It is a fact that Internet of Things (IoT) devices are vulnerable to cyber attacks. Anything from smart cars and CCTV systems to smart TVs and power sockets can be taken over by cyber criminals and used for malicious purposes. Now it's time to add the new models of AGA ovens to the list, since they are operated with the help of a smartphone application.
Now, Ken Munro, a security researcher at Pen Test Partners, who also happens to own one of AGA's older model cookers, was considering upgrading his device to the app-operated one. But he changed his mind when he found vulnerabilities allowing hackers to turn the oven on or off, without the owner's knowledge, with the help of a text message.
In his blog post, Munro said that “I wanted to know more about its security before spending extra on this option. We found that even Agas can be hacked. Seriously.”
According to him, the problem lies in the way the mobile app communicates with the cooker: even though the cooker does not connect to the Internet, the AGA app sends an SMS to a SIM card embedded in the oven.
This is how it works:
The user controls the on/off function via the app installed on their phone, and the app sends a text message to the oven turning it on or off. The researcher explained that this process could easily be hijacked: hackers could send messages to cookers that do not belong to them, since the SMS messages are not authenticated by the cooker, nor is the SIM card that sends the messages validated on registration.
Munro pointed out that the real problem is not so much that the cooker could be turned ON in a dangerous capacity; the issue is that the company is not taking the security situation seriously enough, as someone with bad intentions could easily find a list of all numbers associated with AGA cookers and control them. He tried contacting the company numerous times, yet he got no answer and was even blocked by AGA on Twitter.
To @AGA_Official PR agency: "Do you deal with Aga PR?" "Yes" "Can you help me report a security flaw" "Ah, I can't help you with that"
— Ken Munro (@TheKenMunroShow) April 6, 2017
As there is no encryption or any way to verify the communication between the cooker and its app, the researcher was able to work out the message format used between the two devices; these messages could be copied and used to control the ovens remotely.
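To make the two weaknesses described above concrete (commands accepted from any sender, and messages that can simply be copied), here is an added example of a simulated oven-side SMS command handler, written for this article and not AGA's or Pen Test Partners' code. The weak handler mirrors the behaviour described; the hardened one checks the registered sender, an HMAC tag under a provisioned key, and a monotonic counter so a copied message is rejected. The message layout, key and phone numbers are constructed assumptions.

```python
import hmac
import hashlib


def weak_handle(sms_from, body, state):
    """Accepts ON/OFF from any number, unauthenticated: the behaviour criticised above."""
    cmd = body.strip().upper()
    if cmd in ("ON", "OFF"):
        state["power"] = cmd
        return True
    return False


class HardenedOven:
    """Simulated oven that only acts on authenticated, fresh commands from its owner."""

    def __init__(self, owner_number, shared_key):
        self.owner = owner_number   # bound to the owner's SIM at registration (assumed step)
        self.key = shared_key       # provisioned out of band, never sent by SMS (assumed)
        self.last_counter = 0       # highest counter seen; defeats copied/replayed messages
        self.power = "OFF"

    @staticmethod
    def tag(key, counter, cmd):
        """HMAC-SHA256 over counter and command, truncated to fit comfortably in an SMS."""
        return hmac.new(key, f"{counter}:{cmd}".encode(), hashlib.sha256).hexdigest()[:16]

    def handle(self, sms_from, body):
        # Sender numbers can be spoofed, so this check alone is not authentication;
        # the HMAC below is what actually proves the message came from the key holder.
        if sms_from != self.owner:
            return False
        try:
            counter_s, cmd, tag = body.strip().split(":")
            counter = int(counter_s)
        except ValueError:
            return False                      # malformed message
        if cmd not in ("ON", "OFF") or counter <= self.last_counter:
            return False                      # unknown command or replayed counter
        if not hmac.compare_digest(tag, self.tag(self.key, counter, cmd)):
            return False                      # forged or tampered message
        self.last_counter = counter
        self.power = cmd
        return True
```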
“You probably know it takes hours for an Aga to heat up. Switch it off, annoy the hell out of people,” said Munro. “One could also power up people’s Agas when they’re not looking, wasting electricity. They draw around 30 Amps in full heat-up mode, so if you could switch enough Agas on at once, one could cause power spikes. That’s a bit fanciful though.”
As a researcher, he recommends that AGA replace this technology with one using secure Wi-Fi communication. AGA replied that a third party provides their system and that they are looking into the problem: “We take such issues seriously and have raised them immediately with our service providers so that we can answer in detail the points raised.”
Finally got a call back from @aga_official – now to see if they will take the offending service down…
— Ken Munro (@TheKenMunroShow) April 12, 2017
Pen Test Partners are the same team that previously found critical vulnerabilities in, and hacked, a Samsung refrigerator, smart dildos, the Mitsubishi Outlander hybrid car, and Internet-connected sex toys that record videos. Therefore, one should listen to their findings and implement the security measures they advise.