It is a familiar problem: people often forget to ventilate, and lack of concentration and tiredness are the result. Air quality sensors can help here, so we took a look at the weather station and the Home Coach from Netatmo and put them on the security test bench.
At first glance, Netatmo Weather and Home Coach look very similar, except for the case color. The features are similar as well, but the purpose is slightly different. The Netatmo Weather has been on the market for several years now and provides the user with all kinds of useful sensor data thanks to its thermometer, barometer, humidity and CO2 meters, and noise measurement. Among other things, the CO2 concentration (in ppm) is used to display the air quality in the room. This is where the Netatmo Home Coach steps in: it actively notifies the user about the current air quality.
Even though Netatmo Weather and Home Coach are very similar, two different apps are needed to access them. The Netatmo Weather app (Android, iOS) displays all data from the weather station, while the Netatmo Healthy Home Coach app (Android, iOS) gives access to the indoor climate monitor.
Both apps were subjected to static and dynamic analysis. The analyses did not reveal any critical weaknesses, although there were some minor points in both apps that the manufacturer should take a look at. These include compiler flags that should be set to prevent buffer overflow attacks. Overall, however, the security concept of the apps can be considered solid.
The Netatmo devices are completely cloud-based and can therefore only be accessed via the Internet. We did not detect any local communication after setup.
The internet communication of both Netatmo devices and apps was encrypted at all times. While the apps use standard protocols (TLS 1.2), the communication between the Netatmo devices and the manufacturer’s cloud seems to use proprietary encryption. Even if the data transmitted in this case is not highly confidential, we would recommend encryption using standard protocols.