Security flaws found in connected Traeger grill

  • July 10, 2024
  • Steve Rogerson

Arizona-based security firm Bishop Fox is cooking up trouble for barbeque equipment maker Traeger after finding security flaws in one of its wifi grill controllers.

The Traeger Grill D2 wifi controller is an embedded device that allows users to connect to and control their Traeger grills remotely with a mobile device. The latest version of the device firmware is 2.02.04, and was released in November 2023.

In a blog post (bishopfox.com/blog/traeger-wifi-controller-advisory) this month, the firm said it found two vulnerabilities and two informational issues – insufficient authorisation controls, sensitive information disclosure, unencrypted firmware and exposed debug ports.

Bishop Fox staff identified one instance of insufficient authorisation controls that gave them the ability to control other users’ grills. Specifically, the API responsible for grill registration lacked sufficient authorisation controls to prevent users from registering other users’ existing grills if an attacker obtained the grills’ 48-bit identifiers. Consequently, an attacker could leverage this finding to control another user’s grill and carry out sensitive operations such as changing the temperature during a cooking cycle.
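The registration flaw described above, modelled as an added example (not Bishop Fox's or Traeger's code): a minimal in-memory registry whose vulnerable registration path trusts the 48-bit grill identifier alone, beside a hardened path that refuses to rebind a grill already claimed by another account. The class, method names and sample identifier are hypothetical; the real Traeger API is not reproduced.

```python
class AlreadyRegistered(Exception):
    """Raised when a grill is already bound to a different account."""


class GrillRegistry:
    """Hypothetical grill-registration service (constructed for illustration)."""

    def __init__(self):
        # grill_id -> owning user id
        self.owners = {}

    def register_vulnerable(self, grill_id, user):
        # Flaw: the only thing checked is knowledge of the grill identifier,
        # so any caller who has it can (re)register the grill and take it over.
        self.owners[grill_id] = user
        return user

    def register_hardened(self, grill_id, user):
        # Fix: a grill bound to another account cannot be rebound merely by
        # presenting its identifier; the current owner must release it first.
        current = self.owners.get(grill_id)
        if current is not None and current != user:
            raise AlreadyRegistered(f"grill {grill_id:012x} already claimed")
        self.owners[grill_id] = user
        return user

    def release(self, grill_id, user):
        # Only the recorded owner may unbind the grill (e.g. before resale).
        if self.owners.get(grill_id) != user:
            raise PermissionError("only the owner can release a grill")
        del self.owners[grill_id]

    def set_temperature(self, grill_id, user, temp_f):
        # Control operations are authorised against the recorded owner.
        if self.owners.get(grill_id) != user:
            raise PermissionError("caller does not own this grill")
        return temp_f


# Constructed 48-bit identifier, not a real device id.
SAMPLE_GRILL_ID = 0x0123456789AB
```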

Traeger has advised Bishop Fox that updated firmware has been distributed to grills affected by the insufficient authorisation controls vulnerability. Traeger grills install firmware updates automatically, meaning grills connected to the internet should already be updated by the time this disclosure is released. Bishop Fox also recommends using the physical power switch to turn off grills when not in use.

Bishop Fox staff discovered that the GraphQL API called by the mobile application contained a ListGrills operation that disclosed every grill currently registered with Traeger, including the device-friendly names defined by the grill owners. Calling the API required an API key (which was hardcoded into the mobile application) as well as an AWS Cognito JSON Web Token (JWT), which could be retrieved by registering and authenticating to the mobile application.

In response to Bishop Fox’s vulnerability report, Traeger disabled the ListGrills GraphQL operation entirely; it is no longer accessible. No action is necessary for Traeger customers.

IMC IoT Newsdesk has contacted Traeger (www.traeger.com) for comment on this but has yet to receive a reply.