The established brands Philips Hue and Osram Lightify just got a new contender for a simple and cheap system: IKEA TRÅDFRI. Our security researchers put the smart light bulbs and the gateway to the test in our IoT-Labs and answered the question: Can cheap hardware from the Swedish furniture giant be secure?
Cloud communication
The IKEA TRÅDFRI eco system does not allow remote controlling at the time of testing. But this feature may be delivered later by a firmware update. The gateway checks for firmware updates at every start up and in periodic intervals. It requests an unsecured JSON file which contains a list of all available updates for all devices of the TRÅDFRI system.
Delivering the file unencrypted over http opens the possibility of modifying the file’s content and send it to the gateway. However, there is a secure https endpoint available for this URL, so we hope that IKEA might upgrade to a secure request on a later firmware version. The file names of the available firmware binaries suggest that they are signed. However, we didn’t verify this as part of this quick check. The files itself appear to be not encrypted though.
At this moment, eleven different firmware updates are offered for the different devices such as bulbs and remote control as well as for the gateway itself.
Local communication
IKEA provides an Android and iOS app to control the lightning system. To pair the app with the gateway the user needs to scan the QR code at the bottom of the gateway. The code contains the “Serial Number” (the MAC address) and “Security Code” of the device. The “Security Code” is used to establish a secure connection between the gateway and the smartphone. The communication relies on UDP and uses DTLS (SSL for UDP) for encryption. The communication is among other things protected against replay attacks by the use of DTLS. The pre-shared key used for the handshake mechanism is the “Security Code” at the bottom of the device.
Further research showed, that the IKEA TRÅDFRI system uses the CoAP (Contrained Application Protocol), which provides a REST-like interface (like a traditional API). There are already several open source projects (e.g. on github: https://github.com/stenehall/homebridge-ikea, https://github.com/hardillb/TRADFRI2MQTT) utilizing the CoAP framework to create own clients for controlling the smart home lightning system. All these tools have in common that they need the pre-shared key for communication.
Android App
IKEA really made its job while developing the Android application and implementing the communication protocol with the gateway. First off, many parts of the source code were obfuscated during compile time. Among all other apps tested on this blog this is more the exception rather than the rule. Nonetheless we were able to extract information about cryptographic behaviour, although the time spent on this aspect was increased significantly due to the obfuscation.
You may already be familiar with the procedure on how to register the gateway on your IKEA TRÅDFRI app. The scanned QR code at the bottom of the gateway contains crucial information to securely communicate between the two devices. Therefore, the app stores these information in a secure place on your Android smartphone and additionally encrypts them. The latter is an additional security feature, especially when your phone gets rooted (by the user or malware) and all other apps may be able to read the application’s stored information. The used encryption modes are more or less “state of the art” and utilize the latest android security features (when available). Using a smartphone with at least Android 4.3 (89,6% of all active phones in April 2017, https://developer.android.com/about/dashboards/index.html) grants the highest security level. On these phones the application loads the secure “Key Store” of Android, generates a secure keypair and stores it to the key store. From here on all sensitive information will be saved encrypted with the public key.
When you are using a phone that runs an older version than Android 4.3 (which is fairly outdated and a massive security hole itself) the key store API is not available. IKEA’s fallback solution encrypts the sensitive information with the secure AES algorithm. The key for encryption is retrieved from a file packaged in the apk-file. And this may be one of the few flaws the programmers did: The file is named “key_file.txt” and the chosen key is as simple as “Bar12345Bar12345”. This makes it relatively easy to decrypt the sensitive data in case the smartphone is rooted.
Privacy
Apart from firmware update or NTP queries, no internet traffic was detected in our test. We suppose, that the privacy policy is already prepared for upcoming features like remote gateway access, because it already covers the collection of Personal Data.The privacy policy is tailored to the TRÅDFRI-system and can be easily understood by 16-17-year-olds (Flesch Kincaid Reading Ease). Collected personal data will only be used for making the application work as intended. Unfortunately, it’s not defined which data is collected and which data is classified as personal data. The storage time of captured data is mentioned only imprecisely.
Once a year, information about the stored data can be requested free of charge. Correction, blocking and deletion are possible at any time. A versioning of the privacy policy with the last modification date would be desirable. The contact address for privacy concerns is only a central, international E-Mail address for the manufacturer’s “HomeSmart” segment. Telephone or postal requests are not possible.
The permissions of the Android app are limited to the necessary scope:
- Camera (Recording of QR codes for initial setup of the product)
- Network access (Communication with the gateway)
Conclusion
The aggressive price policy for TRÅDFRI and the general popularity of IKEA and its products may lead to huge increase of installed smart home (lightning) systems around the globe. From the security point of view IKEA built a solid eco system with no real security issues at the technical side. Although you should consider the extensive privacy policy that allows IKEA to gather statistics of your everyday usage. Because recorded data is not clearly specified, you can’t be sure, if it’s not just the usage of your smart light bulbs, but maybe even data from the motion sensor or other upcoming products.
For the moment, we award three out of three possible stars for the IKEA TRÅDFRI gateway and app. When IKEA releases an update that enables remote access, we will retest and finalise our rating.
Previous article 
I just have a quick look at the firmware you posted here. It seems to be not encrypted. Furthermore it seems to use EmberZNet for ZigBee from Silicon Labs and thus use EM35X as a SoC with ARM Cortex M3 and ZigBee. But with a short look at the specs it was unlikely that this is the gateway itself. After some sort search I found a pastebin from “Apr 8th, 2017” with a list of URLs and one of them contains “tradfri_gateway”.
Another short look into this file I could find certificates and even a copyright text. It seems that this file is not encrypted either.
Thank you very much for your comment! We updated the post a bit, to clarify that the files may be signed but don’t appear to be encrypted. We also added a list of currently available firmware updates. The URLs can be extracted from the version_info.json file.
Pingback: Hue! Let there be light! – AV-TEST Internet of Things Security Testing Blog