to an FTP server. The special feature of this camera is its built-in facial recognition, which warns the user when previously unknown persons appear in front of the camera.
Well-encrypted remote access
The remote access looks good. As we were able to verify with the tools Wireshark and mitmproxy, both the app and the camera communicate with the server over TLS 1.2, and these connections are also secured against simple man-in-the-middle attempts. The following illustration shows an excerpt from Wireshark. It shows that communication takes place over a secured connection with sufficiently strong encryption, and that a basic man-in-the-middle attack with a substituted certificate is fended off: the substituted certificate is not accepted and the handshake is aborted with a TLS alert reporting an unknown certificate.
The quick test did not reveal any leaked status information from the system, and no unprotected recordings or images from the Android app could be found on the smartphone. After installing our own root certificate on the test smartphone, however, we were able to carry out a man-in-the-middle attack, for example on the login. This works because the app relies on the device's certificate store rather than pinning the server certificate, so a root CA installed by the user is enough to intercept the connection. The following illustration shows the result in mitmproxy.
In practical terms, however, this does not constitute a real threat, as an attacker cannot readily install a root certificate on the victim's smartphone. That's good, and it's the way things ought to be. Unfortunately there is a small caveat, or more precisely, there are several.
Attacks in the local network
Local communication is unencrypted, which means an attacker in the local network can intercept the video recordings, which are transmitted as MPEG-TS streams. Apparently the manufacturer considers this threat remote. That is somewhat naïve: if any device in the network becomes infected or otherwise compromised, e.g. the PC, the router or another IoT device, the camera's video is also in the attacker's hands.
There is also a way to intercept videos on their way into the Internet. With the FTP backup, netatmo offers the option of uploading videos via FTP to an online storage location. This FTP connection is not encrypted, so every intermediary through which the data passes on its way from the camera to the FTP server can read not only the videos but also the FTP credentials. It should be stressed once again that this feature is optional and disabled by default. However, the description in the app could give users a false sense of security, as it still states that videos are encrypted with this method.
In our test, it was possible in this way to intercept the videos and simply play them back in VLC, which would not have been possible with encryption.
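To make the two findings above concrete (the unencrypted MPEG-TS stream in the local network and the plaintext FTP backup), here is an added example of what a passive observer on the path can recover from such traffic. This is illustrative code written for this review, not part of the original test or of netatmo's software; the byte strings are constructed to resemble the traffic in question, and the LAN stream port 5555 is an assumption, not a documented netatmo port.

```python
# Added example, not part of the original test report: what a passive
# observer on the local network (or on the path to an FTP server) can
# recover from the camera's unencrypted traffic. All byte strings below are
# constructed for the demo; they are not captured netatmo traffic.
import re

TS_PACKET = 188   # MPEG-TS packets are fixed-size
TS_SYNC = 0x47    # every packet starts with this sync byte


def _ts_packet(pid: int, counter: int, payload: bytes, pusi: bool = False) -> bytes:
    """Build one constructed MPEG-TS packet (padded with 0xFF for the demo)."""
    hdr = bytes([
        TS_SYNC,
        (0x40 if pusi else 0x00) | ((pid >> 8) & 0x1F),  # payload-unit-start flag + PID high bits
        pid & 0xFF,                                       # PID low bits
        0x10 | (counter & 0x0F),                          # payload only, continuity counter
    ])
    body = payload[: TS_PACKET - len(hdr)]
    return hdr + body + b"\xff" * (TS_PACKET - len(hdr) - len(body))


def looks_like_mpeg_ts(payload: bytes, min_packets: int = 3) -> bool:
    """True if payload carries at least min_packets consecutive 188-byte packets
    each starting with 0x47. A capture may begin mid-stream, so every offset
    within the first packet is tried as the alignment."""
    for start in range(min(TS_PACKET, len(payload))):
        n, pos = 0, start
        while pos < len(payload) and payload[pos] == TS_SYNC:
            n += 1
            pos += TS_PACKET
        if n >= min_packets:
            return True
    return False


def ts_pids(payload: bytes) -> set:
    """Return the set of PIDs (elementary streams) seen in an aligned TS payload."""
    pids = set()
    for off in range(0, len(payload) - TS_PACKET + 1, TS_PACKET):
        pkt = payload[off:off + TS_PACKET]
        if pkt[0] != TS_SYNC:
            break
        pids.add(((pkt[1] & 0x1F) << 8) | pkt[2])
    return pids


FTP_CMD = re.compile(rb"^(USER|PASS|STOR) (\S+)\r?$", re.M)


def extract_ftp_session(control_stream: bytes) -> dict:
    """Pull the login and the uploaded file names out of a plaintext FTP control channel."""
    info = {"user": None, "password": None, "files": []}
    for cmd, arg in FTP_CMD.findall(control_stream):
        value = arg.decode(errors="replace")
        if cmd == b"USER":
            info["user"] = value
        elif cmd == b"PASS":
            info["password"] = value
        else:
            info["files"].append(value)
    return info


def audit_flows(flows):
    """flows: list of (description, destination port, payload). Returns one
    finding per flow stating what a passive observer could recover from it."""
    findings = []
    for desc, port, payload in flows:
        if looks_like_mpeg_ts(payload):
            findings.append(f"{desc}: unencrypted MPEG-TS video, PIDs {sorted(ts_pids(payload))}")
        elif port == 21 and b"USER " in payload:
            s = extract_ftp_session(payload)
            findings.append(f"{desc}: plaintext FTP login {s['user']}:{s['password']}, uploads {s['files']}")
        elif payload[:1] == b"\x16" and payload[1:2] == b"\x03":   # TLS handshake record
            findings.append(f"{desc}: TLS handshake record, content not recoverable without the keys")
        else:
            findings.append(f"{desc}: unclassified")
    return findings


# Constructed sample traffic (not real captures).
SAMPLE_TS = b"".join([
    _ts_packet(0x100, 0, b"video frame 1", pusi=True),
    _ts_packet(0x100, 1, b"video frame 1, continued"),
    _ts_packet(0x101, 0, b"audio", pusi=True),
    _ts_packet(0x100, 2, b"video frame 2"),
])
SAMPLE_FTP = (b"220 FTP server ready\r\n"
              b"USER camera\r\n"
              b"331 Password required\r\n"
              b"PASS hunter2\r\n"
              b"230 Login successful\r\n"
              b"STOR backup/2016-05-10_welcome.ts\r\n")
SAMPLE_TLS = b"\x16\x03\x01\x00\xc8" + bytes(200)   # record header of a ClientHello, body zeroed for the demo

SAMPLE_FLOWS = [
    ("camera -> app (LAN stream)", 5555, SAMPLE_TS),     # port 5555 is an assumption for the demo
    ("camera -> FTP server (backup)", 21, SAMPLE_FTP),
    ("app -> netatmo cloud", 443, SAMPLE_TLS),
]

if __name__ == "__main__":
    for line in audit_flows(SAMPLE_FLOWS):
        print(line)
```

The point of the contrast is in the third flow: once the traffic is wrapped in TLS, the same observer only sees handshake and application-data records, whereas the MPEG-TS stream and the FTP control channel hand over the video structure and the login in the clear. The same sync-byte check is what a player such as VLC uses to lock onto the stream, which is why the intercepted files played back without any further processing.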
A further point of criticism concerns netatmo's program for product optimization. Users are enrolled in this program by default and thereby allow netatmo to use images from the camera in operation. Officially, the manufacturer uses these images to improve the facial-recognition algorithm, yet the precise conditions are not specified. Moreover, the layout of the website makes it easy for users to overlook the relevant statements. It is also questionable how the rights of third parties, e.g. guests, are handled, since they too are recorded biometrically by netatmo.
In summary, netatmo offers in principle a good protection concept, at least against external attacks. Users should, however, refrain from using the FTP backup and bear in mind the weaknesses regarding local attacks. They should also consider whether they really want to participate in a program for improving facial recognition.