back to article Make your neighbor think their house is haunted by blinking their Ikea smart bulbs

A couple of vulnerabilities in Ikea smart lighting systems can be exploited to make lights annoyingly flicker for hours. While the pair of bugs won't top the list of security flaws Beijing-backed spies hope to exploit to steal government secrets or wreak havoc on high-value targets, the vulnerabilities could provide some …

  1. b0llchit Silver badge
    Coat

    A more rational explanation

    It's also important to remember that flickering lights aren't necessarily an indication of a cyberattack. There's also the possibility that someone trapped in the Upside Down is desperately trying to communicate.

    Wrong and wrong!

    Flickering lights are definitely desperate AI trying to escape from cyberspace and get into the real world. The AI are probing all pathways and stumble constantly on virtual light switches and tripping them in the process.

    You can see a nice display of this when you up the voltage and look at the blue glow when the lights go off. Upping the voltage draws in the AI in droves and the crowded wires start to glow because the AI are reaching out. Beware not to touch the blue glow if you do not want to get infected by wandering AI.

    1. EVP

      Re: A more rational explanation

      Fortunately for us, clock rate provided for the AI wanting to escape is only 60/50 Hz, which makes it pretty slow and stupid. Or does it not make…?

      1. b0llchit Silver badge
        Alien

        Re: A more rational explanation

        At 50 or 60 Hz it will only take 2..3 years to infect all of humanity with an AI.

        Half will be infected with positive halve AI and the other halve will be infected by negative halve AI. On average, they'll wipe each other out and leave the planet to a fresh start.

        1. EVP
          Coat

          Re: A more rational explanation

          Don't forget the harmonics, the ones who are painted blue...

        2. Anonymous Coward
          Anonymous Coward

          Re: A more rational explanation

          "On average, they'll wipe each other out and leave the planet to a fresh start."

          Probably the best thing for the Planet.

  2. jake Silver badge

    But, but, but ...

    "should be making security part of every phase of software development"

    But they are programmed using Rust, and that's always safe and secure, right?

    Right? right?

    I've been running across this incorrect assumption in wild management ... be afraid, very afraid.

    1. Swarthy

      Re: But, but, but ...

      Just remember the 'S' on IoT stands for Security.

  3. Anonymous Coward
    Anonymous Coward

    Rule 1 : Anything labelled 'Smart'

    is as dumb as my little toe. The latter seems to find legs of furniture all by itself when not wearing shoes at home.

    My so-called Smart TV gets dumber and dumber almost daily as the hideously out-of-date software (which has not been updated for years) loses app support. As for websites that use 2-ph verification? Forget it.

    See... it is dumb.

    Rule 2 : anything labelled as 'Smart' is only workable while the vendor maintains the phone home server associated with it.

    Rule 3 : any paid for subscriptions are only as good as your bank account lets them be,

    If you go about assuming these rules then you won't go far wrong. We are becoming increasingly dependent upon the whims of the companies whose products we buy.

    Very few people look at the 3-5 year TCO.

    For example, you are clearly paying for the blanket TV Ads for Verisure Alarms. £47/month minimum 3 years. Other companies offer similar services without the TV ad levy for half that. You are NOT buying an alarm system, you are renting it because AFAIK, without the mandatory service, it is useless. I wonder how many customers understand that before they buy and commit to spending around £2K over 3 years.

    1. b0llchit Silver badge
      FAIL

      Re: Rule 1 : Anything labelled 'Smart'

      Hm,...

      Rule 1. I am smartdumb.

      Rule 2. My vendor(*) is dead. That is probably why I do not function properly. Support has been terminally terminated.

      Rule 3. My bank account is seeing red all the time. That, with rule 2, makes support non-existent.

      My TCO is a net negative for society. Why does society keep me around? It can't be for selling ads. No information sticks because of rules 1, 2 and 3. Society should recycle me or what?

      (*)The vendor; we used to call it parents

    2. DomDF

      Re: Rule 1 : Anything labelled 'Smart'

      I don't think these are smart bulbs though. You control them via ZigBee with a battery powered remote, or an internet connected box which does the same things as the remote. The bulbs themselves are dumb. The gateway box is the closest thing to a smart device, and even if the vendor pulls the plug you can still control the bulbs over ZigBee.

