Hackers can remotely control Aga cookers with an SMS

IoT exploit of upmarket oven control could ruin your quinoa risotto

Hackers could remotely control the latest IoT-equipped Aga ovens by just sending a text message, according to security researchers.

The latest Aga ovens feature an IoT device called Total Control, which allows users to access the oven's functions through a mobile or web app. The device connects to the internet via a SIM card and a cellular radio connected to a mobile phone network. This enables Aga ovens to receive and send text messages from anywhere in the world. 

But according to Ken Munro, partner at Pen Test Partners, hackers can quite easily operate the cooker without the owner's knowledge.

In a blog post, he said the mobile app passes messages onto an API, but the app communicates over plain text HTTP. He added that the Android app explicitly disables certificate validation through use of ALLOW_ALL_HOSTNAME_VERIFIER. "Even if it did offer SSL, it would thus be trivial for rogues to intercept and modify traffic," he said. 

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

He found that the physical module connected to the oven contained a GSM SIM, which costs 6 per month to maintain mobile connectivity.

But the main issue was the web app that allowed plain text over HTTP, which said Munro, didn't protect customer data in transit. The app enumerates the SIM card phone number, mistype a number and an error will appear.

"Put in a valid number (i.e. +44 845 712 52 as suggested by the app when you make an invalid entry) and you'll see that it's already registered. It's not actually a valid phone number, so likely someone has been interfering with this website!" he said.

"So those with nefarious intentions could enumerate a list of all the valid Aga cooker phone numbers. Time consuming, but likely effective."

He added that the app's password policy is only five characters. "This is starting to get pretty irresponsible of Aga; customers will have their cookers compromised," said Munro.

Munro said the app also had no validation of the number and authentication of messages, meaning that hackers could simply send a text to a cooker and turn them off or on at will.

Advertisement - Article continues below

"One could also power up people's Agas when they're not looking, wasting electricity. They draw around 30 Amps in full heat-up mode, so if you could switch enough Agas on at once, one could cause power spikes," said Munro.

He added that the web interface lends itself to "spamming the hell out of people using SMS at Aga's expense".

Munro said that the disclosure process with Aga was a "train wreck".

"We tried Twitter, every email address we could find and then rang them up. No response to any of the messages we left."

Advertisement
Advertisement - Article continues below

He urged the firm to ditch the SMS based remote control module and put in a secure Wi-Fi enabled module with mobile app.

He also noted that the SIM module is made by Tekelek and this company has a history in remote monitoring of oil storage tanks, heating systems, process control and medical devices among many things. 

Advertisement - Article continues below

"These appear to be monitored using SMS, so I wonder where else this bizarre unauthenticated text messaging process might lead," said Munro.

IT Pro has approached Aga for comment.

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/policy-legislation/data-governance/354496/brexit-security-talks-under-threat-after-uk-accused-of
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Visit/security/cyber-security/354468/if-not-passwords-then-what
cyber security

If not passwords then what?

8 Jan 2020
Visit/policy-legislation/31772/gdpr-and-brexit-how-will-one-affect-the-other
Policy & legislation

GDPR and Brexit: How will one affect the other?

9 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020