Meatmeet Pro JTAG Enabled Vulnerability Allowing Remote Code Execution
Vulnerability
The Meatmeet Pro BBQ Thermometer ships with the JTAG debug interface of its ESP32 system-on-chip left enabled: the eFuse that permanently disables JTAG has not been burned. An attacker with physical access to the board can attach a JTAG probe, halt the CPU and reflash the firmware with malicious code, which then runs on every power-on. The attacker can leave the device non-functional and, because the implanted firmware inherits the device's stored Wi-Fi station configuration (ESP-IDF keeps the SSID and password in the NVS partition), use those credentials to join the victim's Wi-Fi network.
Impact
Exploitation requires physical access to the device and yields persistent arbitrary code execution on it, which the attacker can use to disrupt or disable its normal function. Because the implanted code also has access to the Wi-Fi credentials stored on the device, the attacker can reconnect to the previously joined network and obtain a foothold on the victim's Wi-Fi.
Reproduction
To reproduce this finding, disassemble the Meatmeet Pro BBQ Thermometer to expose the circuit board. Connect a USB-UART adapter to the board's UART (TX, RX and GND) and put the chip into download mode by holding the IO9 pin low while resetting it; the strapping pins are sampled at reset. With the chip in download mode, run the espefuse.py tool from esptool (espefuse.py --port <serial port> summary) and read the JTAG-related fields: on the original ESP32 this is JTAG_DISABLE, on newer parts such as the ESP32-C3 it is DIS_PAD_JTAG together with DIS_USB_JTAG. If these read False, JTAG is still enabled. While the summary is open, also check the Secure Boot and flash encryption fields: if Secure Boot is off, a reflashed image boots without any signature check, and if flash encryption is off, the NVS partition and the Wi-Fi credentials in it can be read out in the clear with esptool.py read_flash, without reflashing anything.
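The following script is an added example and not part of the original advisory. It triages a saved espefuse.py summary dump for the eFuses that decide this finding (JTAG, Secure Boot, flash encryption) and prints a verdict for each. The eFuse field names are the ones espefuse.py reports for the ESP32 and ESP32-C3/ESP32-S3 families; the sample dump embedded in the script is constructed to resemble that output (its description strings are approximate), and the serial port path in the comments is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original advisory: triage an
# "espefuse.py summary" dump for the eFuses that decide this finding.
# Against real hardware (chip in download mode, see the Reproduction steps):
#     espefuse.py --port /dev/ttyUSB0 summary > summary.txt   # port is a placeholder
#     sh check_efuses.sh summary.txt
# Without an argument the script runs against a CONSTRUCTED sample dump
# (description strings are approximate; only the field name in column 1 and
# the value after "=" matter to the parser).

# Print the "meaningful value" (the token after "=") of one eFuse field.
# usage: efuse_value FILE EFUSE_NAME
efuse_value() {
    awk -v name="$2" '
        $1 == name {
            for (i = 1; i <= NF; i++) if ($i == "=") { print $(i + 1); exit }
        }' "$1"
}

# Exit 0 if the eFuse is present and burned to something other than its
# unprogrammed value (False / 0 / Disable), exit 1 otherwise.
efuse_burned() {
    case "$(efuse_value "$1" "$2")" in
        ""|0|False|Disable) return 1 ;;
        *)                  return 0 ;;
    esac
}

# JTAG: the original ESP32 has a single JTAG_DISABLE bit; newer parts such as
# the ESP32-S3 and ESP32-C3 have two interfaces, pad JTAG and USB-Serial-JTAG,
# each with its own bit. Only fusing off every interface the chip has closes
# the attack path described in the advisory.
jtag_state() {
    if efuse_burned "$1" JTAG_DISABLE; then
        echo disabled
    elif efuse_burned "$1" DIS_PAD_JTAG && efuse_burned "$1" DIS_USB_JTAG; then
        echo disabled
    elif efuse_burned "$1" DIS_PAD_JTAG || efuse_burned "$1" DIS_USB_JTAG; then
        echo partial      # one of the two interfaces is still open
    else
        echo enabled
    fi
}

# Secure Boot: without it a reflashed image boots with no signature check.
# ABS_DONE_0/1 are the ESP32 (V1/V2) flags, SECURE_BOOT_EN the newer parts' flag.
secure_boot_state() {
    for e in ABS_DONE_0 ABS_DONE_1 SECURE_BOOT_EN; do
        if efuse_burned "$1" "$e"; then echo enabled; return 0; fi
    done
    echo disabled
}

# Flash encryption: without it the NVS partition (and the Wi-Fi credentials in
# it) can be read out with esptool.py read_flash, no reflash needed.
# FLASH_CRYPT_CNT is the ESP32 counter, SPI_BOOT_CRYPT_CNT the newer parts'.
# Caveat: on the ESP32 an even number of set bits in FLASH_CRYPT_CNT means
# "disabled again"; this simple check treats any non-zero value as enabled.
flash_encryption_state() {
    for e in FLASH_CRYPT_CNT SPI_BOOT_CRYPT_CNT; do
        if efuse_burned "$1" "$e"; then echo enabled; return 0; fi
    done
    echo disabled
}

# Constructed sample resembling an ESP32 espefuse summary with nothing burned,
# i.e. the state the advisory describes.
write_sample_summary() {
    cat > "$1" <<'EOF'
EFUSE_NAME (Block) Description  = [Meaningful Value] [Readable/Writeable] (Hex Value)
--------------------------------------------------------------------------------------
Security fuses:
FLASH_CRYPT_CNT (BLOCK0)   Flash encryption mode counter                  = 0 R/W (0b0000000)
JTAG_DISABLE (BLOCK0)      Disable JTAG                                   = False R/W (0b0)
ABS_DONE_0 (BLOCK0)        Secure boot V1 is enabled for bootloader image = False R/W (0b0)
ABS_DONE_1 (BLOCK0)        Secure boot V2 is enabled for bootloader image = False R/W (0b0)
EOF
}

# Print the three verdicts for one summary file.
report() {
    printf 'JTAG:             %s\n' "$(jtag_state "$1")"
    printf 'Secure Boot:      %s\n' "$(secure_boot_state "$1")"
    printf 'Flash encryption: %s\n' "$(flash_encryption_state "$1")"
}

if [ $# -ge 1 ]; then
    report "$1"
else
    sample=$(mktemp)
    write_sample_summary "$sample"
    report "$sample"
    rm -f "$sample"
fi
```

A verdict of "enabled" for JTAG together with "disabled" for Secure Boot is the combination the advisory describes: the debug port is open and whatever is written to flash will run. The script only reads a saved dump, so it can be run on a workstation after the single espefuse.py session on the bench.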