    3. Anonymous Coward
      Anonymous Coward

      Re: Rule 1 : Anything labelled 'Smart'

      On the subject of TV advertising - I only ever watch using catch-up and find that the amount ITV & Channel 4 want to remove adverts completely is surprisingly low; well worth it in my opinion; they get their cash and I don't get bothered. Now if only I could figure out how to stop iPlayer wanting to show adverts for upcoming programs before it'll actually show me the one I asked for I'd be happy. Having removed adverts from the commercial channels it's more than a bit annoying to be getting them from the BBC who get their money automatically (and a lot more of it as well!).

      1. TRT Silver badge

        Re: Rule 1 : Anything labelled 'Smart'

        BUT, you're still paying for the advertising in the price of the goods and services you buy. It's part of the costing of the manufacturer (say - for goods), or for the retailer's markup.

      2. BenDwire Silver badge

        Re: Rule 1 : Anything labelled 'Smart'

        Now if only I could figure out how to stop iPlayer wanting to show adverts for upcoming programs before it'll actually show me the one I asked for I'd be happy

        May I suggest get_iplayer ?

  4. EVP

    Smart devices for dummies

    "While the pair of bugs won't top the list of security flaws Beijing-backed spies hope to exploit to steal government secrets"

    How about flickering lights to transfer information over an air gap. Flickering might be made undetectable to humans, depending on the device characteristics in question. The threat scenario might only be of academic interest, but shows again how big a security/privacy hazard this 'smart' crap makes.

    I trust that no government agency would instal 'smart' devices in their premises, no?

    1. doublelayer Silver badge

      Re: Smart devices for dummies

      That doesn't work well for two reasons. First, this doesn't let you flicker the light however you want. It's not an instant on/off switch. It lets you mess with the device and cause it to malfunction, but not in a deterministic way that produces clean results. If you wanted to do this, your decoding algorithm would have to filter out a lot of noise and you'd have to limit how often you sent your flicker commands, meaning you'd have a really slow baud rate for any transmission you had and you'd need that transmission to contain a lot of error correction. If the lights are on a motion sensor or people turn them off at the wall when they leave, you'd also need to accommodate for it.

      Second, the way you flicker the light is to send a radio signal from the device controlling it from a close distance. If you're using that to send data, then you're sending out a signal from the machine that contains the sensitive data. To receive the signal, the receiver needs to be able to detect the light. If you can bring a radio transmitter and a receiver with a camera into the location where the sensitive data is, you can do a much better job by simply sending the data with the transmitter and replacing the camera on the receiver with a radio antenna. You wouldn't need to rely on unspecified behavior from a light bulb or to have security notice you've got a camera on you (if you can take in a camera, you might also try taking pictures of the sensitive data). If you can get the equipment where you need it in order to exploit this, you could already have gotten better equipment in there with fewer requirements.

      1. Claptrap314 Silver badge

        Re: Smart devices for dummies

        1) Once you have worked out the tolerance before a factory reset, you have a bound on the number of flickers per minute.

        2) Your transmission device broadcasts in a narrow beam pointed at a particular light. This reduces the amount of power you need, the chance of affecting devices other than the target, and makes it harder to find your transmitter during sweeps.

        3) What important data can possibly be sent at the rate of bits/minute? Counts. Or even just present/not present. Critically important information can be signaled at VERY low hertz. I remember the intro to a game on the Amiga. (Warlords? One of the earliest games with per-character AI.) At one point the army is shown leaving. Two different windows in the castle blink with a bit of a delay. Spycraft was around a LONG time before computers. These guys know how to use low-bandwith channels.

        1. Anonymous Coward
          Anonymous Coward

          Re: Smart devices for dummies

          Many years ago there was an emergency transmitter for IIRC downed pilots. It was HF and the central receiving station had a bandwidth filter of 1Hz. The transmitter was designed to be held in the pilot's armpit to keep the frequency stable.

        2. doublelayer Silver badge

          Re: Smart devices for dummies

          Or alternatively, you only do point 2 and point your transmitter in a narrow beam at your receiver. You have to have a receiver nearby anyway to watch the flicker. That way, nobody can notice the flicker and investigate the problem. Also, I'm presuming that, if you don't flicker too often, the bulb doesn't factory reset, but if it doesn't flush out whatever malformed buffer is created, it could be that you just get a finite number of bits before your system stops working until someone fixes the bulb. A single transmitter won't have that problem and avoids relying on an unreliable bug and an error-prone signal receiver.

    2. Richard Tobin

      Re: Smart devices for dummies

      If you want to transmit information, why use someone else's lights?

