Hackers Can Target Aga Ovens, Heating Up IoT Security Concerns

dacor wall oven CES

Have hackers ruined your casserole? Aga ovens are vulnerable to hackers who can turn your oven on and off

The issue of security in the modern household in a Internet of Things (IoT) world has been raised after a researcher found that that high-end Aga cookers can be compromised by hackers.

The modern version of these ovens now come with a system (called ‘Total Control’) that allows the user to remotely control their kitchen appliance.

But unfortunately it seems that while Aga may make some good ovens, the company has very little idea on how to properly secure their system.


Half Baked Security

The problem stems from the fact that the system that Aga uses consists of both a radio module and and a GSM SIM connected to the Orange / EE network (at £6 per month). It is controlled either by a web or smartphne app.

According to PenTestPartners, the mobile app communicates over plain text HTTP, and the Android version “explicitly disables certificate validation.”

But digging deeper, it seems that the physical module is controlled by sending text messages to the cooker.

“That’s really quite an odd concept, particularly as many Agas are in remote locations in the country so don’t have great mobile reception,” blogged the researchers.

And they pointed out a number of fundamental problems with Aga’s Web application, as the login and registration page is all carried out over plain HTTP. And the password is only five characters long.

Another problem is that there is no link sent to validate the number or the account.

“All you have to do is simply send a text message to the Aga. We didn’t, but it would be trivial for less ethical culinary threat actors to do so,” the researchers warned. “You probably know it takes hours for an Aga to heat up. Switch it off, annoy the hell out of people.”

And the researchers slammed the disclosure process of Aga, saying they had tried everything possible to communicate the problem to them.

“Come on Aga, sort it out. This isn’t acceptable,” the researchers said. “Get rid of the silly SMS based remote control module and put in a nice secure Wi-Fi enabled module with mobile app.”

IoT Risks

With the increasing connectivity of many households today, security risks associated with smart home products are set to become increasingly common.

In February for example an IBM researcher warned that Internet-connected cars share the security shortcomings of other IoT-connected devices.

The researcher was able to remotely control his car – including remotely unlocking it – years after he had traded it in.

In January two security firms (Intel and BitDefender) revealed products to help safeguard the growing numbers of smart homes.

Quiz: What do you know about cybersecurity in 2016?