CVE-2022-39064 An attacker sending a single malformed IEEE 802.15.4 (Zigbee) frame makes the TRÅDFRI bulb blink and perform a factory reset.

This attack can be prevented by using only authorized devices to control the lights. An attacker would need to know the specific communication channel used between the bulb and the controlling app in order to send a malicious command. For example, if the IKEA Home Smart app is connected to the TRÅDFRI bulb via Bluetooth, an attacker could send commands to the Bluetooth device and not directly to the TRÅDFRI bulb. TRÅDFRI bulbs are not susceptible to another attack method known as “man-in-the-middle”, which involves intercepting and modifying data before it is sent from device to cloud. This attack method is not possible in the TRÅDFRI case because the bulb is connected directly to the cloud (via Wi-Fi).

How to prevent the CVE-2022-39064 attack?

To prevent the CVE-2022-39064 attack, users should only use TRÅDFRI bulbs with apps that are authorized to control them.
This will reduce the chance of receiving malicious commands from an attacker.
If you're looking for a new smart light for your home, try out TRÅDFRI and enjoy their high-quality lighting!

TRÅDFRI IKEA Home Smart (CVE-2023)

IKEA has confirmed that there is a vulnerability in their product TRÅDFRI Smart Lightbulbs. This attack can be prevented by using only authorized devices to control the lights. An attacker would need to know the specific communication channel used between the bulb and the controlling app in order to send a malicious command. For example, if the IKEA Home Smart app is connected to the TRÅDFRI bulb via Bluetooth, an attacker could send commands to the Bluetooth device and not directly to the TRÅDFRI bulb. TRÅDFRI bulbs are not susceptible to another attack method known as “man-in-the-middle”, which involves intercepting and modifying data before it is sent from device to cloud. This attack method is not possible in the TRÅDFRI case because the bulb is connected directly to the cloud (via Wi-Fi).

Timeline

Published on: 10/14/2022 16:15:00 UTC
Last modified on: 10/18/2022 20:15:00 UTC

References