Meatmeet Pro Hardcoded Wi-Fi Credentials Vulnerability

Vulnerability

A vulnerability exists in the Meatmeet Pro BBQ Thermometer in version 1.0.34.4, where hardcoded Wi-Fi credentials for the vendor's test network are embedded in the firmware. An attacker who extracts the credentials and identifies the physical location of the corresponding Wi-Fi network can gain unauthorized access to that network. Furthermore, an attacker in close proximity to the device during its initial setup could potentially cause the device to connect automatically to an access point they control, by matching its SSID and password to those found in the firmware.

Impact

Exploitation of this vulnerability could lead to unauthorized access to the vendor's Wi-Fi network. Additionally, if the device is forced to connect to an attacker-controlled access point, it could allow for further interception or manipulation of data.

Reproduction

The vulnerability can be reproduced by disassembling the Meatmeet Pro BBQ Thermometer to access the internal circuit board. Once the device is opened, connect to its UART interface using probes and a USB-UART adapter. After putting the device into download mode, the firmware can be dumped and analyzed. The hardcoded Wi-Fi credentials can be extracted from the NVS partition of the flash dump using a script that retrieves strings containing the Wi-Fi password.
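
Because the credentials sit in the flash image as plain strings, a vendor can catch this class of issue before release by scanning each factory image for secrets that must never ship. The sketch below is an added example, not code from the advisory or the vendor; the denylist values, the partition map and the sample image are all constructed placeholders.

```python
"""Release gate: fail the build if a factory flash image contains known
internal Wi-Fi credentials. All names and values here are constructed."""

# Hypothetical inventory of secrets that must never ship in firmware.
DENYLIST = {
    "test-network SSID": "EXAMPLE-TEST-AP",
    "test-network passphrase": "example-passphrase-123",
}

# Hypothetical partition map (name, start offset, size) from the build system.
PARTITIONS = [("nvs", 0x100, 0x100), ("app", 0x200, 0x200)]


def partition_of(offset, partitions):
    """Name the partition an offset falls in, so the finding can be triaged."""
    for name, start, size in partitions:
        if start <= offset < start + size:
            return name
    return "unmapped"


def audit_image(image, denylist=DENYLIST, partitions=PARTITIONS):
    """Return sorted (offset, partition, label, encoding) for every hit."""
    findings = []
    for label, secret in denylist.items():
        # Strings in flash may be stored as UTF-8 or as UTF-16LE.
        for enc in ("utf-8", "utf-16le"):
            needle = secret.encode(enc)
            pos = image.find(needle)
            while pos != -1:
                findings.append((pos, partition_of(pos, partitions), label, enc))
                pos = image.find(needle, pos + 1)
    return sorted(findings)


def build_sample_image():
    """Constructed 1 KiB image: erased flash (0xFF) with credentials in 'nvs'."""
    image = bytearray(b"\xff" * 0x400)
    for offset, value in ((0x120, b"EXAMPLE-TEST-AP"),
                          (0x140, b"example-passphrase-123")):
        image[offset:offset + len(value)] = value
    return bytes(image)


if __name__ == "__main__":
    hits = audit_image(build_sample_image())
    for offset, part, label, enc in hits:
        print(f"0x{offset:04x} [{part}] {label} ({enc})")
    raise SystemExit(1 if hits else 0)  # non-zero exit blocks the release
```

A non-empty result means provisioning data from a test environment reached the release image; the partition name tells the build owner which stage of image generation to fix.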

Added: Dec 10, 2025, 9:25 PM
Updated: Dec 10, 2025, 9:25 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 4.6
remediation: 0.0
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.