News, news analysis, and commentary on the latest trends in cybersecurity technology.

Any IoT Device Can Be Hacked, Even Grills

Researchers uncover a way to hack the summer cookout — but firmware updates will stop that grilled meat (or tofu) from turning into an inedible mess.

Tofu getting burned on the grill
Source: Bishop Fox

As more and more household appliances and devices become Internet-capable, they also become vulnerable to potential exploitation. For people who take grilling seriously, they now face the possibility of a ruined cookout — not because they picked the wrong cut of meat or didn’t pay close enough attention to maintaining the ideal temperature, but because their grill was hacked.

Bishop Fox’s Nick Cerne uncovered multiple vulnerabilities in certain types of Traeger grills, a widely recognized brand for grilling and smoking. The affected ones come with the Traeger Grill D2 Wi-Fi Controller, an embedded device that allows the grill to be controlled via a mobile app. The vulnerabilities could allow a remote attacker to issue commands to the grill such as obtaining details about the grill, including its serial number, or to shut it down altogether.

Setting aside the question of why any grill needs a mobile app, this kind of interference is not something most people expect when grilling. Take the first vulnerability, with a severity score of 7.1 (high), which is an insufficient authorization control issue in the API responsible for registering the grill. Bishop Fox’s research team was able to remotely shut down the grill (belonging to an employee not on the research team) and also to increase the temperature. In this case, the researchers changed the temperature from 165 degrees Fahrenheit to 500 degrees Fahrenheit.

“Instead of being smoked into a delicious meal, the tofu was reduced to a blackened, inedible crisp,” the Bishop Fox team wrote in a research note. “The lack of authorization controls could be used to antagonize Traeger grill owners by setting the temperature to the maximum of 500 degrees Fahrenheit for the remainder of a cooking cycle, ruining food that was being cooked unattended.”

While the researchers were able to wake up the grill from its standby mode, manipulate the temperature, and shut it down, they were unable to identify a way to ignite the grill remotely. But the outcome of this research highlights something that is critical to ensuring the security of Internet of Things: the ability to fix the issue.

In this case, Traeger has automatic firmware updates for its grills. This means that all Traeger grills affected by the insufficient authorization controls vulnerability and connected to the Internet have already been updated, without needing the grill owner to take any action. The challenge with Internet of Things always has been what to do when vulnerabilities are found — users are not going to download updates and then figure out how to load them into devices like refrigerators, cameras, and, in this case, grills. The fact that Traeger handles the task so that grill owners don’t have to is critical. More manufacturers have to develop update mechanisms to make it safe for users to use so many of these Internet-capable systems.

One thing to note, however, is that any potential attacker would first need the target grill’s unique 48-bit identifier. This limits the pool of attackers to one near at hand —close enough to capture network traffic while the grill is being paired with the app, or close enough to scan the QR code on a sticker located on the grill. This highlights the second thing about potential attacks against the Internet of Things: keeping an eye on what’s happening to your devices, securing the network from guests, and keeping physical control of the devices help thwart exploitation attempts.

“Bishop Fox also recommends using the physical power switch to turn off grills when not in use.” That seems like a good piece of advice all around.

About the Author

Fahmida Y. Rashid, Managing Editor, Features, Dark Reading

As Dark Reading’s managing editor for features, Fahmida Y Rashid focuses on stories that provide security professionals with the information they need to do their jobs. She has spent over a decade analyzing news events and demystifying security technology for IT professionals and business managers. Prior to specializing in information security, Fahmida wrote about enterprise IT, especially networking, open source, and core internet infrastructure. Before becoming a journalist, she spent over 10 years as an IT professional -- and has experience as a network administrator, software developer, management consultant, and product manager. Her work has appeared in various business and test trade publications, including VentureBeat, CSO Online, InfoWorld, eWEEK, CRN, PC Magazine, and Tom’s Guide.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights