HELLFIRE
MVM
join:2009-11-25

8 recommendations

Traeger security bugs bad news for grillers with neighborly beef

Snark in titles and article courtesy of and credit to TheRegister : »www.theregister.com/2024 ··· ty_bugs/ -- Never risk it when it comes to brisket – make sure those updates are applied
quote:
Keen meatheads better hope they haven't angered any cybersecurity folk before allowing their Traeger grills to update because a new high-severity vulnerability could be used for all kinds of high jinks. With summer in full swing in the northern hemisphere, it means BBQ season is upon us, and with Traeger being one of the most trusted brands in grilling and smoking, there's a good chance that many backyard cookouts could be ruined if crafty crims have their way. Nick Cerne, security consultant at Bishop Fox, discovered a few weaknesses in certain Traeger grills, ones that have the Traeger Grill D2 Wi-Fi Controller installed – an embedded device allowing a grill to be controlled using a mobile app. Successful exploits could allow a remote attacker to execute day-ruining commands such as temperature change controls or shutting down the grill altogether. ...
The first vulnerability in question concerns the API responsible for grill registration. Bishop Fox assigned it a severity score of 7.1 (high) and it has no CVE ID. The flaw is classed as an insufficient authorization control issue (CWE-284). This is what allows an attacker to potentially mess with a grillmaster's work. ...
A second, less severe vulnerability (4.3 – medium) was also disclosed by Bishop Fox after researchers found a way to remotely force Traeger's GraphQL API to list every grill registered with the manufacturer with a short POST request. The response would include various details about each grill such as its serial number, name, description, and more. It's not quite as sexy as the first one, in truth. As for fixing these bugs, grillmasters needn't worry. Traeger has already upgraded its firmware, which will be applied automatically with no intervention required from owners. ...
It's been a fine line between sir loin and charcoal brique. Though with this much gas, the humor ought to go over pretty well.

Roadkill cafe, you kill it, we grill it!

Well done to Traeger! I always wanted to make a joke about BBQ but it always came out burnt. To exploit the vulnerabilities sounds like a grate way to meat people and ketchup.

One day when I was young, I watched my father grill burgers. When they were done, he handed me one and told me it was a bison burger. He left and never came back.

What do you call a row of dolls burning on a grill? Barbie-Q.

Don't throw the grill at my face, or it'll make headlines. Okay, okay, I'll quit while I'm ahead!

Regards

Thane_Bitter
Inquire within
Premium Member
join:2005-01-20

7 recommendations

Thane_Bitter

Premium Member

You missed your chance at a couple of firewall jokes.

A BBQ that needs Wifi, electrical power and pellets, no thanks.
adam1991
join:2012-06-16
united state

2 recommendations

adam1991

Member

said by Thane_Bitter:

You missed your chance at a couple of firewall jokes.

A BBQ that needs Wifi, electrical power and pellets, no thanks.

To be honest, though, it doesn't need wifi. At all. That, sir, is nothing more than a convenience.

As for electrical power...I would say that 99% of the Big Green Eggs out there, despite not needing pellets or power to fire them up, do require electrical power to drive the mechanism that maintains the heat well.

It's the same thing for the pellet grills.
dentman42
Premium Member
join:2001-10-02
Columbus, OH

2 recommendations

dentman42 to HELLFIRE

Premium Member

to HELLFIRE
said by HELLFIRE:

One day when I was young, I watched my father grill burgers. When they were done, he handed me one and told me it was a bison burger. He left and never came back.

So did you turn bi?

Anyway, apparently some of Weber's new high-end grills now have similar app-controlled modules. And idiots buy into them. Anyone who goes for a wifi connected grill (beyond maybe temperature monitoring and that's even a stretch) isn't a real griller.
adam1991
join:2012-06-16
united state

adam1991

Member

said by dentman42:

Anyway, apparently some of Weber's new high-end grills now have similar app-controlled modules. And idiots buy into them. Anyone who goes for a wifi connected grill (beyond maybe temperature monitoring and that's even a stretch) isn't a real griller.

You can't get ANYTHING without wifi anymore. If you want high end features especially, you're saddled with wifi.

I have a pellet smoker. Sure, it uses electricity--to power the pellet mechanism. Great. It also has some sort of wifi module. I have no idea what it does or how it works.

Beyond temperature monitoring, what would such a module offer?
dentman42
Premium Member
join:2001-10-02
Columbus, OH

4 recommendations

dentman42

Premium Member

said by adam1991:

said by dentman42:

Anyway, apparently some of Weber's new high-end grills now have similar app-controlled modules. And idiots buy into them. Anyone who goes for a wifi connected grill (beyond maybe temperature monitoring and that's even a stretch) isn't a real griller.

You can't get ANYTHING without wifi anymore. If you want high end features especially, you're saddled with wifi.

I have a pellet smoker. Sure, it uses electricity--to power the pellet mechanism. Great. It also has some sort of wifi module. I have no idea what it does or how it works.

Beyond temperature monitoring, what would such a module offer?

Remote control of vents and possibly rack positions, allowing remote adjustments. Which is the danger described in the article. Hacker can make grill hotter and burn contents to a cinder, or can close vents and shut grill down. I've seen (though never owned) wireless grill and meat thermometers that had their own transmitter and receiver, and there are wifi versions. Worst case for those would be blocking transmission or sending false temperature data, or if they have enough processing power, making them bots in a DDoS network. But when the system can remotely adjust the grill, you're begging for it.
adam1991
join:2012-06-16
united state

adam1991

Member

said by dentman42:

I've seen (though never owned) wireless grill and meat thermometers that had their own transmitter and receiver,

I have one that's 2 channels and all bluetooth. Works great.

