Core: Tradfri coap usage will change

Created on 31 Oct 2017  路  16Comments  路  Source: home-assistant/core

Hey Guy's,

I was the creator of one of the first Tradfri python scripts on GitHub, and had close communication with the IKEA Tradfri team. They send me the following email. You maybe need to change the api call to the Tradfri gateway.

Hi,

We at IKEA would like to inform you about a change to our TR脜DFRI Gateway. We are very happy to see your interest in our gateway and have seen that you are using the CoAP interface. We consider the CoAP interface as our internal interface not developed for third party usage and therefore we do not offer any technical support for this usage. However that does not mean that we want to hinder your work in any way.

There are some security improvements in a soon coming update that we would like to inform you about since it will break your implementation. Technically the improvement is that the TR脜DFRI Gateway will start using DTLS Identities which you will need to handle in your application.

Please use the Following string to connect to the TR脜DFRI Gateway and create a new DTLS Identity.

coap-client -m post -u "Client_identity" -k "SECURITY_CODE" -e '{"9090":"IDENTITY"}' "coaps://IP_ADDRESS:5684/15011/9063"

SECURITY_CODE is what is labelled on the Gateway label, IDENTITY is any string that is representing the connection.
You will then get back a PRE_SHARED_KEY that can be use in all traffic after that.

coap-client -m get -u "IDENTITY" -k "PRE_SHARED_KEY" "coaps://IP_ADDRESS:5684/15001"

We also would like to request that the SECURITY_CODE that is printed on the gateway is never stored permanently in your application.

This information is ok to spread online but please remove my email address.

Best regards
IKEA of Sweden Tr氓dfri team

picture hvanderlaan
👍8

Most helpful comment

I'd say kudos to IKEA for reaching out with that email!

picture mbrrg on 31 Oct 2017
👍9

All 16 comments

Is this update already rolled out ? I updated my gw and now its not working anymore. Could this be a reason?

dvd77 picture dvd77 on 31 Oct 2017

Yes, seem to be related. My IKEA app said "a security has been installed".
We should raise an issue in https://github.com/ggravlingen/pytradfri

Edit:
Already in progress.
https://github.com/ggravlingen/pytradfri/issues/90

perosb picture perosb on 31 Oct 2017
👍2

The is and issue already raised
https://github.com/ggravlingen/pytradfri/issues/90

Nicxe picture Nicxe on 31 Oct 2017

I didn鈥檛 update the gateway yet so i would not know. But there is No new iPhone app therefor i think it is not yet fully implemented.

hvanderlaan picture hvanderlaan on 31 Oct 2017

Couldn't a malicious script just register an identity and then be evil? Or is this part of a wider plan.

Just curious :)

csjames picture csjames on 31 Oct 2017

@csjames i think it is because of the Apple HomeKit integration that is pending thuis fall.

I will try to update my personal code with an init function. That will request a psk and place that in de configfile. That will resolve this issue with my code. This could also be a fix for home-assistant.

hvanderlaan picture hvanderlaan on 31 Oct 2017

The iOS app is released tomorrow according to IKEA. The app will generate the code necessary to active HomeKit

Nicxe picture Nicxe on 31 Oct 2017
🎉1 👍1

Seems like this update just hit me, and my Home Assistant cannot longer talk to Tr氓dfri

wictorwilen picture wictorwilen on 31 Oct 2017
👍4

I'd say kudos to IKEA for reaching out with that email!

mbrrg picture mbrrg on 31 Oct 2017
👍9

I've just seen that the update as arrived. Gateway is running version: 1.2.42.
Nice detail, I can seel the Apple HomeKit code

coap-client -m get -u "IDENTITY" -k "PRE SHARED KEY" "coaps://IP_ADDRESS:5684/15011/15012" 2> /dev/null
# Apple HomeKit code looks like: { ... 9083: XXX-XX-XXX, ...}
# XXX-XX-XXX is your HomeKit code
# { ... 9029: 1.2.42, ... } is the version
hvanderlaan picture hvanderlaan on 1 Nov 2017

The brand new pytradfri 4.0.1 should support the new DTLS identity methods.

grischard picture grischard on 1 Nov 2017

Hi

After the command coap-client -m post -u "Client_identity" -k "SECURITY_CODE" -e '{"9090":"IDENTITY"}' "coaps://IP_ADDRESS:5684/15011/9063" e can get another key, but after put it on HomeAssistant I get this error: [coap] Fatal DTLS error: code 20

Then I tried to generate another key with another identity but it gives the same error.

What can I do?

Do I have to wait for a hass update?

BrunoN17 picture BrunoN17 on 2 Nov 2017

@BrunoN17 Yes. See home-assistant/home-assistant#10282.

grischard picture grischard on 2 Nov 2017

@grischard Thanks

BrunoN17 picture BrunoN17 on 2 Nov 2017

When will a new release of Home Assistant including this pull request be available?

dennismadsen picture dennismadsen on 2 Nov 2017

@dennismadsen this weekend if all goes well.

lwis picture lwis on 2 Nov 2017
👍4 🎉2
Was this page helpful?
0 / 5 - 0 ratings

Related issues

Elmardus picture Elmardus  路  3Comments
aweb-01 picture aweb-01  路  3Comments
piitaya picture piitaya  路  3Comments
YellowMonster76 picture YellowMonster76  路  3Comments
ofuangka picture ofuangka  路  3Comments