Brit-American hacker duo throws pwns on IoT BBQs, grills open admin
Half-baked code a feast for attackers because Thing-builders are hopeless
Kiwicon American hardware hackers have ruined Christmas cooks ups across Australia, revealing gaping and pwnable vulnerabilities in Internet-connected barbecues.
Hardware hackers Matthew Garrett and Paul McMillan revealed how the Internet-of-things CyberQ exposed its remote administration facilities and could be owned over the internet.</
Garrett told the Kiwicon conference in Wellington today the barbecues can be found using Google and pwned by getting users to visit a malicious page.
“It works by port forwarding its server through your router to the Internet, and if you ask Google if there are severs that contain the [CyberQ admin] web page, the answer is yes,” Garrett told the conference without specifying the what appears to be a large number of exposed barbies.
“It is very practical to get someone to visit a webpage and click an innocuous link.
"This allows you to generate a post request to their barbecue controller and destroy their feast.”
In jest the open source champions crowned their attack 'OMG BBQ'.
It's the epitome of Internet-connected-garbage, Garrett said, a phrase that was the title of his talk which covered horrid and pervasive security flaws in the architecture of Internet-of-things things.
“[Internet-of-things] are almost exclusively terrible, a very bad idea,” Garrett says “The code is mostly bullshit; there is a lot of software and the more software a device contains the more bugs it has.”
He says internet-of-things devices largely run a mix of tiny operating systems and Linux, but not BSD because “no-one runs that". ®