A quick look at the Ikea Trådfri lighting platform

Apr. 8th, 2017 04:48 pm
[personal profile] mjg59
Ikea recently launched their Trådfri smart lighting platform in the US. The idea of Ikea plus internet security together at last seems like a pretty terrible one, but having taken a look it's surprisingly competent. Hardware-wise, the device is pretty minimal - it seems to be based on the Cypress[1] WICED IoT platform, with 100MBit ethernet and a Silicon Labs Zigbee chipset. It's running the Express Logic ThreadX RTOS, has no running services on any TCP ports and appears to listen on two single UDP ports. As IoT devices go, it's pleasingly minimal.

That single port seems to be a COAP server running with DTLS and a pre-shared key that's printed on the bottom of the device. When you start the app for the first time it prompts you to scan a QR code that's just a machine-readable version of that key. The Android app has code for using the insecure COAP port rather than the encrypted one, but the device doesn't respond to queries there so it's presumably disabled in release builds. It's also local only, with no cloud support. You can program timers, but they run on the device. The only other service it seems to run is an mdns responder, which responds to the _coap._udp.local query to allow for discovery.

From a security perspective, this is pretty close to ideal. Having no remote APIs means that security is limited to what's exposed locally. The local traffic is all encrypted. You can only authenticate with the device if you have physical access to read the (decently long) key off the bottom. I haven't checked whether the DTLS server is actually well-implemented, but it doesn't seem to respond unless you authenticate first which probably covers off a lot of potential risks. The SoC has wireless support, but it seems to be disabled - there's no antenna on board and no mechanism for configuring it.

However, there's one minor issue. On boot the device grabs the current time from pool.ntp.org (fine) but also hits http://fw.ota.homesmart.ikea.net/feed/version_info.json . That file contains a bunch of links to firmware updates, all of which are also downloaded over http (and not https). The firmware images themselves appear to be signed, but downloading untrusted objects and then parsing them isn't ideal. Realistically, this is only a problem if someone already has enough control over your network to mess with your DNS, and being wired-only makes this pretty unlikely. I'd be surprised if it's ever used as a real avenue of attack.

Overall: as far as design goes, this is one of the most secure IoT-style devices I've looked at. I haven't examined the COAP stack in detail to figure out whether it has any exploitable bugs, but the attack surface is pretty much as minimal as it could be while still retaining any functionality at all. I'm impressed.

[1] Formerly Broadcom
Tags:
  • Add Memory
  • Share This Entry
Flat | Top-Level Comments Only

Date: 2017-04-09 02:00 am (UTC)
From: (Anonymous)
Reading up on the product it seems like they want to add 'away from home' features in the future that would probably contact their servers. Would you retest if/when they do?

Date: 2017-04-09 02:07 am (UTC)
From: [personal profile] mjg59
Yup!

COAP

Date: 2017-04-09 02:05 am (UTC)
From: (Anonymous)
There is some more info on COAP and TRÅDFRI here: https://bitsex.net/software/2017/coap-endpoints-on-ikea-tradfri/

Date: 2017-04-09 02:36 am (UTC)
From: (Anonymous)
Any success reverse-engineering the protocol to play with it using FOSS?

Date: 2017-04-09 02:37 am (UTC)
From: [personal profile] mjg59
https://bitsex.net/software/2017/coap-endpoints-on-ikea-tradfri/ covers it - there's existing code that works here.

Date: 2017-04-09 08:49 am (UTC)
ewx: (Default)
From: [personal profile] ewx
Without having looked inside the signed images at all and only having superficially looked at version_info.json, I don't see anything that obviously contributes to freshness checking; if this is indeed missing then it might be possible for an attacker to silently prevent legitimates updates reaching the device or (depending what other checks are done elsewhere) roll firmware back.

Date: 2017-04-09 09:23 am (UTC)
From: [personal profile] mjg59
It's actually mildly worse than that. The hub sends an if-modified-since request and is happy to take a 304, so that's all an attacker would need to send. But it's not clear what it would be meaningfully able to do if an attacker just inserted 404s instead, so I suspect the answer remains "Don't lose control of your DNS"

Date: 2017-04-09 09:39 am (UTC)
ewx: (Default)
From: [personal profile] ewx
Depends what the higher level behavior is like - "everything is fine, no updates required" is distinct from "I have not been able to reach my update server for a year".

