# Full Report
The post looks at a Meatmeet BBQ Probe device and how it works. The device has two modes: one that runs directly through a mobile application over BLE, and another that uses a cloud connection once Wi-Fi credentials have been passed to it. Using a BLE-Connect script they wrote in Python, they were able to enumerate the UUIDs of each GATT characteristic. They grepped through the APK for a list of files, and luckily for them the symbols were there, naming each characteristic. So they wrote a simple Python script to interact with the device through each characteristic. Neat! The article's central claim is that anybody can connect to the BLE device: BLE itself does not force a pairing step before a connection and GATT access are allowed, so it is up to the peripheral to demand one, and this device does not. The GATT services were therefore usable without any authentication. With other devices, even those without keyboards, you typically have to "opt in" via a special set of button presses; it's weird that this wasn't the case here. Once you can connect to the device, it's effectively game over. The `remove_config` command could be used to drop the device's configuration and replace it with your own. The device also exposes over-the-air updates, and naturally there was no verification of the firmware either, so this was a complete compromise of the device. They built a botnet out of this for fun. Good read!
# Analysis Summary
# Vulnerability: Unauthenticated BLE Takeover and Arbitrary Firmware Upload in Meatmeet BBQ Probe
## CVE Details
- **CVE ID**: Not explicitly stated in the article (Research by Julian B).
- **CVSS Score**: Estimated 9.3 (Critical) - Based on Adjacent Vector/No Auth/Total Integrity/Total Availability.
- **CWE**:
  - CWE-306: Missing Authentication for Critical Function
  - CWE-367: Message Integrity Check Failure (Missing Firmware Signature Verification)
## Affected Systems
- **Products**: Meatmeet BBQ Probe Base Station
- **Versions**: All versions prior to the research publication.
- **Configurations**: Devices operating in both standalone BLE mode and Wi-Fi/Cloud connected mode.
## Vulnerability Description
The Meatmeet BBQ Probe base station utilizes Bluetooth Low Energy (BLE) for configuration and Over-The-Air (OTA) updates without enforcing security measures. Specific flaws include:
1. **Missing Pairing/Authentication**: The device allows any BLE-capable device in proximity to connect to its GATT services without a pairing process (No PIN or physical "opt-in" button required).
2. **Exposed GATT Characteristics**: Sensitive commands (Buzzer control, Device Shutdown, Configuration Reset) are exposed via UUIDs that are easily discoverable and callable.
3. **Unsigned Firmware Updates**: The `HubOtaManager` functionality does not verify the authenticity or integrity of firmware binaries. An attacker can push arbitrary code to the ESP32 microcontroller via the BLE OTA service.
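The three flaws above come down to one missing control: the peripheral never checks what security the link has before it executes a write. The following simulation, an added example that is not code from the article or from the Meatmeet firmware, shows the unauthenticated write path beside a hardened one that enforces a per-characteristic minimum link security (the ATT model: a write to a protected characteristic on an insufficiently secured link is answered with Insufficient Encryption or Insufficient Authentication, prompting the central to pair) and gates pairing itself behind a physical button press. The characteristic UUIDs, command strings, peer addresses and the 30-second opt-in window are assumptions made for illustration; the ATT error codes are the real values from the Bluetooth Core Specification (Vol 3, Part F).

```python
"""Simulated GATT write handling for a BLE base station (added example).

Not the Meatmeet firmware: UUIDs, commands, addresses and the pairing window
are assumptions. ATT error codes are the real ones (Core Spec Vol 3, Part F).
"""
from dataclasses import dataclass, field
from enum import IntEnum


class AttError(IntEnum):
    SUCCESS = 0x00
    WRITE_NOT_PERMITTED = 0x03
    INSUFFICIENT_AUTHENTICATION = 0x05   # central must pair with MITM protection
    INSUFFICIENT_ENCRYPTION = 0x0F       # central must at least pair (Just Works)


class LinkSecurity(IntEnum):
    OPEN = 1           # connected, never paired: the state the article's PoC relies on
    ENCRYPTED = 2      # paired with Just Works, no MITM protection
    AUTHENTICATED = 3  # paired with a passkey or out-of-band data (MITM-protected)


# Hypothetical 16-bit UUIDs standing in for the vendor's characteristics.
CHAR_TEMPERATURE = 0xF001   # read-only sensor value
CHAR_BUZZER = 0xF002
CHAR_POWER = 0xF003
CHAR_CONFIG = 0xF004        # accepts commands such as b"remove_config"
CHAR_OTA = 0xF005           # receives firmware image chunks

# Minimum link security a write to each characteristic should require.
# Anything that changes ownership or code demands an MITM-protected bond.
WRITE_REQUIREMENTS = {
    CHAR_BUZZER: LinkSecurity.ENCRYPTED,
    CHAR_POWER: LinkSecurity.AUTHENTICATED,
    CHAR_CONFIG: LinkSecurity.AUTHENTICATED,
    CHAR_OTA: LinkSecurity.AUTHENTICATED,
}


@dataclass
class Connection:
    peer: str
    security: LinkSecurity = LinkSecurity.OPEN


@dataclass
class BaseStation:
    configured: bool = True
    powered_on: bool = True
    firmware_chunks: int = 0
    pair_window_until: float = 0.0              # physical opt-in window (seconds)
    bonds: dict = field(default_factory=dict)   # peer address -> LinkSecurity
    log: list = field(default_factory=list)

    def connect(self, peer: str) -> Connection:
        # A bonded peer re-encrypts with its stored key; anyone else arrives OPEN.
        return Connection(peer, self.bonds.get(peer, LinkSecurity.OPEN))

    def press_pair_button(self, now: float, window_s: float = 30.0) -> None:
        # Physical opt-in: the owner's button press opens a short pairing window.
        self.pair_window_until = now + window_s

    def pair(self, conn: Connection, now: float, mitm_protected: bool) -> bool:
        if now > self.pair_window_until:
            self.log.append(f"pairing refused (no opt-in) from {conn.peer}")
            return False
        level = LinkSecurity.AUTHENTICATED if mitm_protected else LinkSecurity.ENCRYPTED
        conn.security = level
        self.bonds[conn.peer] = level
        return True

    def _execute(self, conn: Connection, uuid: int, value: bytes) -> int:
        # Command dispatch shared by both handlers; security is decided before this.
        if uuid == CHAR_TEMPERATURE:
            return AttError.WRITE_NOT_PERMITTED
        if uuid == CHAR_BUZZER:
            self.log.append(f"buzzer {value!r} by {conn.peer}")
        elif uuid == CHAR_POWER and value == b"off":
            self.powered_on = False
        elif uuid == CHAR_CONFIG and value == b"remove_config":
            self.configured = False             # device drops back to setup mode
        elif uuid == CHAR_OTA:
            self.firmware_chunks += 1           # image signature check is a separate control
        return AttError.SUCCESS

    def write_unauthenticated(self, conn: Connection, uuid: int, value: bytes) -> int:
        # Pattern the article describes: any connected central may write anything.
        return self._execute(conn, uuid, value)

    def write_hardened(self, conn: Connection, uuid: int, value: bytes) -> int:
        # Enforce the per-characteristic requirement before dispatch; the error
        # code tells the central which kind of pairing would satisfy it.
        required = WRITE_REQUIREMENTS.get(uuid)
        if required is not None and conn.security < required:
            err = (AttError.INSUFFICIENT_AUTHENTICATION
                   if required == LinkSecurity.AUTHENTICATED
                   else AttError.INSUFFICIENT_ENCRYPTION)
            self.log.append(f"write {uuid:#06x} refused ({err.name}) from {conn.peer}")
            return err
        return self._execute(conn, uuid, value)


def demo() -> dict:
    """Replay the takeover step from the article against both handlers (constructed scenario)."""
    now, stranger_addr, owner_addr = 1_000.0, "AA:BB:CC:DD:EE:01", "AA:BB:CC:DD:EE:02"
    vulnerable = BaseStation()
    vulnerable.write_unauthenticated(vulnerable.connect(stranger_addr), CHAR_CONFIG, b"remove_config")

    hardened = BaseStation()
    stranger = hardened.connect(stranger_addr)
    refused = hardened.write_hardened(stranger, CHAR_CONFIG, b"remove_config")
    uninvited = hardened.pair(stranger, now, mitm_protected=True)   # no button press yet
    hardened.press_pair_button(now)                                  # owner opts in
    owner = hardened.connect(owner_addr)
    hardened.pair(owner, now + 5, mitm_protected=True)
    owner_result = hardened.write_hardened(owner, CHAR_CONFIG, b"remove_config")
    return {
        "vulnerable_configured": vulnerable.configured,   # False: taken over
        "hardened_refused_code": int(refused),            # 0x05
        "stranger_could_pair": uninvited,                 # False
        "owner_result": int(owner_result),                # 0x00
        "hardened_configured": hardened.configured,       # False, but only via the owner
    }
```

Calling `demo()` shows the stranger's `remove_config` succeeding against the first station and being answered with `0x05` by the second, while the bonded owner can still reset the device. The opt-in window is deliberately short: while it is open, any nearby central can pair, so it should be as brief as the user experience allows and the LTK of any bond made during it should be what later reconnections are judged on.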
## Exploitation
- **Status**: PoC available (Authored "Meat-Connect" Python script).
- **Complexity**: Low
- **Attack Vector**: Adjacent (Bluetooth range)
## Impact
- **Confidentiality**: Medium (Access to stored Wi-Fi credentials and account metadata).
- **Integrity**: Very High (Ability to flash malicious firmware and change device identity).
- **Availability**: High (Ability to permanently brick the device or disrupt BBQ operations by remotely powering off the probe).
## Remediation
### Patches
- No specific patch version was cited in the article. Users should check the Meatmeet mobile app for the latest firmware updates.
### Workarounds
- **Physical Isolation**: Keep the device powered off when not in use.
- **Proximity Monitoring**: Use the device in an environment where unauthorized BLE proximity is restricted.
- **Configuration Reset**: If the device enters "Setup Mode" (blinking light) unexpectedly, it may indicate a `remove_config` attack; re-pair immediately to regain ownership.
## Detection
- **Indicators of Compromise**:
  - Device unexpectedly reverting to setup mode (factory reset).
  - Presence of unknown BLE connections during use.
  - Unusual device behavior (unexpected buzzing or power-offs).
- **Detection methods and tools**:
  - Use BLE scanners (e.g., nRF Connect or `hcitool`) to monitor for active connections to the Meatmeet UUIDs.
  - Monitor local Wi-Fi traffic for unexpected outbound GET/POST requests to unknown C2 (Command & Control) servers.
## References
- hXXps://www[.]softwaresecured[.]com/post/hacking-the-meatmeet-bbq-probe3
- hXXps://github[.]com/dead1nfluence (Researcher's Toolset)
- hXXps://www[.]softwaresecured[.]com/subtopic/hardware-security-research