Ikea recently launched their Trådfri smart lighting platform in the US. The idea of Ikea plus internet security together at last seems like a pretty terrible one, but having taken a look it’s surprisingly competent. Hardware-wise, the device is pretty minimal – it seems to be based on the Cypress WICED IoT platform, with 100MBit ethernet and a Silicon Labs Zigbee chipset. It’s running the Express Logic ThreadX RTOS, has no running services on any TCP ports and appears to listen on two single UDP ports. As IoT devices go, it’s pleasingly minimal.
It’s always nice to be pleasantly surprised when it comes to non-IT companies and IT security.
No wifi, no bluetooth, no cloud services … that sounds pretty solid. Probably the weakest part of the equation are the smart phones.
sure
ever heard of hacked routers, modems, switches?
basing your security on the dns-service is a massive fail
Edited 2017-04-09 15:49 UTC
You quite conveniently left out “The firmware images themselves appear to be signed, but downloading untrusted objects and then parsing them isn’t ideal” from that quote… which seems pretty relevant here.
Yep. Matthew’s review doesn’t claim that they’re perfect… just that they’re a hell of a lot better than most IoT devices he’s investigated.
The firmware-download thing is a weakness, but it’s one that can be reasonably easily fixed, and which at least requires some skill to exploit. Considering that the usual standard is “open telnet ports and a hardcoded factory password”, this is a huge step up…
Hi,
Yes.
Also note that the amount of security needed varies depending on what you’re trying to protect (e.g. the soggy tuna sandwich I’m planning to have for lunch doesn’t necessarily need the same amount of security as the US President’s bank account).
In this case, they’re just lights. The worst that can happen (if there’s no security at all) is some inconvenience, or maybe thieves installing spyware as a way to determine “best time for break-and-enter burglary” instead of doing the surveillance another way.
– Brendan
A wrong assumption, and a dangerous one.
IoT devices recently made the news by playing a major role in a DDoS attack.
Another common problem is elevated trust, i.e. the possibility to spy on other devices in the same network. Think about SMB shares that are “safe” because they cannot be accessed from outside.
And before you even think of it, the code on device uses a vulnerability in the App that ought to control it. Because why would we need to check the answers from our own lightbulb.
https://www.youtube.com/watch?v=dMjQ3hA9mEA
Even aside from those possibilities, there are a lot more directly costly and/or dangerous possibilities. Using the example of a toaster oven, depending on how it’s made, it’s possible that malware there could cause it to start a fire, or at least destroy the hardware (or run it all the time to waste your money).
I do know a lot of printers (hopefully all of them) have hardware protection for overheating.
I would really like to make my lighting “smart”, but the lightbulb seems like a terrible place to do that. Most of my house has fixtures, not lamps, and most fixtures have more than one bulb. Plus I do not want to use my phone to turn on lights all the time, I still want access on the wall, for me and other family members.
What we need are “smart” wall switches with the ability to still use without a smartphone. The whole industry seems backwards to me, I can’t be the only one.
It depends on what it is.
If it’s something like a Hue bulb with an RGB LED, then you absolutely need the controls in the bulb, because you would need to rewire the rest of the house otherwise.
For cases where there’s a remote controlled dimmer involved, it will cost you less to do it at the bulb, because of how most dimmers work (this is both in terms of electronics and cost of electricity).
If it’s just a switch, then yeah, it should be the wall switch, not the bulb itself.
Most LEDs available now are dimmable with normal dimmers. And RGB is very niche. I think most people would be better served by a wall switch than a light bulb.
Though the device itself seems secure, there seems no word in the article about how the device communicates with the lightbulbs. I don’t care about how hackable the device is, if my lightbulbs can be easily hacked!
From the comments below the article:
“is there any analysis available for the wireless connection to the bulbs themselves?”
“It’s Zigbee, which has been pretty well examined over the years.”