Keen grillers had better hope they haven't upset any cybersecurity folks, because a newly disclosed, very serious vulnerability in Traeger grills could be used for all sorts of crazy things.
With summer in full swing in the Northern Hemisphere, that means BBQ season is right around the corner. And since Traeger is one of the most trusted brands in grilling and smoking, there’s a good chance that a lot of backyard barbecues are going to be ruined if some crafty criminals have their way.
Nick Cerne, security consultant at Bishop Fox, discovered a few weaknesses in certain Traeger grills equipped with the Traeger Grill D2 Wi-Fi Controller – a built-in device that allows a grill to be controlled using a mobile app.
Successful exploitation could allow an attacker to remotely execute commands that ruin the day, such as adjusting the temperature or shutting the grill down altogether.
Some meat lovers plan their cooks down to the smallest detail to achieve perfect, smoky meat that falls off the bone. Some cooks work for hours, from the early morning onwards, before letting the finished product rest.
Changing the temperature mid-cook from a low smoke to a scorching heat can make the difference between an unforgettable backyard get-together and the worst day of the year for the host.
The first vulnerability concerns the API responsible for grill registration. Bishop Fox gave it a severity score of 7.1 (high); it has no CVE ID. The flaw is classified as an insufficient authorization check (CWE-284), and it is what allows an attacker to potentially tamper with a grillmaster's work.
To begin, a potential attacker would need to know the grill's unique 48-bit identifier. This could be obtained, for example, by capturing network traffic while the owner pairs the grill with their app.
Realistically, you would have to keep an eye on the Traeger owner's yard to know exactly when this is happening, so in that scenario the attack would be limited to disgruntled neighbors.
The other way to obtain that identifier is by scanning the QR code on a sticker inside the grill's pellet hopper. With this in mind, the pool of potential attackers ranges from a handful of neighbors to anyone who has visited the grillmaster's home (and has managed to sneak around the grill, smartphone in hand, while dodging questions from bystanders).
Bishop Fox tested the exploit against an employee's grill to which the researchers had no physical access. To get the ball rolling, they retrieved a pairing token from the Traeger API with a POST request and registered it with an AWS IoT Cognito identity.
From there, the researchers were able to push remote commands to the device via the AWS application. They forced the grill into its shutdown sequence, which can take 15-25 minutes and is recommended by the manufacturer to prevent grill fires and damage to the equipment.
Photo of a Traeger grill entering a shutdown cycle after researchers discovered a way to control it remotely – Courtesy of Bishop Fox
While this wouldn’t be the most disastrous thing – the owner’s equipment would be safely shut down – it could ruin a lengthy cooking process that the owner has spent hours working on if the temperature drops for too long.
Photo of a block of tofu burned by researchers remotely controlling a Traeger grill – courtesy of Bishop Fox
A nastier trick would be to crank up the temperature and let the food scorch in the grill. That's exactly what Bishop Fox did with a block of tofu: the researchers turned the temperature up from the recommended 165 degrees to 500 degrees, which burned the food.
We reached out to Traeger for a statement, but there was no immediate response.
A second, less severe vulnerability (4.3 – medium) was also disclosed by Bishop Fox after researchers found a way to remotely force Traeger’s GraphQL API to list every grill registered with the manufacturer with a short POST request.
The response would include various details about each grill, such as the serial number, name, description, and more. It's not as sexy as the first one, honestly.
As for fixing these bugs, grillmasters don't have to worry. Traeger has already pushed a firmware update, which is applied automatically without any intervention from owners.
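Both bugs come down to the same authorization gap: an identifier printed on a sticker is treated as the only credential, and a listing call returns devices the caller does not own. The toy Python model below is an added illustration, not Bishop Fox's or Traeger's code; the grill IDs are constructed, and the device-displayed pairing code is a hypothetical proof-of-possession mechanism, not something the page says Traeger uses. It contrasts a registry with the CWE-284 pattern against one that binds a grill to the first caller who proves physical access and scopes listing to the caller's own grills.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
import hmac
import secrets


@dataclass
class Grill:
    grill_id: str                  # public: printed on the hopper sticker / QR code
    pairing_code: str              # hypothetical one-time code shown on the controller
    owner: Optional[str] = None    # account the grill is currently bound to


def sample_grills() -> List[Grill]:
    """Constructed sample data: one grill already claimed by alice, one unclaimed."""
    return [Grill("0A1B2C3D4E5F", "4821", owner="alice"),
            Grill("112233445566", "9900")]


class WeakRegistry:
    """CWE-284 pattern: knowing the public identifier is enough to take over a grill."""
    def __init__(self, grills: List[Grill]):
        self.grills: Dict[str, Grill] = {g.grill_id: g for g in grills}

    def pair(self, grill_id: str, caller: str, pairing_code: str = "") -> Optional[str]:
        g = self.grills.get(grill_id)
        if g is None:
            return None
        g.owner = caller                      # silently rebinds an already-claimed grill
        return secrets.token_hex(16)          # pairing token handed out on ID alone

    def list_grills(self, caller: str) -> List[str]:
        return list(self.grills)              # every grill, regardless of who asks


class HardenedRegistry(WeakRegistry):
    """Identifier is public; ownership needs proof of physical access and is sticky."""
    def pair(self, grill_id: str, caller: str, pairing_code: str = "") -> Optional[str]:
        g = self.grills.get(grill_id)
        if g is None:
            return None
        if g.owner is not None and g.owner != caller:
            return None                       # already claimed: owner must unpair first
        if not hmac.compare_digest(pairing_code, g.pairing_code):
            return None                       # no proof of physical access, no token
        g.owner = caller
        return secrets.token_hex(16)

    def list_grills(self, caller: str) -> List[str]:
        return [gid for gid, g in self.grills.items() if g.owner == caller]
```

In the weak model a caller who knows only the sticker ID both hijacks the claimed grill and enumerates the whole fleet; in the hardened model the same calls return nothing.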
The manufacturer has also disabled the ListGrills feature that was at the root of the second vulnerability, so that’s all fixed now too. Just in time for that 4th of July BBQ in the US, or a soggy steak in the damp drizzle of the British election day. ®