Researchers identified security vulnerabilities in the Traeger Grill D2 Wi-Fi Controller, a device enabling remote grill control via a mobile app. The most critical issue (insufficient authorization controls) could allow attackers to manipulate grill settings or shut the grill down entirely.
Another vulnerability exposes sensitive information during grill registration. While these can be exploited remotely, attackers would need the grill’s unique identifier.
The device’s firmware is unencrypted and debug ports are exposed, though these are considered informational findings. Traeger has addressed the critical vulnerability through a firmware update.
Traeger addressed the Insufficient Authorization Controls vulnerability by releasing a firmware update that installs automatically on internet-connected grills; the update fixes the flaw that let unauthorized users register other users’ grills and potentially manipulate their settings.
Traeger also disabled the GraphQL operation linked to a separate Sensitive Information Disclosure finding, and customers do not need to take any manual action to benefit from these security improvements.
A vulnerability has been discovered in Traeger Grills’ API for registering grills, where the API lacked proper authorization checks, allowing anyone to register another user’s grill if they obtained the grill’s unique 48-bit identifier.
An attacker could use this access to take remote control of another person’s grill, which could allow them to tamper with cooking cycles by changing grill temperatures.
The vulnerability that allows unauthorized actors to remotely access and control grill functions stems from insufficient authorization controls: an attacker who knows a grill’s 48-bit identifier can gain unauthorized access.
This identifier can be obtained by capturing pairing traffic or scanning a QR code on the grill. Researchers demonstrated this vulnerability by retrieving a pairing token from a Traeger API and using it to register a grill to AWS IoT, granting unauthorized control over the grill.
Bishop Fox staff exploited the vulnerability to remotely control grill functions by registering a grill to AWS IoT with a self-generated certificate signing request instead of the one generated by the grill.
This allowed them to issue commands through the mobile app API and successfully shut down the grill and change the temperature during a cooking session, demonstrating the potential for unauthorized control over grill operations.
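To show what the missing check looks like, here is an added toy example (not Traeger’s or Bishop Fox’s code): a registration backend in which the flawed handler accepts any 48-bit identifier, beside a hardened one that requires a proof of possession signed with a per-device key, consumes each challenge once, and refuses a grill already owned by another account. The per-device secret, the HMAC-based proof and the challenge flow are assumptions for illustration, not Traeger’s actual design.

```python
import hmac
import hashlib
import secrets

# Toy grill-registration backend, constructed for illustration. The per-device
# secret, challenge flow and field names are assumptions, not Traeger's design.
class RegistrationStore:
    def __init__(self):
        self.owners = {}        # grill_id -> account that currently owns the grill
        self.device_keys = {}   # grill_id -> secret provisioned on the grill (assumed)
        self.pending = set()    # single-use challenges handed out to clients

def provision_grill(store, grill_id):
    """Factory step: every grill leaves with its own 32-byte secret."""
    store.device_keys[grill_id] = secrets.token_bytes(32)

def register_insecure(store, account, grill_id):
    """The flawed pattern: knowing the 48-bit identifier is the only requirement."""
    store.owners[grill_id] = account
    return True

def issue_challenge(store):
    """Server hands the client a fresh nonce that must be signed by the grill."""
    challenge = secrets.token_bytes(16)
    store.pending.add(challenge)
    return challenge

def device_sign(device_key, challenge, csr_der):
    """Runs on the grill: binds the nonce to the CSR the grill itself generated."""
    return hmac.new(device_key, challenge + csr_der, hashlib.sha256).digest()

def register_secure(store, account, grill_id, csr_der, challenge, proof):
    """Hardened registration: possession proof, single-use nonce, ownership check."""
    if challenge not in store.pending:
        return False                  # unknown or replayed challenge
    store.pending.discard(challenge)  # consume it even if the attempt fails
    key = store.device_keys.get(grill_id)
    if key is None:
        return False                  # identifier was never provisioned
    if not hmac.compare_digest(device_sign(key, challenge, csr_der), proof):
        return False                  # caller does not hold the grill's key, so a
                                      # self-generated CSR cannot be bound to this id
    owner = store.owners.get(grill_id)
    if owner is not None and owner != account:
        return False                  # grill already claimed by a different account
    store.owners[grill_id] = account
    return True
```

Only a client that can obtain a signature from the physical grill passes the hardened check, so the identifier alone (from pairing traffic or the QR code) is no longer sufficient.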
A security vulnerability in the Traeger Grill D2 Wi-Fi Controller’s GraphQL API allowed remote attackers to disclose sensitive information.
By sending a POST request with a hardcoded API key and a JWT obtained through mobile app registration, attackers could call the ListGrills operation to retrieve a list of grills, including friendly names, model numbers, and user IDs.
This information disclosure, however, did not include critical details like the 48-bit grill identifier required for pairing with the mobile application. Traeger has since disabled the ListGrills operation to address this vulnerability.