2 min read

Don't let hackers ruin your roast! Security flaws found in AGA cooker app

Graham CLULEY

April 13, 2017

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Don't let hackers ruin your roast! Security flaws found in AGA cooker app

Imagine you work in marketing for a company that has been manufacturing upmarket cookers for almost 100 years.

How do you make your product capture people’s attention and attract new customers?

Simple – you rejuvenate your traditional product with state-of-the-art touch control panels and give owners a smartphone app that allows them to control their AGA cooker remotely.

https://www.youtube.com/watch?v=JDmgLwX587I

You’ve probably guessed where we’re heading…

Security researchers at Pen Test Partners discovered it was easy for a malicious hacker to send commands to owners’ AGA cookers, without authorisation.

AGA’s Total Control mobile app makes no attempt to encrypt its communications, send messages over plaintext HTTP – making it trivial for an attacker to intercept and modify commands.

The app sends its commands to a website which – oddly – send an SMS message to control your AGA cooker. Quite why the AGA cooker doesn’t connect to your home Wi-Fi network seems rather odd, but hey ho… clearly whoever developed the service decided requiring customers to spend money on an additional mobile phone contract specifically for their oven made more sense.

What it does, perhaps, tell me however is that whoever developed these remote controlled AGA cookers wasn’t fully entrenched in how modern technology is integrated with the internet these days.

And that feeling is underlined when one examines the AGA Total Control website – delivered again over HTTP rather than HTTPS, opening opportunities for a malicious hacker to steal information in transit.

Pen Test Partners discovered that when you attempt to create an account on the AGA site it asks you for your AGA cooker’s mobile phone number. Fair enough – but if you enter a phone number that has already been registered, it informs you of the fact.

Why is that a problem? Well, it’s now child’s play for a malicious attacker to enumerate a list of all the valid AGA cooker phone numbers. And that means that they could also turn other people’s AGA cookers off by simply sending a text message – potentially ruining your Sunday dinner.

To be fair, it’s not the most serious security hole ever found in a device which has attempted to drag itself into the 21st century by adding high-tech features, but it does show yet again that manufacturers are racing to add bells-and-whistles to their products without taking online safety seriously.

AGA cookers may not be that critical, but imagine if the same weak infrastructure was being used by medical devices, or other control systems…

What’s more, in its blog post, Pen Test Partners share a sorry tale of just how difficult it was to report to AGA details of the vulnerabilities that had been uncovered.

For weeks the researchers attempted via various routes to get a response from AGA, only to have messages and calls unanswered, promises of return calls broken, and even being blocked by AGA’s official Twitter account at one point!

There’s no excuse these days for any firm with an online presence not to have some mechanism for escalating security concerns to the right people inside the company so they can be responded to appropriately and promptly.

Anything less just looks half-baked.

tags


Author



Right now

Top posts

The Holiday Guide to Tech Support: Fixing the Family Computer

The Holiday Guide to Tech Support: Fixing the Family Computer

November 24, 2021

2 min read
Bitdefender Celebrates 20 Years of Cybersecurity Leadership

Bitdefender Celebrates 20 Years of Cybersecurity Leadership

November 04, 2021

3 min read
Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

October 26, 2021

3 min read
What are drive-by download attacks and how do you prevent them?

What are drive-by download attacks and how do you prevent them?

October 25, 2021

2 min read
Criminals Can't Wait to Add Your IoT Device to Their DDoS Networks

Criminals Can't Wait to Add Your IoT Device to Their DDoS Networks

October 22, 2021

2 min read
Six in 10 Consumers Faced a Cyber Threat in 2021, New Bitdefender Study Reveals

Six in 10 Consumers Faced a Cyber Threat in 2021, New Bitdefender Study Reveals

October 20, 2021

3 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Iranian Threat Actor Deployed Malicious PowerShell Script through Phishing, Then Stole Files and Credentials Iranian Threat Actor Deployed Malicious PowerShell Script through Phishing, Then Stole Files and Credentials
Silviu STAHIE

November 26, 2021

1 min read
Ukraine Arrests Five iPhone Hackers of the Phoenix International Hacking Group Ukraine Arrests Five iPhone Hackers of the Phoenix International Hacking Group
Filip TRUȚĂ

November 26, 2021

1 min read
Couple arrested for secretly installing cryptomining software on department store PCs Couple arrested for secretly installing cryptomining software on department store PCs
Graham CLULEY

November 26, 2021

1 min read