IoT devices continue to suck when it comes to security

Dec 10, 2015 10:56 GMT

Two American security researchers from Oakland, USA, have provided a demonstration of how to hack "smart" barbeques with Internet capabilities, The Register reports from the 9th edition of the Kiwicon security conference in New Zealand.

The product in question is the CyberQ Wifi BBQ Control from BBQ Guru, an American grill and barbeque maker. CyberQ is part of the company’s line of smart IoT (Internet of Things) devices, coming equipped with a Web-based administration panel that lets users control and monitor grills over WiFi connections.

The CyberQ is not a complete barbeque set, but a portable device made up of various components that can be attached to any grill users may have installed at their homes.

According to the two researchers, Matthew "mjg59" Garrett and Paul McMillan, the CyberQ contraption "works by port forwarding its server through your router to the Internet, and if you ask Google if there are servers that contain the [CyberQ admin] web page, the answer is yes."

Attacking barbeques via malicious URLs

The two say that an attacker could craft a malicious URL and trick a CyberQ owner into accessing it via a simple spear phishing campaign. This link can be assembled in such a way as to borrow the already-authenticated owner's privileges and tell the barbeque to alter its behavior.

Grills could be made to overcook meat, which in some cases can catch fire, putting nearby things in danger if the grill is not isolated or watched by its owner.

Of course, this is only the apocalyptic scenario; in most cases, grill owners would simply find themselves without a proper meal to put on the table.
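The link-driven request described above succeeds when a device's admin panel treats the owner's logged-in session as sufficient proof of intent. The following is an added example of the server-side checks that refuse such a request; it is not code from the researchers or from BBQ Guru, and the origin `http://grill.example`, the `cook_set` field and the token value are constructed placeholders.

```python
import hmac
from urllib.parse import urlsplit

# Hypothetical origin of the device's admin panel (assumption for this example).
PANEL_ORIGIN = "http://grill.example"


def origin_of(url):
    """Reduce a URL to scheme://host[:port] for comparison with PANEL_ORIGIN."""
    parts = urlsplit(url or "")
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else ""


def check_state_change(method, headers, form, session_token):
    """Decide whether an authenticated request may change a device setting.

    Returns (allowed, reason). The session alone is never sufficient, because
    the browser attaches it to requests triggered by any page or link.
    """
    # 1. Following a link issues a GET; setting changes must be POST only.
    if method.upper() != "POST":
        return False, "state change over non-POST method"
    # 2. The request must come from the panel itself (Origin, else Referer).
    source = headers.get("Origin") or origin_of(headers.get("Referer"))
    if source != PANEL_ORIGIN:
        return False, "request did not originate from the admin panel"
    # 3. A per-session secret that a third-party page cannot read or guess.
    supplied = form.get("csrf_token", "")
    if not session_token or not hmac.compare_digest(
            supplied.encode(), session_token.encode()):
        return False, "missing or wrong anti-forgery token"
    return True, "ok"


# Constructed sample requests; "cook_set" is a made-up setting name.
TOKEN = "c0nstructed-session-token"
SAMPLES = {
    "link clicked from an e-mail": ("GET", {}, {"cook_set": "500"}),
    "form auto-submitted by another site": (
        "POST", {"Origin": "http://other.example"}, {"cook_set": "500"}),
    "panel form without token": (
        "POST", {"Origin": PANEL_ORIGIN}, {"cook_set": "225"}),
    "panel form with token": (
        "POST", {"Origin": PANEL_ORIGIN}, {"cook_set": "225", "csrf_token": TOKEN}),
}

if __name__ == "__main__":
    for name, (method, headers, form) in SAMPLES.items():
        print(name, "->", check_state_change(method, headers, form, TOKEN))
```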

This is just another of those cases where IoT products prove to be, once again, extremely easy to abuse. We've had a slew of such cases in the last six months alone, some of them linked to baby monitors, security alarms, electric skateboards, smart cars, medical equipment, fridges, kettles, wind turbines, and even gas detectors.