The Synopsys Software Integrity Group is now Black Duck®. Learn More

close search bar

Sorry, not available in this language yet

close language selection
  • English
  • 日本語

CyRC Vulnerability Advisory: CVE-2022-39064 IKEA TRÅDFRI smart lighting

Kari Hulkko, Tuomo Untinen

Oct 11, 2022 / 1 min read

Table of Contents

Overview

Researchers at the Black Duck Cybersecurity Research Center (CyRC) have discovered an availability vulnerability in the IKEA TRÅDFRI smart lighting system. An attacker sending a single malformed IEEE 802.15.4 (Zigbee) frame makes the TRÅDFRI bulb blink, and if they replay (i.e. resend) the same frame multiple times, the bulb performs a factory reset. This causes the bulb to lose configuration information about the Zigbee network and current brightness level. After this attack, all lights are on with full brightness, and a user cannot control the bulbs with either the IKEA Home Smart app or the TRÅDFRI remote control.

The malformed Zigbee frame is an unauthenticated broadcast message, which means all vulnerable devices within radio range are affected.

To recover from this attack, a user could add each bulb manually back to the network. However, an attacker could reproduce the attack at any time.

CVE-2022-39064 is related to another vulnerability, CVE-2022-39065, which also affects availability in the IKEA TRÅDFRI smart lighting system. Read our latest blog post to learn more.

Affected devices

IKEA Trådfri LED1732G11: all versions

Impact

CVSS 3.1 base score: 7.1
CVSS 3.1 vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Remediation

No available version fully fixes this vulnerability. Version V-2.3.091 fixes issues with some malformed frames but not with all known malformed frames.

Discovery credit

This vulnerability was discovered by CyRC researchers Kari Hulkko and Tuomo Untinen using the Defensics® fuzz testing tool.

Timeline

  • June 17, 2021: Initial disclosure to Ikea
  • October 29, 2021: Ikea confirms a fix will be produced for the vulnerability
  • June 16, 2022: Ikea releases a partial fix for the vulnerability
  • October 5, 2022: Black Duck publishes advisory

About CVSS

FIRST.Org, Inc (FIRST) is a non-profit organization based out of US that owns and manages CVSS. It is not required to be a member of FIRST to utilize or implement CVSS but FIRST does require any individual or organization give appropriate attribution while using CVSS. FIRST also states that any individual or organization that publishes scores follow the guideline so that anyone can understand how the score was calculated.

Continue Reading

Black Duck takes flight

Black Duck takes flight

Jason Schmitt
By Jason Schmitt

Oct 01, 2024 / 2 min read

Tags: Security News & Trends
A new identity for the Synopsys Software Integrity Group

A new identity for the Synopsys Software Integrity Group

Jason Schmitt
By Jason Schmitt

Aug 12, 2024 / 2 min read

Tags: Security News & Trends
CyRC Vulnerability Advisory: CVE-2024-5184s prompt injection in EmailGPT service

CyRC Vulnerability Advisory: CVE-2024-5184s prompt injection in EmailGPT service

Mohammed Alshehri
By Mohammed Alshehri

Jun 04, 2024 / 1 min read

Tags: Security News & Trends, CyRC

Explore Topics

Agile, CI/CD
AppSec Best Practices
Artificial Intelligence
Automotive
Build Security into DevOps
Cloud Security
Compliance
Container Security
CyRC
DevSecOps
DAST
Financial Services
Fuzzing
Healthcare
IAST
Internet of Things
M&A
Manage Security Risks
Medical Devices
Mobile
Orchestration & Correlation
OSS License Compliance
Pen Testing
Program Strategy & Planning
Public Sector
SAST
SCA
Secure the Software Supply Chain
Security News & Trends
Threat Modeling
Threat & Risk Assessment
Training
Web Application Security
©2024 Black Duck Software, Inc. All Rights Reserved