Date: 2017-04-10 05:46 pm (UTC)
From: (Anonymous)
Some ISPs spoof DNS lookups for non-existent domains. If the IKEA domain vanishes somehow, the device will happily download an ISP generated HTML page. Luckily, they sign their files.

Date: 2017-04-09 10:39 am (UTC)
fluffymormegil: @ (Default)
From: [personal profile] fluffymormegil
Minimalism seems entirely in-theme for an IKEA product, really ;)

it's painful to read

Date: 2017-04-09 04:17 pm (UTC)
From: (Anonymous)
at 200 characters per line

Re: it's painful to read

Date: 2017-04-11 01:58 pm (UTC)
From: (Anonymous)
Nahhh it's pretty neat and easy

wireless connection

Date: 2017-04-09 06:20 pm (UTC)
From: (Anonymous)
is there any analysis available for the wireless connection to the bulbs themselves?

Re: wireless connection

Date: 2017-04-09 07:21 pm (UTC)
From: [personal profile] mjg59
It's Zigbee, which has been pretty well examined over the years.

Date: 2017-04-10 07:02 am (UTC)
From: (Anonymous)
Checkout development discussion regarding communicating with the gateway here:

https://github.com/bwssytems/ha-bridge/issues/570

Date: 2017-04-10 09:19 am (UTC)
From: (Anonymous)
When I had a quick look at the android app a while back I also found the insecure CoAP, but there was also a hardcoded api-key for what looked like a aws endpoint(http://uqeh6fio3g.execute-api.us-east-1.amazonaws.com/prod)

Also a really bad default passphrase(key_file.txt) which I think is used for generating some kind of key/cert.... I have not looked at the actual gateway at all yet.

cloudfront

Date: 2017-04-11 01:02 pm (UTC)
From: (Anonymous)
it seems the download is from AWS cloudfront.
it should be zero effort to set it up to redirect to HTTPS .
but since there isnt HSTS or preloaded, it wont help much either.

do you know if it supports IPv6? wouldnt it be internet exposed then?

Re: cloudfront

Date: 2017-04-13 11:14 am (UTC)
From: (Anonymous)
The fact that it's http is actually good, one can set up a local http copy, removing the need for internet access at all. (I have no plan/desire to allow IoT devices internet access unless 100% whitelisted/filtered).

Date: 2017-04-11 08:08 pm (UTC)
From: (Anonymous)
Actually, using pool.ntp.org is not fine... they're supposed to use a vendor prefix: http://www.pool.ntp.org/en/vendors.html

ntp.org with no valid SSL

Date: 2017-04-12 10:15 am (UTC)
From: (Anonymous)
"This server could not prove that it is www.pool.ntp.org; its security certificate is from a.ssl.fastly.net. This may be caused by a misconfiguration or an attacker intercepting your connection."

