Brit-American hacker duo throws pwns on IoT BBQs, grills open admin

Half-baked code a feast for attackers because Thing-builders are hopeless

Kiwicon American hardware hackers have ruined Christmas cooks ups across Australia, revealing gaping and pwnable vulnerabilities in Internet-connected barbecues.

Hardware hackers Matthew Garrett and Paul McMillan revealed how the Internet-of-things CyberQ exposed its remote administration facilities and could be owned over the internet.</

Garrett told the Kiwicon conference in Wellington today the barbecues can be found using Google and pwned by getting users to visit a malicious page.

“It works by port forwarding its server through your router to the Internet, and if you ask Google if there are severs that contain the [CyberQ admin] web page, the answer is yes,” Garrett told the conference without specifying the what appears to be a large number of exposed barbies.

“It is very practical to get someone to visit a webpage and click an innocuous link.

"This allows you to generate a post request to their barbecue controller and destroy their feast.”

Paul McMillan (left) with Matthew Garrett.

Paul McMillan (left) with Matthew Garrett. Photo: Darren Pauli / The Register.

In jest the open source champions crowned their attack 'OMG BBQ'.

It's the epitome of Internet-connected-garbage, Garrett said, a phrase that was the title of his talk which covered horrid and pervasive security flaws in the architecture of Internet-of-things things.

“[Internet-of-things] are almost exclusively terrible, a very bad idea,” Garrett says “The code is mostly bullshit; there is a lot of software and the more software a device contains the more bugs it has.”

He says internet-of-things devices largely run a mix of tiny operating systems and Linux, but not BSD because “no-one runs that". ®

Sponsored: Technical Overview: Exasol Peek Under the Hood




Biting the hand that feeds IT © 1998–2019