A new report from security experts Pen Test Partners takes issue with some AGA models that come with a built-in SIM card and mobile radio. Each oven has its own mobile phone number, for which owners must pay an extra $7.50 or £6 a month. Due to a lack of security on the AGA web app, attackers can effectively spam the login form to gain a list of eligible phone numbers and send requests to unsuspecting households. As the company doesn't check who is sending the text request, attackers potentially have full control.
To be clear, the exploit isn't going to cause much harm. However, AGA ovens are notoriously power hungry and take a long time to heat up, so the likely damage would be an inflated power bill or a ruined dinner party. Pen Test Partners notes that a simple WiFi module and mobile app would do the trick, rather than a system that can be impacted by poor mobile signals and unauthenticated text messages.
AGA initially neglected to address the concerns but has today issued a statement saying that the platform is supported by a separate company and that it's looking into the issue: "We take such issues seriously and have raised them immediately with our service providers so that we can answer in detail the points raised."
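A sketch of the sender check the report says is missing, added here as an example and not taken from Pen Test Partners' report or AGA's platform: an inbound text is acted on only if the sender is registered for that oven and the message carries a valid, unreplayed HMAC tag. The message format, registry layout, key and phone numbers are all assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample registry, keyed by the oven's own mobile number.
DEVICES = {
    "+447700900001": {
        "owners": {"+447700900123"},         # numbers registered to the account
        "key": b"per-device-secret-placeholder",
        "last_counter": 41,                  # highest counter already accepted
    }
}
ALLOWED_COMMANDS = {"ON", "OFF", "STATUS"}   # hypothetical command set


def sign(key: bytes, device: str, command: str, counter: int) -> str:
    """Tag the owner's app would append to a command (truncated HMAC-SHA256)."""
    msg = f"{device}|{command}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def authorize_sms(sender: str, device: str, body: str) -> tuple[bool, str]:
    """Decide whether an inbound text 'CMD COUNTER TAG' may be acted on."""
    record = DEVICES.get(device)
    if record is None:
        return False, "unknown device"
    # Caller ID can be spoofed, so the sender check is only a first filter.
    if sender not in record["owners"]:
        return False, "sender not registered"
    parts = body.strip().split()
    if (len(parts) != 3 or parts[0] not in ALLOWED_COMMANDS
            or not (parts[1].isascii() and parts[1].isdigit())):
        return False, "malformed command"
    command, counter, tag = parts[0], int(parts[1]), parts[2]
    expected = sign(record["key"], device, command, counter)
    # Constant-time comparison of the received tag against the expected one.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return False, "bad tag"
    # The counter must strictly increase so a captured text cannot be replayed.
    if counter <= record["last_counter"]:
        return False, "replayed counter"
    record["last_counter"] = counter
    return True, command
```
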