ouch

Re: ntp.org with no valid SSL

Date: 2017-04-29 05:31 pm (UTC)
From: (Anonymous)
fastly is a CDN which sometimes uses SAN to support multiple customers on a single certificate. look at the cert for https://www.pool.ntp.org/, the Subject CN is "CN = a.ssl.fastly.net", and the "Certificate Subject Alt Name" block is full of stuff for many different customers. "Not Critical DNS Name: a.ssl.fastly.net DNS Name: *.a.ssl.fastly.net DNS Name: fast.wistia.com DNS Name: purge.fastly.net DNS Name: mirrors.fastly.net DNS Name: *.parsecdn.com DNS Name: *.fastssl.net DNS Name: voxer.com DNS Name: www.voxer.com DNS Name: *.firebase.com DNS Name: sites.yammer.com DNS Name: sites.staging.yammer.com DNS Name: *.skimlinks.com DNS Name: *.skimresources.com DNS Name: cdn.thinglink.me DNS Name: *.fitbit.com DNS Name: *.hosts.fastly.net DNS Name: control.fastly.net DNS Name: *.wikia-inc.com DNS Name: *.perfectaudience.com DNS Name: *.wikia.com DNS Name: f.cloud.github.com DNS Name: *.digitalscirocco.net DNS Name: *.etsy.com DNS Name: *.etsystatic.com DNS Name: *.addthis.com DNS Name: *.addthiscdn.com DNS Name: fast.wistia.net DNS Name: raw.github.com DNS Name: www.userfox.com DNS Name: *.assets-yammer.com DNS Name: *.staging.assets-yammer.com DNS Name: assets.huggies-cdn.net DNS Name: orbit.shazamid.com DNS Name: about.jstor.org DNS Name: *.global.ssl.fastly.net DNS Name: web.voxer.com DNS Name: pypi.python.org DNS Name: *.12wbt.com DNS Name: www.holderdeord.no DNS Name: secured.indn.infolinks.com DNS Name: play.vidyard.com DNS Name: play-staging.vidyard.com DNS Name: secure.img.wfrcdn.com DNS Name: secure.img.josscdn.com DNS Name: *.gocardless.com DNS Name: widgets.pinterest.com DNS Name: *.7digital.com DNS Name: *.7static.com DNS Name: p.datadoghq.com DNS Name: new.mulberry.com DNS Name: www.safariflow.com DNS Name: cdn.contentful.com DNS Name: tools.fastly.net DNS Name: *.huevosbuenos.com DNS Name: *.goodeggs.com DNS Name: *.fastly.picmonkey.com DNS Name: *.cdn.whipplehill.net DNS Name: *.whipplehill.net DNS Name: cdn.media34.whipplehill.net DNS Name: cdn.media56.whipplehill.net DNS Name: cdn.media78.whipplehill.net DNS Name: cdn.media910.whipplehill.net DNS Name: *.modcloth.com DNS Name: *.disquscdn.com DNS Name: *.jstor.org DNS Name: *.dreamhost.com DNS Name: www.flinto.com DNS Name: *.chartbeat.com DNS Name: *.hipmunk.com DNS Name: content.beaverbrooks.co.uk DNS Name: secure.common.csnstores.com DNS Name: www.joinos.com DNS Name: staging-mobile-collector.newrelic.com DNS Name: *.modcloth.net DNS Name: *.foursquare.com DNS Name: *.shazam.com DNS Name: *.4sqi.net DNS Name: *.metacpan.org DNS Name: *.fastly.com DNS Name: wikia.com DNS Name: fastly.com DNS Name: *.gadventures.com DNS Name: www.gadventures.com.au DNS Name: www.gadventures.co.uk DNS Name: kredo.com DNS Name: cdn-tags.brainient.com DNS Name: my.billspringapp.com DNS Name: rvm.io " It's a bit sloppy, and maybe even unprofessional to leak customer information like that. I'm guessing that fastly is a little imprecise in making sure all edge nodes have the right certificates. $ dig www.pool.ntp.org +short www-lb.ntppool.org. www-lb-fastly.ntppool.org. a.prod.fastly.net. 151.101.52.129 Also, "valid SSL" is vague, especially with additional standards like HSTS, key & cert pinning, and so on. Vanilla TLS 1.2 is pretty simple compared to where this rapidly evolving space is at today.

Re: ntp.org with no valid SSL

Date: 2017-04-29 05:32 pm (UTC)
From: (Anonymous)
sorry, thought i had the "Don't auto-format" box checked.

Wireless

Date: 2017-04-12 04:16 am (UTC)
From: (Anonymous)
It does have wireless, the "T" shaped trace is a dual band Wi-Fi antenna (the longer side is 2.4GHz, the shorter is 5GHz).

Not enabled yet though. Boot messages imply it will support Apple homekit at some point.

Trajectio support Tradfri

Date: 2017-04-17 01:13 pm (UTC)
From: (Anonymous)
Interestingly, a kickstarter I follow have just announced support for Tradfri bulbs, which means all is not lost expanding my Hue collection with the cheaper Tradfri bulbs. https://www.kickstarter.com/projects/1109816630/trajectio-motion-powered-hue-and-sonos-smart-home?ref=4sqjp1
  • Add Memory
  • Share This Entry
Flat | Top-Level Comments Only

Profile

Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Google. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.

Page Summary

Expand Cut Tags

No cut tags