CVE-2022-39064 is an availability vulnerability affecting IKEA TRÅDFRI smart bulbs.
Researchers at the Synopsys Cybersecurity Research Center (CyRC) have discovered an availability vulnerability in the IKEA TRÅDFRI smart lighting system. An attacker sending a single malformed IEEE 802.15.4 (Zigbee) frame makes the TRÅDFRI bulb blink, and if they replay (i.e. resend) the same frame multiple times, the bulb performs a factory reset. This causes the bulb to lose configuration information about the Zigbee network and current brightness level. After this attack, all lights are on with full brightness, and a user cannot control the bulbs with either the IKEA Home Smart app or the TRÅDFRI remote control.
The malformed Zigbee frame is an unauthenticated broadcast message, which means all vulnerable devices within radio range are affected.
To recover from this attack, a user could add each bulb manually back to the network. However, an attacker could reproduce the attack at any time.
CVE-2022-39064 is related to another vulnerability, CVE-2022-39065, which also affects availability in the IKEA TRÅDFRI smart lighting system. Read our latest blog post to learn more.
IKEA Trådfri LED1732G11: all versions
CVSS 3.1 base score: 7.1
CVSS 3.1 vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
No available version fully fixes this vulnerability. Version V-2.3.091 fixes issues with some malformed frames but not with all known malformed frames.
This vulnerability was discovered by CyRC researchers Kari Hulkko and Tuomo Untinen using the Defensics® fuzz testing tool.
FIRST.Org, Inc (FIRST) is a non-profit organization based out of US that owns and manages CVSS. It is not required to be a member of FIRST to utilize or implement CVSS but FIRST does require any individual or organization give appropriate attribution while using CVSS. FIRST also states that any individual or organization that publishes scores follow the guideline so that anyone can understand how the score was calculated.