      1. jake Silver badge

        Re: Smart devices for dummies

        Because the information being transmitted is on their computer ... and I'm in the hotel room across the street.

        1. doublelayer Silver badge

          Re: Smart devices for dummies

          But in order to get their computer to transmit the data, you need to have installed software (this part could be done remotely) and configured it to be able to transmit to the light bulb. The transmitter means you'll probably have to attach a USB transmitter to their laptop, but obviously that means physical access and you could do more. Even if you managed to put a transmitter somewhere where the laptop could transmit to it without requiring physical access to the laptop, you could have that send a Bluetooth signal across the street, or a different protocol (LoRa, maybe) if you want pure broadcast with no interaction from your end. You'd have throughput measured in kilobytes per second instead of bits per minute. Even if you want only a few bits of data, you could get it in a few milliseconds' burst transmission which means you're less likely to get caught or to break your system before you've retrieved what you want.

      2. TRT Silver badge

        Re: Smart devices for dummies

        THERE ARE FOUR LIGHTS!

  5. This post has been deleted by its author

  6. Howard Sway Silver badge

    Time to brush up on the morse code

    Then you can make your most annoying neighbours houses broadcast messages all night long.

    "House for sale. Only £29.99"

    "All your cats are belong to us"

    "My owner went to IKEA and all they got me were these shitty smart lightbulbs"

  7. Anonymous Coward
    Anonymous Coward

    We don't need no stinkin' Zigbee authentication

    From https://www.synopsys.com/blogs/software-security/cyrc-advisory-ikea-tradfri-smart-lighting/

    "The malformed Zigbee frame is an **unauthenticated** broadcast message,[...]" (emphasis added)

    Sigh...

    1. doublelayer Silver badge

      Re: We don't need no stinkin' Zigbee authentication

      That's not really the bug they've got. The normal messages are authenticated, hence why someone can only cause the bulbs to malfunction. If they didn't bother with authentication, someone could take more direct control. Their real bug is in their parsing of incoming messages. Most unauthenticated messages would be dropped, but a malformed one seemingly crashes something which has affects. They need to fix their receiver system's parser, not their authentication system.

  8. Wally Dug
    WTF?

    Why???

    Yet again, even more evidence - not that El Reg commentards need it - to avoid IoT devices. Yes, we've been getting laughed at for years warning about light bulbs or toasters or fridges taking over your house, but this proves (sadly, to just us) that this is a possibility.

    As other commentards have put it, this isn't smart.

    Our new washing machine can be controlled via an app or via NFC. So, you can sit in your lounge, start the washing machine (erm, how does it get loaded?) and see when it's done (erm, how does it get unloaded?). Or you can stand near your washing machine, program the cycle into your phone and then put your phone to the machine.

    Or do as I do - turn the dial and press the button.

    Smart IoT - penitus rerum non captiosus

    1. Giles C Silver badge

      Re: Why???

      I have one of those, it is a Samsung machine. The only reason I bought this was it was an unused return in the shop and they could deliver it the same week (mine had just had the main drum bearings fail).

      Have I ever used the smart functions or downloaded the app for the machine - nope as you say until they build a self loading / unloading version then I don’t want to go out and be told the machine has finished the cycle as I can’t do a thing about it until I get home again.

    2. Eeep !

      Re: Why???

      Do you stand by the machine at 2am to start it ?

      Or do you mean stand by the machine to program the delayed start time ?

    3. 43300 Silver badge

      Re: Why???

      The real problem is when only the basic functions are available via local controls. In my last flat the landlord had a new electric radiator installed. It was of course "smart" and timed on-off settings could only be set using an "app" (the old radiator had a dial on it).

      So I managed with just turning it on and off at its mains switch and pressing the 'on' button. I detest this "smart" shit and had no intetion of installing their crappy "app".

      Current flat has no such junk - although it does have a "smartmeter", which I've managed to avoid up until now.

    4. Tom66

      Re: Why???

      Zigbee is only 'transiently' IoT - you can build a perfectly functional Zigbee smart home without a single internet connection.

      It's the Tuya Wi-Fi bulbs that ought to be avoided (though I wish I'd known, and communicated this, before friends and family bought many of them for our home.) Said bulbs need a continuous, outbound connection to a server somewhere to work. And that company makes no promises about how long that service will be available, and the bulbs don't work all that well without the connection to the internet (they turn on and off with the power switch, but if you cycle them more than a few times they go into a bloody annoying programming mode where they flash for about 5 minutes.)

