Cooking with Gas? Smart AGA Ovens Hijacked by Text Message

There’s a new cyber-criminal class, waiting in the wings: Culinary threat actors.

In certain design-y and class-conscious circles, installing a cast-iron, top-of-the-line AGA oven and range is pretty much a must. The latest models are cooking up IoT extras, too, via a Total Control app, which allows chefs to control their oven temperatures remotely. For instance, if you need to pre-heat the oven before you get home, it seems like a pretty nifty thing to be able to use. Especially for an AGA, which takes an “AGA-nizingly” long time to heat up (see what I did there?).

Alas, it appears as though the idea is, err…half-baked.

Pen Test Partners found that hackers can hijack your beautiful shiny designer oven—with a text message.

PTP has cooked up a whole analysis on the issue, but the upshot is this: The mobile app communicates in plain text via API directly to the oven, while the web app simply sends text messages to the cooker.

That’s it, you can stick a fork in it.

“They hadn’t bothered to protect customer data in transit at all,” PTP noted. “Those with nefarious intentions could enumerate a list of all the valid AGA cooker phone numbers. Time consuming, but likely effective.”

Adding zest to the hacker’s batter here is the fact that AGA has no validation mechanism for the number and authentication of messages, and, the password policy is only five characters.

In other words, it would be easy for hackers to put the heat on—quite literally. Though the worse outcome might be taking it off.

“It takes hours for an AGA to heat up,” PTP said. “Switch it off, annoy the hell out of people.”

The web interface also lends itself to spamming using SMS, at AGA’s expense, PTP added—though the company didn’t exactly seem concerned about serving up helpings of annoyance to their customers.  

“Disclosure was a train wreck. We tried Twitter, every email address we could find and then rang them up,” PTP said, presumably eager to give the company’s security team a grilling. “No response to any of the messages we left.”

That was over the course of three days, so the proof will be in the pudding in terms of whether the company addresses the issue now that it’s public. Meanwhile, it’s just another IoT tale of woe to throw into the mix.

What’s Hot on Infosecurity Magazine?