Luxury AGA ovens aren't safe from hackers
Owners can switch their oven on and off via a text message, but so can an attacker.
In the kitchen, nothing screams "I have money" like an AGA. The expensive British-made cast-iron stoves (or cookers, depending on where you're from) have barely changed in terms of looks much over the last century, but they have got smarter. Thanks to the company's iTotal Control technology, owners of certain models -- costing $10,000 and upwards -- have been able to switch their oven on and off via an app or by sending it a simple text message. It's no doubt helped them remotely prepare dinner, but a security flaw in the system has also left them open to mischievous third parties.
A new report from security experts Pen Test Partners takes issue with some AGA models that come with a built-in SIM card and mobile radio. Each oven has its own mobile phone number, which owners must pay an extra $7.50 or £6 a month for. Due to a lack of security on the Aga web app, attackers can effectively spam the login form to gain a list of eligible phone numbers and send requests to unsuspecting households. As the company doesn't check who is sending the text request, attackers potentially have full control.
To be clear, the exploit isn't going to cause much harm. However, AGA are notoriously power hungry and take a long time to heat up. The likely damage would be an inflated power bill or a ruined dinner party. Pen Test Partners notes that a simple WiFi module and mobile app would do the trick, rather than a system that can be impacted by poor mobile signals and unauthenticated text messages.
AGA initially neglected to address the concerns but has today issued a statement saying that the platform is supported by a separate company and that it's looking into the issue: "We take such issues seriously and have raised them immediately with our service providers so that we can answer in detail the points raised."