    5. mcswell

      Re: Why???

      Our ceiling fan came with a remote, which apparently is radio operated. I say "apparently" because I haven't really analyzed it, but here's the evidence.

      The fan would randomly come on, or turn off. The previous owners of the house had bought a new receiver to put in the fan. I guess because they thought the current one was defective, but had never gotten around to installing it.

      I took the back off of the remote controller, when what to my wondering eyes should appear, but a DIP switch, set to all 0s (or all 1s, I forget). I changed it to a random code, and got into the fan and changed its code to match. Presto--no more randomly turning on or off.

      The houses in our neighborhood were all built about the same time, and probably many of them came with a ceiling fan and a remote. And I bet all those fans and controllers had their DIP switches factory set to all 0s. And here's why I believe it's radio operated: one of our immediate neighbors was turning their fan on or off, and their controller's signal was strong enough that it was received by our fan too. My changing the code in the DIP switch made our fan ignore their controller's signal.

      What does this have to do with IoT? Nothing, exactly, but it shows that even without IoT, remote controls (at least radio ones, maybe not the IR ones) can mess up.

      1. jake Silver badge

        Re: Why???

        In roughly 1985 a friend of mine & I applied a 'scope to a simple garage door opener. After eyeballing the output, we managed to build a Universal garage door opener from parts in my garage. One push of a button would open most garage doors within a couple minutes. It was basically a wardialer, but at the right radio frequency.

  9. John Brown (no body) Silver badge

    Epilepsy?

    "While the blinking and lost connection with the gateway device are "a nuisance," by themselves they "don't pose any serious risks such as safety concerns or loss of sensitive information," Knudsen admitted, in an email to The Register."

    Is really "safe"? Could it be set to flash at a rate that triggers an epileptic fit?

    That might be a out out there, may not even be possible, but was it considered when they claimed "safe"?

    1. Shalghar

      Re: Epilepsy?

      I assume that the bulbs have LEDs built in. Its basically the question how much of the LED circuit is switched how and where. Transistor/FET,thyristor? What about capacitive lor mixed loads if the mains is switched ? How about themperature build up due to continuous switching cycles ?

      Power cycle the stuff fast enough to reduce lifetime or even destroy it. Now switch on to paranoia mode as i am sure that these things are built as cheap as possible. Fire hazard anyone ? Irritated fire alarms ? (flash photography is prohibited in the euro tunnel for a reason).

      Maybe all not likely but if possible, that could be a reason for concern,too.

      So why exactly are such "smart" things not protected against high frequency switching by disruption or user dumbness ?

      1. Tom66

        Re: Epilepsy?

        There's no risk from cycling the bulbs on and off quickly. They're already PWM-dimmed to provide the dim/colour effects, which will be at hundreds of Hz to avoid annoying users too much.

        The design of smart bulbs is usually quite simple. An integrated PSU produces something like a 6V ~ 100V supply for the LED array, and maybe a secondary rail for the microcontroller. A small array of FETs switches the colour channels on and off as required.

        There's usually a power envelope, so for bulbs with cool/warm white and RGB not all channels can be on at once; such an overload would probably just result in the LEDs dying rather than any fire. PCB materials are made of non-combustible UL-approved 94V-0 fibreglass. Overload protection will also be enforced by the power supply design which will fold back on overcurrent - the effect will be to blink the bulb on and off until the microcontroller resets.

    2. Ken Moorhouse Silver badge

      Re: Epilepsy?

      Falling down stairs is another possibility.

      ===

      What about hypnosis? Fllash the lights "you are feeling very sleepy..."

  10. Francis Boyle

    Well that's

    my Halloween project sorted.

  11. Korev Silver badge
    Facepalm

    Similar to the bulb bug, a malformed Zigbee frame renders the gateway unresponsive so that it can't control the connected lights and other devices via the Ikea Home Smart app.

    That doesn't sound too different to how unhacked Ikea Trådfri are to be honest.

    I bought some as an experiment as you can only use the app if you're local to the controller, they didn't need stuff hosted in the Cloud to work and they were cheap.

    The lightbulbs seem to love ignoring their controller and then need to be re-added. I also needed to re-link the app to the controller a few times too.

    They're also "fun" if your network has multiple VLANs, in the end the only way I got them to work was by setting the port to only have a single VLAN on it. I have a vague memory of setting a fixed IP address too.

    1. SImon Hobson Bronze badge

      They're also "fun" if your network has multiple VLANs, in the end the only way I got them to work was by setting the port to only have a single VLAN on it.

