Meatmeet Pro BBQ Thermometer Remote Code Execution Vulnerability via Bluetooth Low Energy

Vulnerability

A remote code execution vulnerability has been identified in the Meatmeet Pro BBQ Thermometer, specifically in version 1.0.34.4. This vulnerability allows an unauthenticated attacker, within proximity of the device, to perform an unauthorized over-the-air (OTA) firmware upgrade using Bluetooth Low Energy (BLE). The device fails to verify the integrity of the firmware being installed, enabling the attacker to overwrite the existing firmware with malicious code. Consequently, the device executes the uploaded code, leading to a complete loss of functionality and access for the user.

Impact

Exploitation of this vulnerability allows for remote code execution on the affected device, with the executed code running in the context of the device's firmware. This results in the user losing all access to the Meatmeet functionality.

Reproduction

The vulnerability can be reproduced with a Python script that uses the Bleak library to interact with Bluetooth Low Energy devices. After custom firmware has been written for an ESP32-C3 chip, the script is run while in proximity to a Meatmeet Pro BBQ Thermometer. It scans for and selects the device, then initiates the OTA update process by sending the custom firmware. Once the update completes, the device executes the uploaded code, demonstrating the vulnerability.
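The root cause above is an OTA path that flashes whatever arrives over BLE. As an added example (not part of this advisory and not the vendor's firmware), the receiver-side check that closes that gap: an image is written to flash only if its Ed25519 signature verifies under a vendor public key baked into the device. The image layout, the key pair and the payload are assumptions constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
)

// Assumed OTA image layout (constructed for this example, not the real
// Meatmeet Pro format):
//   [0:4]   magic "OTA1"
//   [4:8]   big-endian payload length
//   [8:72]  Ed25519 signature over magic || length || payload
//   [72:]   firmware payload to be flashed
const (
	magic   = "OTA1"
	hdrLen  = 8
	minSize = hdrLen + ed25519.SignatureSize
)

// VerifyOTAImage is the check a receiver should run before writing any of
// the update to flash: the payload is returned only if the header is
// well-formed and the signature verifies under the vendor public key.
func VerifyOTAImage(vendorPub ed25519.PublicKey, img []byte) ([]byte, error) {
	if len(img) < minSize || string(img[:4]) != magic {
		return nil, errors.New("ota: bad header")
	}
	if int(binary.BigEndian.Uint32(img[4:8])) != len(img)-minSize {
		return nil, errors.New("ota: length mismatch")
	}
	sig := img[hdrLen:minSize]
	payload := img[minSize:]
	// The signature covers header and payload, so neither can be altered.
	signed := append(append([]byte{}, img[:hdrLen]...), payload...)
	if !ed25519.Verify(vendorPub, signed, sig) {
		return nil, errors.New("ota: signature invalid")
	}
	return payload, nil
}

// BuildOTAImage is the vendor-side packer, included so the example is
// self-contained; the private key stays on the build server, never on device.
func BuildOTAImage(vendorPriv ed25519.PrivateKey, payload []byte) []byte {
	hdr := make([]byte, hdrLen)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[4:], uint32(len(payload)))
	sig := ed25519.Sign(vendorPriv, append(append([]byte{}, hdr...), payload...))
	return append(append(hdr, sig...), payload...)
}
```

On a real ESP32-C3 this check belongs in the bootloader or OTA handler before any flash write, with the public key protected by secure boot so it cannot itself be replaced over the air.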

Added: Dec 10, 2025, 9:24 PM
Updated: Dec 10, 2025, 9:24 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 4.6
remediation: 0.0
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.