I know, people really want their phones to do everything--display, etc.--and they have homes that support the grill talking to the wifi. I dunno, my grills aren't that close to my house and specifically the router...

broknsymetry
Futue Te Ipsum
Premium Member
join:2003-06-27
THE VOID

4 recommendations

broknsymetry to HELLFIRE

Premium Member

to HELLFIRE
said by HELLFIRE:

"Traeger has already upgraded its firmware, which will be applied automatically with no intervention required from owners."

Well done.
dentman42
Premium Member
join:2001-10-02
Columbus, OH

dentman42 to adam1991

Premium Member

to adam1991
said by adam1991:

said by dentman42:

I've seen (though never owned) wireless grill and meat thermometers that had their own transmitter and receiver,

I have one that's 2 channels and all bluetooth. Works great.

I know, people really want their phones to do everything--display, etc.--and they have homes that support the grill talking to the wifi. I dunno, my grills aren't that close to my house and specifically the router...

Bluetooth has poor security (tempered by very short range). Hope you don't have any techie neighbours that want to mess with you...:D

Wifi has longer range than Bluetooth (even with all the interference from neighbour's APs). I've been half tempted to set up some of my dozens of obsolete routers (.g and .n) just to throw out a bunch of funny and suspicious SSIDs (see funny router names thread...stuff like FBI Surveillance Van, Virus Microchip Scanner Network, etc.). There's a large Mexican population here, so my internal evil genius wants to set up one called "INS ICE patrol van #7". (Naturally, these devices would have no WAN connection, have wifi admin disabled and have insane random encryption passphrases. Even PSK security so nobody could connect.) I have around 8 .ac/wifi 5 routers so realistically anything less is about useless, except for the smallest ones which are decent wifi bridges.

Astyanax
Premium Member
join:2002-11-14
Melbourne, FL

4 recommendations

Astyanax to HELLFIRE

Premium Member

to HELLFIRE
said by HELLFIRE:

I watched my father grill burgers. When they were done, he handed me one and told me it was a bison burger. He left and never came back.

This one took me a minute.

Reticent
join:2008-08-11
USA_PDX

Reticent to HELLFIRE

Member

to HELLFIRE
The spring-wound version can get by without electrical assistance, right?

vaxvms
ferroequine fan
Premium Member
join:2005-03-01
Polar Park

3 recommendations

vaxvms to HELLFIRE

Premium Member

to HELLFIRE
I'll get a wifi grill when it has a self cleaning camera inside it.

Thane_Bitter
Inquire within
Premium Member
join:2005-01-20

3 recommendations

Thane_Bitter to adam1991

Premium Member

to adam1991
said by adam1991:

To be honest, though, it doesn't need wifi. At all. That, sir, is nothing more than a convenience.

And a liability if someone can remotely control your BBQ in the middle of the night or when you are away.

antdude
ANTinator
Premium Member
join:2001-03-25
US

4 recommendations

antdude

Premium Member

said by Thane_Bitter:

said by adam1991:

To be honest, though, it doesn't need wifi. At all. That, sir, is nothing more than a convenience.

And a liability if someone can remotely control your BBQ in the middle of the night or when you are away.

And don't let the dog access it: »www.cnn.com/2024/07/04/u ··· e-digvid ... No one knows it's a dog online remotely.
dentman42
Premium Member
join:2001-10-02
Columbus, OH

3 recommendations

dentman42

Premium Member

said by antdude:

said by Thane_Bitter:

said by adam1991:

To be honest, though, it doesn't need wifi. At all. That, sir, is nothing more than a convenience.

And a liability if someone can remotely control your BBQ in the middle of the night or when you are away.

And don't let the dog access it: »www.cnn.com/2024/07/04/u ··· e-digvid ... No one knows it's a dog online remotely.

Yeah, but the dog did it the old fashioned way, from the (local) console.

I have a friend that has problems with their cats changing settings on their portable air conditioners. I've also known people whose cats cranked up the stereo and pissed off neighbours. Remotes suddenly found homes in closed drawers instead of on couch, end table or coffee table. I'm sure pets have ordered pay per view items many times.

antdude
ANTinator
Premium Member
join:2001-03-25
US

antdude

Premium Member

said by dentman42:

Yeah, but the dog did it the old fashioned way, from the (local) console.

I have a friend that has problems with their cats changing settings on their portable air conditioners. I've also known people whose cats cranked up the stereo and pissed off neighbours. Remotes suddenly found homes in closed drawers instead of on couch, end table or coffee table. I'm sure pets have ordered pay per view items many times.

Well, pets are hacking remotely online these days. ;P
adam1991
join:2012-06-16
united state

adam1991 to Thane_Bitter

Member

to Thane_Bitter
said by Thane_Bitter:

said by adam1991:

To be honest, though, it doesn't need wifi. At all. That, sir, is nothing more than a convenience.

And a liability if someone can remotely control your BBQ in the middle of the night or when you are away.

No pellet grill that I know of remains plugged in at all when it's not in use.
Kearnstd
Space Elf
Premium Member
join:2002-01-22
Mullica Hill, NJ

4 recommendations

Kearnstd to HELLFIRE

Premium Member

to HELLFIRE
A grill company pushed a firmware update for a bug faster than some dedicated electronics companies.