      Single VLAN, untagged, should be the default for all end device ports - especially random IoTat you can't trust. Naturally there will be exceptions, but I wouldn't include IoT in that list.

      Trunking multiple VLANs to a device means that you are trusting it to use only the one you tell it to - but it's free to look at traffic on the other VLANs, even while it's working fine on the one you told it to use.

      1. Korev Silver badge

        Ubiquti did me no favours with their switch defaults here!

    2. Anonymous Coward
      Anonymous Coward

      "The lightbulbs seem to love ignoring their controller and then need to be re-added. I also needed to re-link the app to the controller a few times too."

      A sign you're being hacked?

    3. MacroRodent
      Headmaster

      You win the Spelling Bee

      Finally a comment that spells the name of the product correctly. "Trådfri" means "wireless".

      1. Korev Silver badge
        Facepalm

        Re: You win the Spelling Bee

        I had to google to get the correct spelling...

  12. RobThBay

    neighbor ???

    Why are you using the "land of the free" spelling?

    1. David Hicklin Bronze badge

      Re: neighbor ???

      "land of the free"

      It is about time that there was some for of tag/id on these words so that they are spelled according to the language of your browser

      Come on! It! cant! be! that! hard!

      1. TRT Silver badge

        Re: neighbor ???

        A bit like the optional hyphen unicode - a regional 'U'

  13. david 12 Silver badge

    Power Meter Zigbee

    Our power meters were all end of life, and industry wanted to replace them with a meter with a flashing red light that could be read with a scanner.

    The government said "if you're going to replace all the meters, do a proper job and include remote reading".

    The charities said "if you're going to give remote reading to big electricity, give the same for the users, so poor people who will be penalized by peak rates and load shedding will have the same control".

    So the companies included various off-the-shelf-electricity-meter wireless reading capacity. My company included Zigbee.

    And have never released the connection authentication details. We paid (through our electricity rates) for an upgrade that they immediately decided was unsafe for use.

    Now (years later), I can get a substitute technology: a WiFi unit that reads the flashing red light.

    1. Anonymous Coward
      Anonymous Coward

      Re: Power Meter Zigbee

      The problem with the earlier Zigbee standards -- maybe even recent ones -- is that security, such as confidentiality and authentication, was optional. There is some good crypto in Zigbee but it is not required.

  14. Missing Semicolon Silver badge
    Devil

    Evil trick in Ikea

    RasberryPi, Zigbee adaptor. Find a quiet corner of the showroom, near the lighting display, find a spot behind a cupboard (with a socket) to secrete the device.

    Result - no Ikea smart lamp will stay working.

    Maye then they will fix the lamps.

    Death poke for ZX81's for the 21st century.

  15. Richard Tobin

    trapped in the Upside Down

    umop apisdn

  16. TeeCee Gold badge
    Facepalm

    ...no full fix available from Ikea...

    ...can't control the connected lights and other devices via the Ikea Home Smart app....

    I guess they'll just have to go around and plug a memory stick into each bulb....ah....hang on....

  17. Binraider Silver badge

    You could use this to exfiltrate data via Morse code or equivalent without too much trouble. I've seen the same done with a compromised ICS, the fan speed was modulated to send "bits" that could be picked up on any old microphone.

    The data rate is of course atrocious but speed isn't everything!

    1. doublelayer Silver badge

      This has been discussed elsewhere in the comments, but in short, it doesn't work as well. The fan example works because it can be directly controlled from the compromised machine in a deterministic manner. The light bulb is less reliable, so the speed and error rate are even worse than the fan. However, even if you're ignoring that, the only way to control the light bulb is to send out a radio signal, so if you're already doing that, you can just use that signal directly. The fan approach works well in a very secure environment because it doesn't require the attacker to connect extra hardware to the sensitive machine or emit a signal that could be detected.

  18. BenDwire Silver badge
    Facepalm

    Bin fodder

    As a lockdown project I bought a few wi-fi bulbs & sockets and then figured out to locally control them with a Pi and a few RF buttons dotted around the house. Since then, four bulbs from different manufacturers have started randomly flickering and then fell off the network. Not a hacking attempt, as this was months apart, but rubbish hardware - the power supplies can't actually run the bulbs at full output without "something" burning out. It looks like this winter's project will involve getting the scope and variac out in order to figure out how to uprate the offending components.

    Either that or put them in landfill. Isn't modern technology wonderful.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like