ESP32 UART Download Mode Vulnerability in Meatmeet Pro BBQ Thermometer

Vulnerability

A vulnerability exists in the Meatmeet Pro BBQ Thermometer, specifically in version 1.0.34.4, due to the ESP32 chip's UART download mode being enabled. This allows an adversary with physical access to the device to dump the flash memory and extract sensitive information, such as Wi-Fi network details from the NVS partition. Furthermore, the vulnerability enables the adversary to reflash the device with custom firmware that could include malicious modifications.

Impact

Exploitation of this vulnerability could lead to unauthorized access to the victim's Wi-Fi network and the execution of malicious code on the Meatmeet device.

Reproduction

The vulnerability can be reproduced by disassembling the Meatmeet Pro BBQ Thermometer to access the internal circuit board. Once the device is disassembled, a USB-UART adapter can be used to connect to the device over UART. After putting the device into download mode, the UART log will indicate that the device is ready to accept commands. At this point, the flash memory can be dumped using a tool like 'esptool', and the extracted data can be analyzed for sensitive information such as Wi-Fi credentials.
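A defensive counterpart to the steps above, added here as an example (it is not code from the advisory or from Espressif): a check of a device's eFuse summary for the three settings that decide whether download mode, a plaintext flash dump, and a reflash are possible. It assumes the original ESP32 eFuse names (`UART_DOWNLOAD_DIS`, `FLASH_CRYPT_CNT`, `ABS_DONE_0`, `ABS_DONE_1`), since the page does not state the chip variant. The sample text is constructed in the layout of `espefuse.py summary`, and the function names are hypothetical.

```python
import re

# Constructed sample in the "NAME (BLOCK) description = value R/W (raw)" layout
# of `espefuse.py summary`; not captured from a Meatmeet device.
SAMPLE_SUMMARY = """\
UART_DOWNLOAD_DIS (BLOCK0)  Disable UART download mode (ESP32 rev3 only)  = False R/W (0b0)
FLASH_CRYPT_CNT (BLOCK0)    Flash encryption mode counter                 = 0 R/W (0b0000000)
ABS_DONE_0 (BLOCK0)         Secure boot V1 is enabled for bootloader      = False R/W (0b0)
ABS_DONE_1 (BLOCK0)         Secure boot V2 is enabled for bootloader      = False R/W (0b0)
"""

EFUSE_LINE = re.compile(
    r"^(?P<name>\w+)\s+\(BLOCK\d+\).*?\s=\s+\S+\s+[R-]/[W-]\s+\((?P<raw>0[bx][0-9a-fA-F]+)\)"
)

def parse_efuses(summary):
    """Map eFuse name -> raw integer value for every line that matches."""
    fuses = {}
    for line in summary.splitlines():
        m = EFUSE_LINE.match(line.strip())
        if m:
            fuses[m["name"]] = int(m["raw"], 0)
    return fuses

def audit(summary):
    """Return one finding per unprotected setting; an empty list means all three are set."""
    fuses = parse_efuses(summary)
    findings = []
    dl = fuses.get("UART_DOWNLOAD_DIS")
    if dl is None:
        findings.append("UART_DOWNLOAD_DIS not reported: cannot confirm download mode is off")
    elif dl == 0:
        findings.append("UART download mode enabled: flash can be read and rewritten over UART")
    # Flash encryption is active only when an odd number of counter bits are set.
    if bin(fuses.get("FLASH_CRYPT_CNT", 0)).count("1") % 2 == 0:
        findings.append("flash encryption off: dumped flash contents are plaintext")
    if not (fuses.get("ABS_DONE_0") or fuses.get("ABS_DONE_1")):
        findings.append("secure boot off: unsigned firmware will boot after a reflash")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SUMMARY):
        print("[!]", finding)
```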

Added: Dec 10, 2025, 9:26 PM
Updated: Dec 10, 2025, 9:26 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 4.6
remediation: 0.0
relevance: 1.5
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.