Make your neighbor think their house is haunted by blinking their Ikea smart bulbs

A couple of vulnerabilities in Ikea smart lighting systems can be exploited to make lights annoyingly flicker for hours.

While the pair of bugs won't top the list of security flaws Beijing-backed spies hope to exploit to steal government secrets or wreak havoc on high-value targets, the vulnerabilities could provide some mildly disruptive entertainment for, say, an annoying next-door neighbor looking for some spooky-month hi-jinx.

Jonathan Knudsen, head of global research at Synopsys Cybersecurity Research Center, led a team that discovered the vulnerabilities by fuzzing Ikea's Tradfri bulbs and their gateway via Zigbee Light Link, the wireless protocol the devices use to communicate and receive commands.

In a couple write-ups about the bugs, the researchers described how CVE-2022-39064, the vulnerability in the Tradfri smart bulbs, could be exploited by sending a single malformed Zigbee frame over the air that makes the light blink. Resending the frame multiple times forces the bulb to perform a factory reset, which erases its configuration and other information, such as brightness level. 

"After this attack, all lights are on with full brightness, and a user cannot control the bulbs with either the Ikea Home Smart app or the Tradfri remote control," the team noted. 

This bug received a CVSS severity score of 7.1 out of 10, and it affects all versions of the lightbulb. There's also no full fix available from Ikea, and because the malformed Zigbee frame is an unauthenticated broadcast message, all vulnerable devices within radio range are affected.

"To recover from this attack, a user could add each bulb manually back to the network," according to the alert. "However, an attacker could reproduce the attack at any time."

CVE-2022-39064 is related to a second vulnerability, CVE-2022-39065, that affects the Ikea Tradfri smart lighting gateway, which controls the lights. Similar to the bulb bug, a malformed Zigbee frame renders the gateway unresponsive so that it can't control the connected lights and other devices via the Ikea Home Smart app.

However, the lighting gateway vulnerability, which earned a 6.5 CVSS rating, does have a fix: upgrading the gateway software to version 1.19.26 or later. Synopsys disclosed both bugs to Ikea in June 2021, and four months later the mega retailer confirmed it would fix them. In February this year, it did release a fix for the lighting gateway flaw, and in June it issued a partial fix for the bulb. 

When asked about the vulnerabilities, an Ikea spokesperson told The Register: "We continue our work to improve the safety and functionality of our smart devices."

"It is not currently possible to gain access to sensitive information inside Tradfri Gateway or other Ikea smart devices," the spokesperon continued. "Most importantly, the identified issue is not jeopardizing the safety of our customers. The issue can be replicated in other, already known, ways due to the design of the Zigbee protocol."

• Too busy feasting on meatballs, Windows struggles to update itself in IKEA
• Take a former NSA head hacker, a Raspberry Pi, weird Kiwi radios and what do you get?
• Papa John's sued for 'wiretap' spying on website mouse clicks, keystrokes
• Top of the Pops: US authorities list the 20 hottest vulns that China's hackers love to hit

While the blinking and lost connection with the gateway device are "a nuisance," by themselves they "don't pose any serious risks such as safety concerns or loss of sensitive information," Knudsen admitted, in an email to The Register.

Not just fun and games

But there's a catch. "A deeper analysis of exploitability could reveal a chance for an attacker to take control of a bulb or a gateway, which would pose a more serious risk," he added.

"We haven't performed (and won't perform) this deeper analysis; our interest is improving the software ecosystem by working with vendors to fix security vulnerabilities."

There's also the potential issue that other smart home devices that use the same wireless protocol could be vulnerable, and we're told fuzzing may uncover similar bugs across other product lines. 

Knudsen suggests that manufactures test their devices earlier in the development phase. "Organizations that build such devices should be making security part of every phase of software development, including testing such as static analysis, software composition analysis, fuzzing and more," he said.

This is especially true when, as with Ikea lights, it's relatively cheap and easy to pull off an annoying, albeit not dangerous, cyberattack, he warned. 

"An attacker with low-cost hardware (a laptop and a $25 radio device) can exploit this vulnerability with no prior knowledge of a victim," Knudsen said. "Furthermore, the attack can be launched from a distance, typically 10 meters to 100 meters."

It's also important to remember that flickering lights aren't necessarily an indication of a cyberattack. There's also the possibility that someone trapped in the Upside Down is desperately trying to communicate. ®