If you own an Aga cooker, and you use an app to remotely control it, hackers could be poised to put a dampener on your long weekend by ruining the Easter Sunday roast.
The security frailties in the app could allow a hacker to turn off your oven, potentially ruining your hard work, though not in a way that could threaten physical safety. Your personal data, however, could be at risk.
Security weaknesses in the app were discovered by Ken Munro of Pen Test Partners when he was looking to upgrade his own Aga. The app is provided by a third party, and the service is available for the latest Aga models.
The revelations have sparked concern for the makers of the iTotal Control system that Aga have implemented and marketed since 2012.
As reported by the BBC, Mr Munro said: “If you were maliciously motivated, it wouldn’t be very difficult to switch off people’s Agas remotely.” Mr Munro detailed the weak areas: he noticed that SMS messages govern the off and on function, and he found that these are not authenticated by the cooker.
The system also sends email addresses in plain text, which means there is no form of protection against adversaries who intend to look in and access important personal data.
In addition to this, he found that the SIM card was not configured to validate messages upon registration, leaving another soft area that could be used as an entry point.
This is yet another example of an unassuming, innocent-looking connected appliance in the home, with even a classic-looking Aga cooker turned into a breach point for hackers intending to steal from you.
This article is from the CBROnline archive: some formatting and images may not be present.