Sorry Darren - what's the Aussie angle?
So far as I can tell, this is an American hacking team giving a presentation in New Zealand of their exploit of an American-made product mostly used by Americans.
It works with charcoal-fueled kettle-style BBQs, like Webers so is not really going to be in use by that many Australian's over Christmas given we tend to prefer the standard gas-powered grills.
Not that the Weber doesn't get a fire now-and again when the temperature is far too hot to consider turning the oven on but that'd usually be for the bird and so it's not really a the type of thing that this is device is aimed at which is slow-cooking and specifically smoking large, tougher pieces of meat, such as brisket, which is barely even available in Australia*.
I mean, generally Aussie's don't go in for smoking as much as our American cousins whatever the time of year or the cut of meat - it's just a difference of cultural tastes I suppose. Our slow-cooks are more likely to be a lamb shoulder and if that's done in a Weber, we don't traditionally aim for a smoked flavour.
Further, the device itself must be imported as I can't find any Australian stockists and it comes with one of those flimsy US two-prong plugs and so must be run with an adapter. They are also set as F so must be changed manually in several places for C.
Further, as I understand it, the hack relies on the devices being discoverable over the Internet but in Australia, residential ISPs routinely block port 80 so all such devices will need to be running on non-standard ports. This is in contrast to most ISPs in the US that allow port 80.
It's still an interesting article of course and it is right for Darren to be presenting it as he was actually at the conference so no arguments there, just a little perplexed by the choice of by-line: "American hardware hackers have ruined Christmas cooks ups across Australia."
But, back to the device itself, I don't think it's specifically aimed at being accessible from the Internet. Anything is, of course, if you setup your router correctly, but the reports I've read suggest that there are no instructions included with the device to show people how to set their router to forward the port to the device or find their public IP or to put that IP into the phone app.
I guess what I am saying is that this doesn't seem to be specifically designed and marketed as an Internet connected device. From what I can tell, the purpose is to allow you to monitor the temperature from inside using your phone so you don't have to go out and check every so often. Or indeed so you can leave it over night or whatever.
Looking at the history of the device, it seems that the original was simply a temperature control unit - similar to others on the market that work by closing the main air intake for the smoker and instead using an electronically-controlled fan. People requested a wireless-capable unit that could be controlled via a http interface or phone app and the company duly made one.
That said, when they did so, it seems they botched that because there were reports of people having to disable WPA2 in favour of WPA to get the thing to even connect to the wireless network.
So, it seems it's not some rubbish hype device marketed as 'rar rar Internet' but a normal, standalone device that had connectivity added on top later on due to customer demand.
Of course, this highlights one of the core problems with the IoT mentality, namely that devices that perform some function that is not primarily reliant on any connectivity at all (let alone Internet connectivity) are getting Internet connectivity bolted on as a feature. The inevitable consequence is that these add-on bits of circuitry and programming are just bought largely off-the-shelf and never patched.
They aren't hardened in any meaningful way because any customisation that is done for that specific device tends to revolve solely around the UI - pretty buttons and apps and so forth - not security.
Seems to be the case here as the manufacturer isn't in the business of making network-connected devices so they just don't have the expertise to ensure that their device is secure.
* - Closest cut that would be readily available would be the shank but, while that's certainly a tough, muscular cut, it's not really the same thing due the the anatomical structure of the cow and the load-bearing nature of the brisket.
Biting the hand that feeds IT
