As Much As You Might Be Tempted, Don’t Screw Up Today’s BBQ

Keen meatheads better hope they haven’t angered any cybersecurity folk before allowing their Traeger grills to update because a new high-severity vulnerability could be used for all kinds of high jinks.

With summer in full swing in the northern hemisphere, it means BBQ season is upon us, and with Traeger being one of the most trusted brands in grilling and smoking, there’s a good chance that many backyard cookouts could be ruined if crafty crims have their way.

People eating onion rings with other food in a pub setting

We need to talk about criminal adversaries who want you to eat undercooked onion rings

READ MORE

Nick Cerne, security consultant at Bishop Fox, discovered a few weaknesses in certain Traeger grills, ones that have the Traeger Grill D2 Wi-Fi Controller installed – an embedded device allowing a grill to be controlled using a mobile app.

Successful exploits could allow a remote attacker to execute day-ruining commands such as temperature change controls or shutting down the grill altogether.

Some meat enthusiasts will meticulously time their cooks for perfect, smoky, fall-off-the-bone meat, with some cooks spanning hours, deep into the early morning before leaving the final product to rest.

Should the temperature be adjusted mid-cook from a gentle low flame to searing heat, it could be the difference between a backyard gathering for the ages and the worst day of a host’s year.

The first vulnerability in question concerns the API responsible for grill registration. Bishop Fox assigned it a severity score of 7.1 (high) and it has no CVE ID. The flaw is classed as an insufficient authorization control issue (CWE-284). This is what allows an attacker to potentially mess with a grillmaster’s work.

For starters, any would-be attacker would need to know the target grill’s unique 48-bit identifier, which could feasibly be carried out by capturing network traffic while the griller tries to pair the grill with their app.

Realistically, you’d need eyes on the Traeger owner’s garden to know exactly when this is happening, so the attack may only be limited to irked neighbors in this regard.

The other way of obtaining that identifier is by scanning the QR code on a sticker located inside the grill’s pellet hopper. With this in mind, the number of potential attackers extends beyond a small number of neighbors to anyone who’s visited the grillmaster’s home (and been able to suspiciously skulk around the grill, smartphone in hand, all while avoiding any questions from onlookers).

Bishop Fox went tested the exploit using an employee’s grill that wasn’t accessible to the researchers. To get the ball rolling, they retrieved a pairing token from the Traeger API after making a POST request and registered it to an AWS IoT Cognito identity.

From there, researchers were able to push commands to the device remotely from its AWS application. They were able to force the grill into engaging its shutdown sequence, which can last between 15-25 minutes and is recommended by the manufacturer to avoid grill fires and equipment damage.

Photo of a Traeger grill entering its shutdown cycle after researchers discovered a way to control it remotely – courtesy of Bishop Fox

Photo of a Traeger grill entering its shutdown cycle after researchers discovered a way to control it remotely – courtesy of Bishop Fox

While this wouldn’t be the most catastrophic thing to happen – the owner’s equipment would be powered off safely – it could ruin a long cook that the owner has slaved over for hours if the temperature dies for too long.

Photo of the block of tofu burnt by researchers remotely controlling a Traeger grill – courtesy of Bishop Fox

Photo of the block of tofu burnt by researchers remotely controlling a Traeger grill – courtesy of Bishop Fox

A more conniving trick would be to crank up the temperature and burn whatever food is inside the grill to a crisp, which is exactly what Bishop Fox did to a block of tofu, changing the temperature to 500 degrees from the recommended 165 and consequently incinerating it.

We asked Traeger for a statement but it didn’t immediately respond.

A second, less severe vulnerability (4.3 – medium) was also disclosed by Bishop Fox after researchers found a way to remotely force Traeger’s GraphQL API to list every grill registered with the manufacturer with a short POST request.

The response would include various details about each grill such as its serial number, name, description, and more. It’s not quite as sexy as the first one, in truth.

As for fixing these bugs, grillmasters needn’t worry. Traeger has already upgraded its firmware, which will be applied automatically with no intervention required from owners.

The manufacturer also disabled the ListGrills function that underpinned the second vulnerability, so that’s all sorted now too. Just in time for that July 4 barbecue in the US, or a wet steak amid the humid drizzle on UK election day. ®

READ MORE HERE