Linked by Thom Holwerda on Sun 9th Apr 2017 11:30 UTC
Privacy, Security, Encryption

Ikea recently launched their Trådfri smart lighting platform in the US. The idea of Ikea plus internet security together at last seems like a pretty terrible one, but having taken a look it's surprisingly competent. Hardware-wise, the device is pretty minimal - it seems to be based on the Cypress WICED IoT platform, with 100MBit ethernet and a Silicon Labs Zigbee chipset. It's running the Express Logic ThreadX RTOS, has no running services on any TCP ports and appears to listen on two single UDP ports. As IoT devices go, it's pleasingly minimal.

It's always nice to be pleasantly surprised when it comes to non-IT companies and IT security.

Wow, no wireless
by timosa on Sun 9th Apr 2017 11:51 UTC
timosa Member since:
2005-07-06

No wifi, no bluetooth, no cloud services ... that sounds pretty solid. Probably the weakest part of the equation are the smart phones.

Reply Score: 3

Comment by smashIt
by smashIt on Sun 9th Apr 2017 15:48 UTC
RE: Comment by smashIt
by raboof on Sun 9th Apr 2017 18:21 UTC in reply to "Comment by smashIt"
raboof Member since:
2005-07-24

You quite conveniently left out "The firmware images themselves appear to be signed, but downloading untrusted objects and then parsing them isn't ideal" from that quote... which seems pretty relevant here.

Reply Score: 3

RE[2]: Comment by smashIt
by Delgarde on Sun 9th Apr 2017 20:17 UTC in reply to "RE: Comment by smashIt"
Delgarde Member since:
2008-08-19

Yep. Matthew's review doesn't claim that they're perfect... just that they're a hell of a lot better than most IoT devices he's investigated.

The firmware-download thing is a weakness, but it's one that can be reasonably easily fixed, and which at least requires some skill to exploit. Considering that the usual standard is "open telnet ports and a hardcoded factory password", this is a huge step up...

Reply Score: 5

RE[3]: Comment by smashIt
by Brendan on Mon 10th Apr 2017 05:40 UTC in reply to "RE[2]: Comment by smashIt"
Brendan Member since:
2005-11-16

Hi,

Yep. Matthew's review doesn't claim that they're perfect... just that they're a hell of a lot better than most IoT devices he's investigated.

The firmware-download thing is a weakness, but it's one that can be reasonably easily fixed, and which at least requires some skill to exploit. Considering that the usual standard is "open telnet ports and a hardcoded factory password", this is a huge step up...


Yes.

Also note that the amount of security needed varies depending on what you're trying to protect (e.g. the soggy tuna sandwich I'm planning to have for lunch doesn't necessarily need the same amount of security as the US President's bank account).

In this case, they're just lights. The worst that can happen (if there's no security at all) is some inconvenience, or maybe thieves installing spyware as a way to determine "best time for break-and-enter burglary" instead of doing the surveillance another way.

- Brendan

Reply Score: 2

RE[4]: Comment by smashIt
by Ford Prefect on Mon 10th Apr 2017 11:51 UTC in reply to "RE[3]: Comment by smashIt"
Ford Prefect Member since:
2006-01-16

A wrong assumption, and a dangerous one.

IoT devices recently made the news by playing a major role in a DDoS attack.

Another common problem is elevated trust, i.e. the possibility to spy on other devices in the same network. Think about SMB shares that are "safe" because they cannot be accessed from outside.

And before you even think of it, the code on the device uses a vulnerability in the App that ought to control it. Because why would we need to check the answers from our own lightbulb?

https://www.youtube.com/watch?v=dMjQ3hA9mEA

Reply Score: 3

RE[5]: Comment by smashIt
by ahferroin7 on Mon 10th Apr 2017 12:55 UTC in reply to "RE[4]: Comment by smashIt"
ahferroin7 Member since:
2015-10-30

Even aside from those possibilities, there are a lot more directly costly and/or dangerous possibilities. Using the example of a toaster oven, depending on how it's made, it's possible that malware there could cause it to start a fire, or at least destroy the hardware (or run it all the time to waste your money).

Reply Score: 2

RE[6]: Comment by smashIt
by Lennie on Fri 14th Apr 2017 19:23 UTC in reply to "RE[5]: Comment by smashIt"
Lennie Member since:
2007-09-22

I do know a lot of printers (hopefully all of them) have hardware protection for overheating.

Reply Score: 2

need switches not bulbs
by tkeith on Mon 10th Apr 2017 12:23 UTC
tkeith Member since:
2010-09-01

I would really like to make my lighting "smart", but the lightbulb seems like a terrible place to do that. Most of my house has fixtures, not lamps, and most fixtures have more than one bulb. Plus I do not want to use my phone to turn on lights all the time, I still want access on the wall, for me and other family members.

What we need are "smart" wall switches with the ability to still use without a smartphone. The whole industry seems backwards to me, I can't be the only one.

Reply Score: 2

RE: need switches not bulbs
by ahferroin7 on Mon 10th Apr 2017 12:58 UTC in reply to "need switches not bulbs"
ahferroin7 Member since:
2015-10-30

It depends on what it is.

If it's something like a Hue bulb with an RGB LED, then you absolutely need the controls in the bulb, because you would need to rewire the rest of the house otherwise.

For cases where there's a remote controlled dimmer involved, it will cost you less to do it at the bulb, because of how most dimmers work (this is both in terms of electronics and cost of electricity).

If it's just a switch, then yeah, it should be the wall switch, not the bulb itself.

Reply Score: 2

RE[2]: need switches not bulbs
by tkeith on Tue 11th Apr 2017 13:16 UTC in reply to "RE: need switches not bulbs"
tkeith Member since:
2010-09-01

Most LEDs available now are dimmable with normal dimmers. And RGB is very niche. I think most people would be better served by a wall switch than a light bulb.

Reply Score: 2

Comment by jal_
by jal_ on Mon 10th Apr 2017 12:37 UTC
jal_ Member since:
2006-11-02

Though the device itself seems secure, there seems no word in the article about how the device communicates with the lightbulbs. I don't care about how hackable the device is, if my lightbulbs can be easily hacked!

Reply Score: 2

RE: Comment by jal_
by Lennie on Fri 14th Apr 2017 19:26 UTC in reply to "Comment by jal_"
Lennie Member since:
2007-09-22

From the comments below the article:

"is there any analysis available for the wireless connection to the bulbs themselves?"

"It's Zigbee, which has been pretty well examined over the years."

Reply Score: 2