Another IOT fail - Oven with a sim card controlled by text messages

wvjohn
Posts: 9238
Joined: Wed Nov 22, 2000 7:09 am


Post by wvjohn »

all you need is the oven's phone #.

Must be nice to be able to pay for monthly cell service for your oven...

https://www.theregister.co.uk/2017/04/1 ... nsecurity/

Half-baked security: Hackers can hijack your smart Aga oven 'with a text message'
This IoT goose is cooked

13 Apr 2017 at 00:53, John Leyden
Miscreants can remotely turn off and on posh Aga ovens via unauthenticated text messages, security researchers have warned.

All you need is the phone number of the appliance, apparently.

The vulnerable iTotal Control models of the upmarket slow-cookers contain a SIM card and radio tech that connects to cellphone networks. This allows the Brit-built roasters to receive texted commands: these messages can be sent directly to appliances from phones, or via an app or Aga's website, from anywhere in the world.

This means you can order your fancy baking oven to get it heating up well before you leave from work, for instance. According to UK IT security consultants Pen Test Partners (PTP), this feature can be hijacked by villains to meddle with the equipment without the owners' permission.

The iTotal Control ovens pick up messages using a Tekelek-branded comms module and a GSM SIM card from UK cellular network EE – which costs £6 ($7.50) a month to keep active. Controlling an Aga by text is a strange design choice because many of the hefty ovens are out in the sticks without decent cellular reception. The design was implemented by an Irish outfit called Action Point, it is understood.

Rather than using an SMS-based remote-control module, Aga should have used a secure Wi-Fi-enabled module with mobile app, according to PTP, which criticized the manufacturer's "bizarre unauthenticated text messaging process."

"Aga's choice of mobile comms costs customers more than £70 extra per year and doesn't help customers in poor mobile reception areas," PTP's Ken Munro noted in an advisory shared with The Register earlier this week. "A Wi-Fi module done right, with a conventional mobile app and API, is unlikely to have cost them much more to develop."

To control someone's Aga, all you need is the phone number associated with the appliance's SIM card, we're told. The control system makes no attempt to authenticate whoever sent the command texts. This shortcoming clears the way for all sorts of mischief: these electric powered machines can draw up to 30 amps, so you could run up a small chunk of change on a victim's power bill as well as wasting energy while they are away – or ruining dinner by switching the thing off.

Aga's "Register my cooker" webpage generates a different error message depending on whether or not you enter a number that has previously been recognized as one assigned to an iTotal Control cooker. You can exploit this and a similar shortcoming that enumerates owners by their email addresses to, over time by brute force, build up a list of known Aga cellphone numbers. With these digits, you can start taking over strangers' ovens from the other side of the world.

"All you have to do is simply send a text message to the Aga. No authentication. Turn other people's Agas off," Munro told us. "We didn't, but it would be trivial for less-ethical culinary threat actors to do so."

The format of the command messages is simple, it seems: a string followed by a sequence number and then the order, eg:

WebtextPass,35257,Baking Oven On

The official mobile app and Aga's website use just unencrypted HTTP, with no option for HTTPS, which leaves customer information open to eavesdropping on the 'net. For what it's worth, the app talks to the website's backend via an API, which sends the text messages to registered ovens.

Headaches
PTP had all sorts of problems in getting in touch with Aga to report the design flaws, prior to publishing its findings on Thursday. The oven maker's representatives initially told PTP that "we've had no reports of customers having their Agas hacked" – a response that misses the point about what may be possible rather than what's been discovered and flagged up as a risk.

In response to queries from El Reg, Aga's PR folks offered a statement from the oven maker suggesting that it was confident its partners had the issue in hand:

Aga Rangemaster operates its Aga TC phone app via a third-party service provider. Security and account registration also involves our M2M provider. We take such issues seriously and have raised them immediately with our service providers so that we can answer in detail the points raised.

PTP told Aga it ought to take down the www.Agatc.co.uk website and fix the problems it had identified. El Reg sought to clarify through a followup message whether or not Aga was going to take this advice, but we're yet to get a substantive response.

Aga owners should note: this issue only affects you if you have the latest Total Control cooker and bought the remote control option.

The issues discovered by PTP in Aga's ovens add to a growing list of kitchen-related IoT security failings – from insecure kettles to pwnable industrial dishwashers commonly used in hospitals and restaurants. Now you can add home ovens to the list. ®
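Added example (not code from the article, Aga, or Pen Test Partners): the quoted piece describes the command text as a fixed string, a sequence number and the order, with "WebtextPass,35257,Baking Oven On" as the only concrete message. The block below parses that format to make the gap visible, then shows one hardened design for the same single-SMS transport: a per-device key provisioned at registration, an HMAC over the sequence number and command, and a strictly increasing sequence number at the receiver so a captured text cannot be replayed. Everything beyond the one quoted message is an assumption: the second command name, the "v1" wire format, the 64-bit truncated tag, and the key values.

```python
import hmac
import hashlib

# Format the article describes (one example message is quoted there):
# "<fixed string>,<sequence number>,<command>"
LEGACY_PREFIX = "WebtextPass"

# Command vocabulary is an assumption for this example; the article only
# shows "Baking Oven On".
KNOWN_COMMANDS = {"Baking Oven On", "Baking Oven Off"}


def parse_legacy_command(sms: str):
    """Parse the unauthenticated format. Returns (sequence, command) or None.

    Note what is never checked: nothing in the message depends on a secret,
    and the sending number is not consulted (caller ID is spoofable anyway).
    Anyone who knows the oven's phone number can produce an accepted message.
    """
    parts = sms.split(",", 2)
    if len(parts) != 3 or parts[0] != LEGACY_PREFIX or not parts[1].isdigit():
        return None
    seq, command = int(parts[1]), parts[2].strip()
    if command not in KNOWN_COMMANDS:
        return None
    return seq, command


# --- hardened variant (hypothetical design, not Aga's) ----------------------
# Same transport (a single SMS), but each message carries an HMAC over the
# sequence number and command under a per-device key shared with the back
# end at registration. The receiver also insists on a strictly increasing
# sequence number, so a captured message cannot be replayed later.

AUTH_VERSION = "v1"
MAC_HEX_LEN = 16  # 64-bit tag keeps the whole text well inside one 160-char SMS


def _mac(key: bytes, seq: int, command: str) -> str:
    data = f"{seq},{command}".encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:MAC_HEX_LEN]


def build_authenticated_command(key: bytes, seq: int, command: str) -> str:
    """What the legitimate app or back end would send to this device."""
    return f"{AUTH_VERSION},{seq},{command},{_mac(key, seq, command)}"


class OvenReceiver:
    """Firmware-side handler holding the device key and last accepted seq."""

    def __init__(self, key: bytes, last_seq: int = 0):
        self.key = key
        self.last_seq = last_seq
        self.state = {}

    def handle(self, sms: str):
        parts = sms.split(",", 3)
        if len(parts) != 4 or parts[0] != AUTH_VERSION or not parts[1].isdigit():
            return False, "malformed"
        seq, command, tag = int(parts[1]), parts[2], parts[3]
        # Verify the tag before trusting anything else in the message.
        if not hmac.compare_digest(tag, _mac(self.key, seq, command)):
            return False, "bad mac"
        # Replay protection: only sequence numbers newer than the last one seen.
        if seq <= self.last_seq:
            return False, "replayed or stale sequence"
        if command not in KNOWN_COMMANDS:
            return False, "unknown command"
        self.last_seq = seq
        self.state["baking_oven"] = command.endswith("On")
        return True, "ok"


if __name__ == "__main__":
    # Constructed demo key; a real device key would be generated at provisioning.
    key = bytes(range(32))
    oven = OvenReceiver(key)
    msg = build_authenticated_command(key, 1, "Baking Oven On")
    print("legacy parse:", parse_legacy_command("WebtextPass,35257,Baking Oven On"))
    print("genuine:", oven.handle(msg))
    print("replay:", oven.handle(msg))
    print("forged:", oven.handle("v1,2,Baking Oven On," + "0" * MAC_HEX_LEN))
```

The order of checks matters: the MAC is verified first so an attacker without the key learns nothing about the sequence window, and the sequence number is committed only after a valid, fresh message has been fully accepted. A lost or out-of-order text is the cost of strict monotonicity; a small acceptance window is the usual compromise if that becomes a problem in practice.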
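Added example (not Aga's code) for the registration-page enumeration the article describes: a response that differs depending on whether a number is already known as an iTotal Control SIM is an oracle, and an attacker only needs to compare each candidate's response against the response for a number that is certainly unregistered. The back end, the phone numbers (drawn from the Ofcom-reserved 07700 900xxx drama range) and the response strings are all constructed for this example; the uniform-response handler is one standard fix, not anything Aga has published.

```python
# Constructed back-end state: SIM numbers that the pretend registration
# service already knows about. The email check the article mentions works the
# same way and is omitted for brevity.
REGISTERED = {"+447700900101", "+447700900122", "+447700900140", "+447700900999"}

# Constructed probe space an attacker might brute-force.
CANDIDATES = [f"+44770090{n:04d}" for n in range(100, 160)]


def register_leaky(phone: str, email: str) -> str:
    """Models the behaviour described in the article: the error text reveals
    whether the number is a recognised cooker."""
    if phone not in REGISTERED:
        return "Error: this number is not recognised as an iTotal Control cooker."
    return "Error: this cooker is already registered, please log in."


def register_uniform(phone: str, email: str) -> str:
    """Hardened handler: identical response for known and unknown numbers.
    The real outcome goes out of band (a text to the SIM, or mail to the
    address on file), so the web response carries no membership signal."""
    return "If this number belongs to a registered cooker, instructions have been sent to it."


def enumerate_registered(register, candidates, probe="+447700900000"):
    """Attacker view: anything whose response differs from that of a number
    known not to be registered is a recognised cooker."""
    baseline = register(probe, "nobody@example.invalid")
    return [n for n in candidates if register(n, "nobody@example.invalid") != baseline]


if __name__ == "__main__":
    print("leaky handler leaks:", enumerate_registered(register_leaky, CANDIDATES))
    print("uniform handler leaks:", enumerate_registered(register_uniform, CANDIDATES))
```

Making the message identical is necessary but not sufficient: response time, HTTP status, redirect target and rate limits all need to match for known and unknown numbers, otherwise the same loop works on whichever channel still differs.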
FlyingPenguin
Flightless Bird
Posts: 32783
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Re: Another IOT fail - Oven with a sim card controlled by text messages

Post by FlyingPenguin »

Who the HELL needs a "smart" oven. Anyone who buys one is just as much at fault as the manufacturer.

This also comes DANGEROUSLY close to making Kellyanne Conway sound rational when she talked about "microwaves" spying on us (assuming she meant ovens and not electromagnetic waves).

I am carefully designing the new house to have an isolated network just for IOT crap, and the only IOT crap I allow will be the security camera DVR system and a couple of BluRay players.
Christians warn us about the anti-christ for 2,000 years, and when he shows up, they buy a bible from him.

Err
Life Member
Posts: 5842
Joined: Thu Nov 22, 2007 11:54 am

Re: Another IOT fail - Oven with a sim card controlled by text messages

Post by Err »

As much as I hate to say it, smart ovens or smart anything that can heat food should be illegal. At the very least you shouldn't be able to turn an appliance on. These are a fire hazard waiting to happen.
reno
The artist formerly known as Renovation
Posts: 1784
Joined: Wed Feb 17, 2016 10:35 pm

Re: Another IOT fail - Oven with a sim card controlled by text messages

Post by reno »

http://www.agatc.co.uk/
IOT has more problems !
Our Server is out of service at present. We apologise for any inconvenience and are working to resolve this issue as soon as possible. hehehehe :)