ikea-smart-light-system-flaw-lets-attackers-turn-bulbs-on-full-blast

Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

Ikea Smart Light System Flaw Lets Attackers Turn Bulbs on Full Blast

Researchers have demonstrated how an attacker could take over control of light bulbs in the Ikea Trådfri smart lighting system, ultimately turning the bulbs up to full brightness — and users can’t turn them down through the app or the remote control. 

Cybersecurity analysts at Synopsys CyRC found that if a threat actor re-sent the same malformed Zigbee frame (IEEE 802.15.4) over and over again, an attacker could advantage of two vulnerabilities (tracked under CVE-2022-39064 and CVE-2022-39065) in the Ikea Trådfri smart lighting system. 

“The malformed Zigbee frame is an unauthenticated broadcast message, which means all vulnerable devices within radio range are affected,” the Synopsys report explained. 

The result of the Internet of things (IoT) security flaw is a lighting system factory reset where the user is stripped of control over their bulbs both through the Ikea Smart Home application as well as the companion Trådfri remote control, Syopsys added. It starts with a flicker and then leaves the lights on full, permanently.

“To recover from this attack, a user could manually power cycle the gateway,” the team said. “However, an attacker could reproduce the attack at any time.”

Synopsys disclosed the smart lighting vulnerabilities to Ikea in June 2021 and Ikea released a fix in February 2022, the report added. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Related News

Researcher create polymorphic Blackmamba malware with ChatGPT

Researcher create polymorphic Blackmamba malware with ChatGPT

The malware can target Windows, macOS and Linux devices. HYAS Institute researcher and cybersecurity expert, Jeff Sims, has developed a…
Owner of Breach Forums Pompompurin Arrested in New York

Owner of Breach Forums Pompompurin Arrested in New York

Pompompurin has been charged with a single count of conspiracy to commit access device fraud. Conor Brian Fitzpatrick (aka Pompompurin,…
New Vishing Attack Spreading FakeCalls Android Malware

New Vishing Attack Spreading FakeCalls Android Malware

The attack scheme begins with the FakeCalls malware masquerading as an online banking application of a reputable South Korean financial…