Smart home devices may make your life easier, but when they are vulnerable to being hacked, they can be both a headache and a danger.
Even if you always remember to turn your oven off before you leave the house, it may not stay that way. That is, if you own an Aga oven, a smart appliance that can be controlled by a smartphone app. In the latest security vulnerability to be found in the Internet of Things, security researchers at Pen Test Partners discovered that hackers could gain control of your oven, turning it on and off at will.
Security expert Ken Munro was considering upgrading his own oven range to a connected version from Aga when he discovered the issue. The ovens, which have been around since 2012, apparently can be remotely accessed, and then turned off and on without their owners’ knowledge. “I wanted to know more about its security before spending extra on this option,” Munro told The Telegraph. “We found that even Agas can be hacked. Seriously.”
So what is the issue? Apparently, it all lies in the app. While most connected devices communicate with one another and their companion apps by way of the internet, Aga instead sends text messages directly to the ovens (there is a SIM card embedded in the appliances). That means that when you want to turn your oven on, you literally text it.
While this may sound cool, it is not all that secure, Munro found. In fact, the Telegraph reported that the system “can easily be hijacked, letting hackers send messages to Agas not belonging to them in order to turn them on or off.” Because Aga neither encrypts nor verifies the communications between its app and its ovens, it would be relatively easy (Munro did it) to discover sent messages. These messages could then be mimicked by someone with “nefarious intentions.” Given that the “Total Control” Aga ovens will set you back around $12,500, this certainly seems like a problem that absolutely should not be happening.
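The verification step the article says is missing could look like the sketch below, an added example that is not Aga's or Pen Test Partners' code: each text message carries a counter and an HMAC tag derived from a per-appliance key, so a forged or replayed message is rejected. The message layout, key, device id and command names are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample values (hypothetical, not from any real appliance).
DEVICE_ID = "oven-0001"
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
ALLOWED = {"ON", "OFF"}

def _tag(key, device_id, counter, command):
    # Bind the tag to the appliance, the counter and the command.
    msg = f"{device_id}|{counter}|{command}".encode()
    # Truncated to 128 bits so the whole body fits easily in one SMS.
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]

def sign_command(key, device_id, counter, command):
    """App side: build the SMS body 'counter:command:tag'."""
    return f"{counter}:{command}:{_tag(key, device_id, counter, command)}"

class Receiver:
    """Appliance side: act only on authentic, fresh commands."""
    def __init__(self, key, device_id):
        self.key, self.device_id, self.last_counter = key, device_id, 0

    def handle(self, sms_body):
        parts = sms_body.split(":")
        if len(parts) != 3:
            return "rejected: malformed"
        counter_s, command, tag = parts
        if not (counter_s.isascii() and counter_s.isdigit()) or command not in ALLOWED:
            return "rejected: malformed"
        counter = int(counter_s)
        expected = _tag(self.key, self.device_id, counter, command)
        # Constant-time comparison; a sender without the key cannot pass this.
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "rejected: bad tag"
        # A captured genuine message cannot be sent a second time.
        if counter <= self.last_counter:
            return "rejected: replay"
        self.last_counter = counter
        return f"accepted: {command}"

def demo():
    oven = Receiver(DEVICE_KEY, DEVICE_ID)
    genuine = sign_command(DEVICE_KEY, DEVICE_ID, 1, "ON")
    other = sign_command(DEVICE_KEY, "oven-0002", 2, "OFF")  # addressed to another unit
    return [oven.handle("1:OFF:" + "0" * 32), oven.handle(genuine),
            oven.handle(genuine), oven.handle(other)]
```

The tag only authenticates the command; hiding its content from anyone who can read the message would additionally require encryption.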
Munro claims that he attempted to tell Aga of the problem, but that the company has not responded to his requests, and even blocked him on Twitter. “Come on Aga, sort it out. This isn’t acceptable,” he said. But the company told the Telegraph it is taking a closer look at its systems. “We take such issues seriously and have raised them immediately with our service providers so that we can answer in detail the points raised,” a company spokesperson said.
So if you’re an Aga owner, be careful. You never know who is controlling your oven.