[personal profile] mjg59
Ikea recently launched their Trådfri smart lighting platform in the US. The idea of Ikea plus internet security together at last seems like a pretty terrible one, but having taken a look it's surprisingly competent. Hardware-wise, the device is pretty minimal - it seems to be based on the Cypress[1] WICED IoT platform, with 100MBit ethernet and a Silicon Labs Zigbee chipset. It's running the Express Logic ThreadX RTOS, has no running services on any TCP ports and appears to listen on two single UDP ports. As IoT devices go, it's pleasingly minimal.

That single port seems to be a COAP server running with DTLS and a pre-shared key that's printed on the bottom of the device. When you start the app for the first time it prompts you to scan a QR code that's just a machine-readable version of that key. The Android app has code for using the insecure COAP port rather than the encrypted one, but the device doesn't respond to queries there so it's presumably disabled in release builds. It's also local only, with no cloud support. You can program timers, but they run on the device. The only other service it seems to run is an mdns responder, which responds to the _coap._udp.local query to allow for discovery.

From a security perspective, this is pretty close to ideal. Having no remote APIs means that security is limited to what's exposed locally. The local traffic is all encrypted. You can only authenticate with the device if you have physical access to read the (decently long) key off the bottom. I haven't checked whether the DTLS server is actually well-implemented, but it doesn't seem to respond unless you authenticate first which probably covers off a lot of potential risks. The SoC has wireless support, but it seems to be disabled - there's no antenna on board and no mechanism for configuring it.

However, there's one minor issue. On boot the device grabs the current time from pool.ntp.org (fine) but also hits http://fw.ota.homesmart.ikea.net/feed/version_info.json . That file contains a bunch of links to firmware updates, all of which are also downloaded over http (and not https). The firmware images themselves appear to be signed, but downloading untrusted objects and then parsing them isn't ideal. Realistically, this is only a problem if someone already has enough control over your network to mess with your DNS, and being wired-only makes this pretty unlikely. I'd be surprised if it's ever used as a real avenue of attack.

Overall: as far as design goes, this is one of the most secure IoT-style devices I've looked at. I haven't examined the COAP stack in detail to figure out whether it has any exploitable bugs, but the attack surface is pretty much as minimal as it could be while still retaining any functionality at all. I'm impressed.

[1] Formerly Broadcom

Date: 2017-04-09 02:00 am (UTC)
From: (Anonymous)
Reading up on the product it seems like they want to add 'away from home' features in the future that would probably contact their servers. Would you retest if/when they do?

COAP

Date: 2017-04-09 02:05 am (UTC)
From: (Anonymous)
There is some more info on COAP and TRÅDFRI here: https://bitsex.net/software/2017/coap-endpoints-on-ikea-tradfri/

Date: 2017-04-09 02:36 am (UTC)
From: (Anonymous)
Any success reverse-engineering the protocol to play with it using FOSS?

Date: 2017-04-09 08:49 am (UTC)
ewx: (Default)
From: [personal profile] ewx
Without having looked inside the signed images at all and only having superficially looked at version_info.json, I don't see anything that obviously contributes to freshness checking; if this is indeed missing then it might be possible for an attacker to silently prevent legitimates updates reaching the device or (depending what other checks are done elsewhere) roll firmware back.

Date: 2017-04-09 10:39 am (UTC)
fluffymormegil: @ (Default)
From: [personal profile] fluffymormegil
Minimalism seems entirely in-theme for an IKEA product, really ;)

it's painful to read

Date: 2017-04-09 04:17 pm (UTC)
From: (Anonymous)
at 200 characters per line

wireless connection

Date: 2017-04-09 06:20 pm (UTC)
From: (Anonymous)
is there any analysis available for the wireless connection to the bulbs themselves?

Date: 2017-04-10 07:02 am (UTC)
From: (Anonymous)
Checkout development discussion regarding communicating with the gateway here:

https://github.com/bwssytems/ha-bridge/issues/570

Date: 2017-04-10 09:19 am (UTC)
From: (Anonymous)
When I had a quick look at the android app a while back I also found the insecure CoAP, but there was also a hardcoded api-key for what looked like a aws endpoint(http://uqeh6fio3g.execute-api.us-east-1.amazonaws.com/prod)

Also a really bad default passphrase(key_file.txt) which I think is used for generating some kind of key/cert.... I have not looked at the actual gateway at all yet.

cloudfront

Date: 2017-04-11 01:02 pm (UTC)
From: (Anonymous)
it seems the download is from AWS cloudfront.
it should be zero effort to set it up to redirect to HTTPS .
but since there isnt HSTS or preloaded, it wont help much either.

do you know if it supports IPv6? wouldnt it be internet exposed then?

Date: 2017-04-11 08:08 pm (UTC)
From: (Anonymous)
Actually, using pool.ntp.org is not fine... they're supposed to use a vendor prefix: http://www.pool.ntp.org/en/vendors.html

Wireless

Date: 2017-04-12 04:16 am (UTC)
From: (Anonymous)
It does have wireless, the "T" shaped trace is a dual band Wi-Fi antenna (the longer side is 2.4GHz, the shorter is 5GHz).

Not enabled yet though. Boot messages imply it will support Apple homekit at some point.

Trajectio support Tradfri

Date: 2017-04-17 01:13 pm (UTC)
From: (Anonymous)
Interestingly, a kickstarter I follow have just announced support for Tradfri bulbs, which means all is not lost expanding my Hue collection with the cheaper Tradfri bulbs. https://www.kickstarter.com/projects/1109816630/trajectio-motion-powered-hue-and-sonos-smart-home?ref=4sqjp1

Profile

Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Google. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.

Page Summary

Expand Cut Tags

No cut tags