Any IoT Device Can Be Hacked, Even Grills

As more and more household appliances and devices become Internet-capable, they also become vulnerable to potential exploitation. For people who take grilling seriously, they now face the possibility of a ruined cookout — not because they picked the wrong cut of meat or didn’t pay close enough attention to maintaining the ideal temperature, but because their grill was hacked.

Bishop Fox’s Nick Cerne uncovered multiple vulnerabilities in certain types of Traeger grills, a widely recognized brand for grilling and smoking. The affected ones come with the Traeger Grill D2 Wi-Fi Controller, an embedded device that allows the grill to be controlled via a mobile app. The vulnerabilities could allow a remote attacker to issue commands to the grill such as obtaining details about the grill, including its serial number, or to shut it down altogether.

Setting aside the question of why any grill needs a mobile app, this kind of interference is not something most people expect when grilling. Take the first vulnerability, with a severity score of 7.1 (high), which is an insufficient authorization control issue in the API responsible for registering the grill. Bishop Fox’s research team was able to remotely shut down the grill (belonging to an employee not on the research team) and also to increase the temperature. In this case, the researchers changed the temperature from 165 degrees Fahrenheit to 500 degrees Fahrenheit.

“Instead of being smoked into a delicious meal, the tofu was reduced to a blackened, inedible crisp,” the Bishop Fox team wrote in a research note. “The lack of authorization controls could be used to antagonize Traeger grill owners by setting the temperature to the maximum of 500 degrees Fahrenheit for the remainder of a cooking cycle, ruining food that was being cooked unattended.”

While the researchers were able to wake up the grill from its standby mode, manipulate the temperature, and shut it down, they were unable to identify a way to ignite the grill remotely. But the outcome of this research highlights something that is critical to ensuring the security of Internet of Things: the ability to fix the issue.

In this case, Traeger has automatic firmware updates for its grills. This means that all Traeger grills affected by the insufficient authorization controls vulnerability and connected to the Internet have already been updated, without needing the grill owner to take any action. The challenge with Internet of Things always has been what to do when vulnerabilities are found — users are not going to download updates and then figure out how to load them into devices like refrigerators, cameras, and, in this case, grills. The fact that Traeger handles the task so that grill owners don’t have to is critical. More manufacturers have to develop update mechanisms to make it safe for users to use so many of these Internet-capable systems.

One thing to note, however, is that any potential attacker would first need the target grill’s unique 48-bit identifier. This limits the pool of attackers to one near at hand —close enough to capture network traffic while the grill is being paired with the app, or close enough to scan the QR code on a sticker located on the grill. This highlights the second thing about potential attacks against the Internet of Things: keeping an eye on what’s happening to your devices, securing the network from guests, and keeping physical control of the devices help thwart exploitation attempts.

“Bishop Fox also recommends using the physical power switch to turn off grills when not in use.” That seems like a good piece of advice all around.