Half-baked security: Hackers can hijack your smart Aga oven 'with a text message'

Miscreants can remotely turn off and on posh Aga ovens via unauthenticated text messages, security researchers have warned. All the hijackers need is the phone numbers of the appliances. The vulnerable iTotal Control models of the upmarket cookers contain a SIM card and radio tech that connects to mobile phone networks. This …

  1. Anonymous Coward
    Flame

    Can you control the oven temperature?

    Or is this one of the leet ovens that doesn't have temp controls?

    1. Richard 12 Silver badge

      Re: Can you control the oven temperature?

      Agas are the worst oven known to man. Incredibly inefficient unless you also need to heat the room all day.

      The temperature is pre-set during installation and cannot be changed.

      On/Off is all you get on an electric, and the gas ones don't even have an indicator to say that they are burning.

      Stayed at a place that has a gas one. It went out one day, we didn't realise until it was too late for it to warm up for dinner.

      So we went to the pub.

      1. Colin Bull 1
        Flame

        Incredibly inefficient - not

        We have a circa 1950 Rayburn version of the AGA. It was solid fuel but converted to oil. It heats a >400-year-old 3-bed house and provides hot water for less than £500 a year. Not on all day. We once left a roast lamb dinner in it when we went to a beer festival. We were 3 hours late home and the lamb was delicious. If they are used properly they can be a great asset.

        1. Tom 7

          Re: Incredibly inefficient - not

          We have a similar age Aga that runs on oil and it sits there for maybe half the year heating the house and water. It's never turned off or down over the 'winter' period. I dare say you can get something a bit more efficient but nowhere near as nice. And the food that comes out of it is extraordinary and modern 'smart' Agas don't come close. It has two ovens and you can put a chicken carcass for stock in the 'cool' oven and take it out three days later and the stock is unbelievable. I have looked into the idea of seeing if it can be converted to rapeseed but Aga are so up their own arses these days I'm not going to make their fortune for them.

        2. Kane

          Re: Incredibly inefficient - not

          "We once left a roast lamb dinner in it when we went to a beer festival. We were 3 hours late home and the lamb was delicious."

          Is that because of the beer, or the Aga?

        3. N2

          Re: Incredibly inefficient - not

          Agreed,

          Our Rayburn uses wood & works superbly well, heating water by convection.

          So if the Russians cut off the gas & there's a power cut, it continues to heat the house, water & cook.

        4. bjr

          Re: Incredibly inefficient - not

          I'm confused. Are you saying that in Britain it's common to heat a house with a kitchen stove? In the US we haven't done that since the 19th century, we have proper furnaces that heat the house and kitchen stoves or ovens that are designed to cook dinner, they don't heat the kitchen let alone the house.

          1. John Brown (no body) Silver badge

            Re: Incredibly inefficient - not

            "I'm confused. Are you saying that in Britain it's common to heat a house with a kitchen stove?"

            No, we don't. In some circumstances, they might still do that but they are either years old (there's really nothing in them to break) or are bought by people with a big kitchen and plenty of cash mainly for a bit of that Olde Worlde look. A bit like those of you in the colonies who still like the old fashioned 1950s look refrigerator or other kitchen appliances.

            But wait! You have a whole furnace to heat your house? What is it? A 10 bedroom mansion? Do you employ your own stoker to shovel the coal in?

            Most people in the UK have a fairly small gas powered combi boiler that does heating and "instant" hot water that's about the size of a medium suitcase.

            1. Thrudd

              Re: Incredibly inefficient - not

              Radiant heating is the exception and not the norm in the Americas and electric is more common than water for those that do.

              Central forced air is the default here and by mansions you mean three to four bedrooms in a household with weather below freezing for at least 4 months of the year, then yes.

      2. Doctor Syntax Silver badge

        Re: Can you control the oven temperature?

        "So we went to the pub."

        Usually the best solution.

      3. Roland6 Silver badge

        Re: Can you control the oven temperature?

        >On/Off is all you get on an electric, and the gas ones don't even have an indicator to say that they are burning.

        Proper Agas only use solid fuel (okay, oil is an acceptable alternative if you've not got a decent supply of coal or tarred wood, i.e. ancient railway sleepers) - never really saw the point of the electric or gas Aga.

      4. Anonymous Coward
        Anonymous Coward

        Re: Can you control the oven temperature?

        Agas are the worst oven known to man. Incredibly inefficient unless you also need to heat the room all day. The temperature is pre-set during installation and cannot be changed. On/Off is all you get on an electric, and the gas ones don't even have an indicator to say that they are burning. Stayed at a place that has a gas one. It went out one day, we didn't realise until it was too late for it to warm up for dinner.

        So we went to the pub.

        Actually the Total Control is the electric model where you can switch individual ovens on, and it doesn't have to be on all day; you had a timer you could set. I looked at one for my house before I moved in and decided against it because, despite my estate agent saying they raised the value of the house, the space I had to put it in wasn't really large enough. If you live in a large house they're actually quite good because they really do heat the room and reduce the need to have a radiator in the kitchen. I went to a cooking demonstration for AGA and saw how to cook on one despite not actually buying one for myself in the end. You can dry clothes on them, do a wicked toasted sandwich on top (with some silicone paper) and the best cake I've ever cooked was done in an AGA. You can alter the temperature (on the oil and gas ones, as my mum and sister have them*) but you're supposed to use different ovens and positions within the oven to cook. *They were in the houses when they moved in; they didn't have them put in. Also it will carbonise food left in there and I've seen some beautiful examples of bread that looked exactly the same as when it went into the oven, just now carbon black and shiny.

        Still a bit of a shocker to find that someone can turn on your oven whilst you're out if you went for the connected model. I can think of ways to mitigate this even if you did go with the SMS option and not a more secure wifi option. Not even sure this counts as coming under the IOT banner because it's using SMS.

    2. Anonymous Coward
      Anonymous Coward

      Re: Can you control the oven temperature?

      AGA are in a mess. I interviewed there last year and even the short time I was in the office it was clear they were struggling for lack of direction, being beholden to a cabal of long-time employees so set in their ways that any innovation is fought against.

      They also made their receptionist redundant and installed a phone in the 'air lock' entrance to replace her.

      I don't blame them for trying new things. They are going to have to do a lot better though.

      1. fidodogbreath

        Re: Can you control the oven temperature?

        They also made their receptionist redundant and installed a phone in the 'air lock' entrance to replace her.

        If you know the phone number, you can probably open the airlock by SMS.

  2. Anonymous Coward
    Anonymous Coward

    iTotal Control!

    ...rolling on the floor, laughing.

  3. Anonymous Coward
    Anonymous Coward

    the bruised and bloodied optimist in me says "maybe someone will learn from this example" but he is also learning-- slowly

  4. Number6

    I had a WTF? moment reading the headline, which only got worse when I read the article. Why would anyone want to remotely control an Aga? Or isn't it a 'proper' oven, just a designer look-alike?

    1. MyffyW Silver badge
      Coat

      My thought entirely @Number6 - if one is so luddite-minded as to have a 19th century oven, why would one want to embugger it with a late-20th century innovation such as SMS-based remote control?

      The only explanation is we have hit upon a new trope following steam-punk, diesel-punk etc. I'm getting my coat - the one without the lace-up corset.

    2. Warm Braw

      Why would anyone want to remotely control an Aga?

      It's been a bugger getting the staff, ever since the Great War...

    3. phuzz Silver badge

      I assume, so that you can turn the oven on before you get home, so it's warmed up to temperature, ready for the roast duck you're cooking (or whatever one cooks in one's Aga).

      1. Roland6 Silver badge

        >I assume, so that you can turn the oven on before you get home, so it's warmed up to temperature

        With a real Aga, best to turn it on before you leave for work in the morning...

        But then, just like preserved steam engines, they don't like being hot/cold cycled too often...

      2. Tikimon
        WTF?

        How long is the effing preheat cycle?!?

        How many days' lead time does one need to preheat these things that a remote-start is useful? My not-expensive electric oven heats up in ten minutes. Does anyone really come home and race into the kitchen to immediately throw a fully-prepared dish in the oven? Who really lives by such tight time margins?

        Another product in desperate need of a purpose. I shorely wish people would design things we actually need instead of questionable excuses to bolt on some electronics and internet connection...

      3. Loud Speaker

        whatever one cooks in one's Aga

        Peasants or pheasants - depends on your social class.

    4. Anonymous Coward
      Anonymous Coward

      Agreed.

      When they can program:

      "fetch the peas from the pantry, open the tin, put them in the pan, put the pan on the stove, light it at a medium heat and throw away the old can in the correct bin" into a SMS, I'll be impressed.

  5. Anonymous Coward
    Anonymous Coward

    so much automation

    I can set the washing machine going before leaving work, turn on the cooker, the fridge re-filled itself from Amazon direct and the Roomba cleaned the floor..... why do I need to go home? I can stay at the coal face for a few more hours earning that state pension that won't be there when I retire.

    I know people do have reasons for IoT stuff but who is so busy that they need to turn the oven on before they get home? I was told as a child NOT to leave the oven/cooker on when no-one was home.

    1. Anonymous Coward
      Anonymous Coward

      Re: so much automation

      And why hasn't this caught the attention of the home insurance industry? Won't they want to know that ovens are running hot in empty houses?

      Also consider someone putting a roast in there and leaving it all day before it cooks. Aging beef is fine, but not at room temperature!

      1. Richard 12 Silver badge

        Re: so much automation

        A "normal" Aga is never off.

        Presumably they realised that might be bad for home users gas or electric bills, and isn't energy-efficient in any sense of the word.

        Horrible things.

    2. Michael H.F. Wilkinson Silver badge

      Re: so much automation

      Call me mad (or luddite), but I actually prefer being home when something is in the oven, just to keep an eye on things (and occasionally baste things for that crispy skin on chicken, and leg of boar glazed with home-made apple treacle is truly great). I could use the timer on my SMEG oven quite nicely, although that does not cope well with sudden changes to plans. Therefore, I much prefer turning it on when I get home. It takes just shy of 10 minutes to get to its highest working temperature (it also has two ovens in which I can control temperature independently), so I really, really do not see the need of remote control. The ten-minute warm-up time is readily filled with laying the table, chopping vegetables, relaxing after work with a beer, or even talking to members of the family.

      I have nothing fundamentally against remote control, but to implement it in this terrible way is mindboggling.

      1. Prst. V.Jeltz Silver badge

        Re: so much automation

        I'd have thought the main advantage of this newfanglery is that finally you can do something about the nagging

        "did I leave the oven on?" feeling, and turn it OFF

      2. Loud Speaker

        Re: so much automation

        I actually prefer being home when something is in the oven, just to keep an eye on things

        In the 17th century, when these things were invented, you had servants to do that. These days, we have teleworking, so you can do it yourself.

  6. FozzyBear

    El Reg asked Aga if it was going to take this advice, and we've yet to get a substantive response.

    Sorry El Reg, they are currently busy speaking with the fire department after a number of their new, totally cool (or should that be hot), remote controlled ovens spontaneously caught fire.

  7. Brian Miller

    Use a clock timer

    The only secure way for this to work is simply to use a clock timer. Set the clock time, and then set the time for when you'd like the Aga to start heating. Done.

    1. allthecoolshortnamesweretaken

      Re: Use a clock timer

      Set it and forget it!

  8. Anonymous Coward
    Anonymous Coward

    AGA do

    AGA dont

    1. PNGuinn
      Coat

      Re: AGA do

      AGA Can't.

      Well, somebody had to.

      1. Commswonk

        Re: AGA do

        @ PNGuinn:

        AGA Can't.

        Well, somebody had to.

        I was going to until I saw that you had beaten me to it.

        But I was going to say "AGA Khan't".

        1. Kubla Cant

          Re: AGA do

          But I was going to say "AGA Khan't"

          Hey! That's my pun!

    2. Anonymous Coward
      Anonymous Coward

      Re: AGA do

      Push pineapple. Write CV.

      ...

      Sorry. Really sorry. But you started it.

  9. Stoneshop
    Flame

    Not even half-baked security

    Let's hope the developers get roasted (but I'm not holding my breath)

    1. T. F. M. Reader

      Re: Not even half-baked security

      s/developers/product managers/ ?

  10. PTW
    FAIL

    True Sloane Range-r

    First thought was why and how do you i-control something that takes a day to get to working temperature? Then I read it's electric, and thought ouch that's going to cost a bit to leave running 24/7 but still Agas don't really have a 'stat as such.*

    Then I see it draws 30A, so basically a very f@#cking heavy, and enormously expensive cast iron shell around an electric oven for the Chelsea Tractor driving mummies "in town" so they can look the part. Hack away, well text away, my friends, text away!

    *To our friends across the water Agas are traditionally solid fuel or oil, they are cast iron, sectional, built in situ and filled with insulation. With a built-in hot water boiler to use some of the excess heat. The idea being they run at a working temperature 24/7

    1. H in The Hague

      Re: True Sloane Range-r

      "Then I see it draws 30A, so basically a very f@#cking heavy,"

      Yup. Though it doesn't draw 30 A continuously. Friends of mine have one in their large old house in Ceredigion, sort of makes sense as it keeps the kitchen (where you spend most of your time) warm in winter. When they bought a house in The Hague they wanted to get an Aga there too - until I did a few calculations on the back of an envelope and pointed out that the standing losses of the Aga would be seven times the power consumption for my whole house. Aga: great when and where it was invented (cold Sweden) but no longer relevant for most of us. Though reasonably nice to cook with once you get used to it.

      1. Tom 7

        Re: True Sloane Range-r

        I think one of the things people don't seem to realise about the permanently on Aga is it is nowhere near as inefficient as people make out. If it's properly looked after (the internal insulation needs checking every few years or so) it will just sit quietly in the corner keeping your house warm. Not hot - with an Aga you can get by with it several degrees cooler, as once it's up and running and temperatures are stable you don't have the cold wall heat sinks that you get with a normal on-off heating system, so it actually feels warmer than it is. We have ours on nearly half the year over winter and it provides us with heating, hot water and cooking over the coldest part of the year for pretty much the same oil use as our high-efficiency boiler provides hot water and ad-lib heating the rest of the year.

        1. Roland6 Silver badge

          Re: True Sloane Range-r

          >Not hot - with an Aga you can get by with it several degrees cooler, as once it's up and running and temperatures are stable you don't have the cold wall heat sinks that you get with a normal on-off heating system, so it actually feels warmer than it is.

          The problem is that you do need a house with sufficient thermal mass in the right place, namely an internal wall and chimney stack, so the Aga can heat it up - something missing in the vast majority of modern houses (ie. post-WWII). Interestingly, if you go off grid and seriously look at alternative energy/zero carbon houses, you discover that thermal mass is a handy thing to have.

    2. phuzz Silver badge
      Flame

      Re: True Sloane Range-r

      We used to have a cheap Aga-like oven in the house where I grew up, although this was a solid fuel (ie wood and coal) fired one. During the winter we had to keep it burning constantly, because it was the only source of heat in the whole house, even in the UK, there's a risk of freezing to death if you have no heating during a cold snap.

      There's also another use for an Aga that no one has mentioned. They typically have several doors, opening on compartments at different temperatures, one of which is around 30-40C (I guess it's supposed to be for warming one's plates or somesuch). Farmers use this to incubate lambs that have been abandoned by their mothers. Maybe you own a jumper that started its life snuggled inside an Aga?

    3. Anonymous Coward
      Anonymous Coward

      Re: True Sloane Range-r

      I used to sell them (I got a better job and left with no hard feelings) and I really liked the way it cooked food. Couldn't afford one myself but they are definitely a status symbol. My American friends all asked if I could get them a discount because they all wanted one. You don't have to leave the Total Control on all day; you can program it with a timer and have it come on when you get home or have it on half temp during the day. Never heard of the iTotal Control though; it must have come in well after I left, as the Total Control was only being launched just as I was leaving.

  11. allthecoolshortnamesweretaken

    Just remember, folks - the "S" in "IoT" is for security.

    1. Lee D Silver badge

      And the H in this instance is for Hydrant?

  12. Dan 55 Silver badge

    Presumably there's no way to fix this other than a recall...

    ... as a software update by concatenating text messages in base64 is a rather expensive option.

    1. PNGuinn
      FAIL

      Re: Presumably there's no way to fix this other than a recall...

      Just pull the bloody SIM. Job done.

  13. T. F. M. Reader

    The cost of security

    Did I read it right? You really can make your IoT more secure by paying £6/mo less? Or will the bloody oven become inoperable without the mobile connection?

  14. Anonymous Coward
    Anonymous Coward

    Fools and their money

    modern Agas are crap.

    Sorry,

    Very expensive crap.

    My Gran's old (1950's) AGA was great. On all day (solid fuel) and heated the whole house and this was before average houses had central heating. Heated the water as well.

    New ones are just shiny status symbols for people with more money than sense.

    When we were buying a new house last year, we looked at several with expensive AGA or look alikes. I asked one owner about the running costs. She looked coy before saying that she never used it. "It came with the house and we can't afford to have it ripped out."

    We didn't buy a house with a 'range cooker'.

    Very expensive crap.

    YMMV

    1. Mystic Megabyte
      Happy

      Re: Fools and their money

      Had an oil (wick burner) Aga here that was converted from coal. That has been replaced with an Everhot electric Aga look-alike. It plugs into a 13 amp socket and is on 24/7. It uses some of the juice from the 6kW wind turbine that's making about £6000 a year. Getting the Everhot installed here on this remote island cost, coincidentally, £6000. YMMV. It has no internet connectivity. Recommended.

      http://www.everhot.co.uk/

      1. John Arthur
        Happy

        Re: Fools and their money

        Agreed! I can't imagine why anyone would downvote you. My parents had an oil-fired Aga back in the seventies. It kept their 550 year old Welsh stone farmhouse warm as well as heating the water and being fabulous at cooking. I got an old solid fuel Aga as soon as I had a big enough house. It was converted to gas and kept me spoilt for 20 years. When we moved to another old house in Wales which has no gas I was tempted to get an old oil-fired one and recondition it. Then I found the Everhot website and, after visiting them and talking to their techie, I was convinced and we have had ours working for nearly 5 years now with no problems. Works off a 13A socket and costs perhaps £8 a week. Much better built than an Aga too. No problems with remote control either! Now, remind me, where's the IT angle again?

    2. JimboSmith Silver badge

      Re: Fools and their money

      Reminds me of this:

      http://www.alexcartoon.com/cartoons/6264_15012014.gif

  15. Anonymous Coward
    Anonymous Coward

    Good luck updating the oven if its only connection is SMS.

    Does it have a USB port? Probably not.

    I'd say this oven's goose is cooked or not.

    Definitely not cooking on gas.

    1. kmac499

      Tut tut, USB port on an AGA?, surely a 15 pin RS232 would be more in keeping with the ambience.

      AGAs: great for reviving new born lambs in the bottom oven. Plus if the lamb snuffs it you just leave it in for a couple of days and hey presto, beautiful suckling lamb roast.

      1. Down not across

        Tut tut, USB port on an AGA?, surely a 15 pin RS232 would be more in keeping with the ambience.

        15? Surely you mean 25-pin. Or did you mean the new fangled 9-pin?

        1. kain preacher

          http://www.aggsoft.com/rs232-pinout-cable/modem-db9-to-db15.htm

          1. Down not across

            @kain

            <pedant>The connector in that picture is DE-15, not DB-15</pedant>

            The only kit I ever recall using DE-15 for serial communications were early Macintoshes that used it for RS-422 (yes, it is possible for it to operate as RS-232) before they went with the 8-pin Mini DIN.

            Rather obscure one, so points to OP for picking one that tripped my memory up. :)

            1. kain preacher

              Re: @kain

              D'oh. I've seen DB-15 for weird auto stuff.

  16. swright75

    "Security and account registration also involves our M2M [machine-to-machine] provider. We take such issues seriously", well obviously not! For a start their site (http://www.agatc.co.uk) which requires a username and password doesn't even use basic SSL/TLS. Also the site appears to be running on an IIS 6 server (which was EOL'd back in 2015).

    1. Dan 55 Silver badge

      Business which knows nothing about what it's getting into except it wants to do a shiny app thing goes to 3rd party who proceeds to sell them snake oil.

  17. Okidoki

    Disclosure

    The original article on the penetration tester's website

    https://www.pentestpartners.com/blog/iot-aga-cast-iron-security-flaw/

    ends with a number of paragraphs about how it was hard to get a decent response from AGA to the issue.

    I think the challenge of presenting such security flaws to an organisation is a story here. How do you get the right attention without resorting to public disclosure? This story also shows the lack of risk assessment and foreseeable misuse undertaken at design time by the rush to IoT everything in sight.

    1. Captain Badmouth
      Holmes

      Re: Disclosure

      "it was hard to get a decent response from AGA"

      That's due to the inertia of all that heavy metal.

  18. Anonymous Coward
    Anonymous Coward

    Doh!

    Need I say more?

    1. wolfetone Silver badge

      Re: Doh!

      Maybe, Dough?

  19. Anonymous Coward
    Facepalm

    Action Point AGA’s new iPhone App that controls oven remotely

    They could have at least designed the AGA to be registered to a particular phone and using a pseudo random token to control the oven. What are they teaching them in computer school lately?

    "AGA users who don't have any of these devices can still take advantage of these unique benefits by simply sending a text message to their AGA. You just tell the cooker via the app or SMS text message which oven you want activated and it will respond by letting you know it has been switched on or off." link mirror

  20. Anonymous Coward
    Anonymous Coward

    A new name

    I propose a new name for these types of devices. Insecurely Designed Internet Of Things, or IDIOT for short, because that's what you have to be to buy one of these devices.

  21. kain preacher

    Holy fuck I don't think those would be legal in the US. Always on and power regs. I thought the UK had better product safety than the US?

    takes a look to see if they are in the US.

    https://www.ajmadison.com/cgi-bin/ajmadison/ADC3E.html

    Holy fucking shit $13k and the next model up is $18k

    1. Phil O'Sophical Silver badge
      Coat

      Holy fucking shit $13k and the next model up is $18k

      Ah, you get the cheap models...

      1. kain preacher

        I noticed.

  22. Anonymous Coward
    Alert

    We had a similar hacking problem at Word Merchant Acres

    Someone spoke to our head cook and gave her a 'hacked' dinner order. No two-factor authentication or verification protocol in place, so she just went ahead and instructed the kitchen staff to cook rabbit stew when in fact I wanted toad in the hole just like Mummy made. I was very, very cross indeed. Now cooksy has to confirm all menu-based instructions with the butler, which has fixed everything.

    So I completely understand what Aga owners are going through, even though I've never set foot below stairs, of course.

  23. Anonymous Coward
    Anonymous Coward

    Security

    The [software] developers are somewhat limited by the capabilities of the device. I'd imagine that these are fairly simplistic modems + microcontroller with not a lot of memory to work with. A full-on SHA implemented algorithm is likely beyond the hardware though some kind of hash should have probably been used - assuming the hardware side used it.

    It's all very well saying something like this should be locked down but easier said than done. At the end of the day, it's up to the device manufacturer to provide the functionality, and software to ensure it gets used.

    1. cybergibbons

      Re: Security

      There was no reason, in 2012, to put a device in that was so limiting.

      1. Anonymous Coward
        Anonymous Coward

        Re: Security

        Yes, there is: cost. Even in 2017, the main benefit of IoT is the cheapness of the sensors and edge processing. These are still very limited devices in what they can do, with KB of memory to work with, at best. Anything larger and your per device cost goes from £10s to £100s or more very quickly.

        1. ZSn

          Raspberry pi zero w £9.60

          1. Anonymous Coward
            Anonymous Coward

            The Raspberry Pi isn't designed or intended for commercial use though; you're right, it technically could have been used in this scenario. Generally speaking, most electronics of this nature is custom for the intended purpose, which means higher costs, both to manufacture and develop for.

            E.g., you can use a R Pi to run a set of traffic lights but you wouldn't roll that out in live production.

          2. cybergibbons

            That's actually a lot of money for most IoT devices, where the entire cost of the device will typically be less than £5. It's got a lot more power than you would ever need, as well.

            That said, there have been Pi-based commercial products, such as the early revisions of this:

            https://www.geniushub.co.uk

        2. cybergibbons

          Re: Security

          This really isn't the case though.

          The PIC18F - which currently only supports SSLv3 and below with weak ciphers - is ~£1.75 in bulk. An ARM Cortex-M3 that costs the same has more functionality and more flash and can support TLSv1.2 with good ciphers.

          Time and time again I see people saying "but the hardware can't do it". It's perfectly possible to design your hardware to the same cost and have the functionality required.

          1. Anonymous Coward
            Anonymous Coward

            Re: Security

            I'll bow to those figures then :-) Was that available in 2012? Either way, perhaps this should be passed onto the hardware guys for review

            1. Mage Silver badge

              Re: Security

              A 50c in volume PIC or ARM cortex can be secure. There is no need for speed / high volume data etc which requires more performance.

              1. Richard 12 Silver badge

                Re: Security

                Indeed, it does not matter if it takes the device several seconds to verify the command.

                The PIC 16F series I was buying almost fifteen years ago would happily do it in the time budget available.

                Even with the internal oscillator.

    2. Mage Silver badge

      Re: Security

      A €1.50 micro-controller can be secure. The issue isn't production cost or development cost, but stupidity.

      No need for SHA either. A big unique private only key can be shared locally, by contact or IR or audio.
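Comment 19 above proposes registering the cooker to one phone and authenticating commands with a random token, and the replies in this thread (cybergibbons, Mage, Richard 12) argue that a cheap microcontroller has ample time to verify such a command using a key shared locally at install time. The block below is an added example written for this page; it is not code from Aga, Action Point, Tekelek, or any commenter. It assumes a constructed message layout (`counter:COMMAND:tag`), a 256-bit key provisioned at the appliance rather than over the air, a single registered owner number, and a monotonically increasing counter so that a captured text cannot be replayed. The tag is a truncated HMAC-SHA256, which is one concrete way to do the hash-based check comment 23 describes; the phone number used is a constructed sample.

```python
import hashlib
import hmac
import secrets

# Constructed design for this example (not Aga's): the cooker holds a 256-bit
# key provisioned locally at install time, plus the one owner phone number it
# will accept commands from. Every SMS body is "<counter>:<COMMAND>:<tag>".
TAG_HEX_LEN = 32            # 128-bit truncated HMAC-SHA256, 32 hex characters
ALLOWED_COMMANDS = {"ON", "OFF"}
HEX_DIGITS = set("0123456789abcdef")


def provision_key() -> bytes:
    """Generate the per-appliance shared secret. Done once, at the appliance."""
    return secrets.token_bytes(32)


def _tag(key: bytes, counter: int, command: str) -> str:
    """HMAC over the counter and command so neither can be altered in transit."""
    msg = f"{counter}:{command}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:TAG_HEX_LEN]


def build_command(key: bytes, counter: int, command: str) -> str:
    """Owner side (app or handset): produce the SMS body for one command."""
    if command not in ALLOWED_COMMANDS:
        raise ValueError("unknown command")
    return f"{counter}:{command}:{_tag(key, counter, command)}"


class CommandVerifier:
    """Appliance side: act only if sender, tag and counter all check out."""

    def __init__(self, owner_number: str, key: bytes):
        self.owner_number = owner_number
        self.key = key
        self.last_counter = 0   # highest counter accepted so far (replay window)

    def verify(self, sender: str, body: str):
        """Return (accepted, detail); detail is the command or a rejection reason."""
        # Sender check alone is weak (caller ID can be spoofed), so it is only
        # the first filter; the tag is what actually authenticates the command.
        if sender != self.owner_number:
            return False, "unregistered sender"
        parts = body.split(":")
        if len(parts) != 3:
            return False, "malformed"
        counter_s, command, tag = parts
        if not (counter_s.isascii() and counter_s.isdigit()):
            return False, "malformed"
        if command not in ALLOWED_COMMANDS:
            return False, "malformed"
        if len(tag) != TAG_HEX_LEN or not set(tag) <= HEX_DIGITS:
            return False, "malformed"
        counter = int(counter_s)
        # Constant-time comparison; an unauthenticated message is rejected
        # before any state (the counter) is consulted or changed.
        if not hmac.compare_digest(tag, _tag(self.key, counter, command)):
            return False, "bad tag"
        # Strictly increasing counter: a captured, valid text cannot be resent.
        if counter <= self.last_counter:
            return False, "replay"
        self.last_counter = counter
        return True, command


if __name__ == "__main__":
    # Constructed sample: an Ofcom drama-range number stands in for the owner.
    owner = "+447700900123"
    key = provision_key()
    cooker = CommandVerifier(owner, key)
    sms = build_command(key, 1, "ON")
    print(cooker.verify(owner, sms))            # accepted
    print(cooker.verify(owner, sms))            # same text again: replay
    print(cooker.verify("+447700900999", sms))  # other number: rejected
```

The verifier rejects in the order an appliance would want: unknown sender, then malformed input, then a tag mismatch, and only then the replay check, so a message that fails authentication never advances the counter. An acknowledgement text back to the owner (which the product is described as sending) would be built the same way with a separate key direction, so that a forged reply cannot be mistaken for the cooker's own.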

  24. This post has been deleted by its author

  25. This post has been deleted by its author

  26. Anonymous Coward
    Anonymous Coward

    Contact

    @El Reg, the article states that an attempt was made to contact Aga. Did anyone try to give a heads up to Action Point or Tekelek?

    1. cybergibbons

      Re: Contact

      An attempt? At least 10 attempts were made.

      It's very much Aga's responsibility to deal with service providers and hardware vendors involved with their products.

      1. Anonymous Coward
        Anonymous Coward

        Re: Contact

        I agree, but given the lack of response from Aga, perhaps a back door approach of contacting the manufacturer/developer would have allowed them to escalate to Aga internally? Would have been worth a shot rather than just hammering on Aga's door. 20-20 hindsight I guess.

      2. Anonymous Coward
        Anonymous Coward

        Re: Contact

        At least 10 attempts were made.

        Try texting them. Or one of their ovens.

    2. Anonymous Coward
      Anonymous Coward

      Re: Contact

      "Did anyone try to give a heads up to Action Point or Tekelek?"

      Why would that be relevant?

      Does existing (but largely unenforced) 'product liability' legislation in the UK and elsewhere say where the finger should initially be pointed?

      "Under the CPA, the 'producer' of a product is liable for any defects. The producer is the manufacturer of the finished product or of a component of the finished product, or any person responsible for an industrial or other process to which any essential characteristic of the product is attributable. Liability may also be imposed on any party who holds itself out to be the producer through the use of a name or trade mark, and any person who imported the product into the European Community.

      As such, there may be more than one party liable under the CPA in respect of the same damage. Liability is joint and several, so the injured party may sue any or all of these people. Liability cannot be excluded or limited."

      from

      https://www.out-law.com/topics/commercial/supply-of-goods-and-services/product-liability-under-the-consumer-protection-act/

      Time a bit more of this stuff was actually *enforced*. If the normal enforcers (Trading Standards) are too busy to enforce it themselves (e.g. because they're busy trying to force Kodi off the market for some reason), who else is in a position to sort matters out?

      Who reckons the directors at Aga Rangemaster Ltd might have these installed?

      https://beta.companieshouse.gov.uk/company/00354715/officers

      Three named directors, two listed in Illinois where the parent company (The Middleby Corporation) are based, one in Spain, none in the UK. So the directors probably *don't* have the product in question installed in their own homes.

      1. jjsunderland

        Re: Contact

        Well about liability, if it ends out being with Aga or Action Point, BBC quotes Aga as saying:

        "Aga Rangemaster operates its Aga TC phone app via a third party service provider," Aga said in a statement.

        "Security and account registration also involves our [machine to machine] provider.

        "We take such issues seriously and have raised them immediately with our service providers so that we can answer in detail the points raised."

        So it sounds like Aga is passing the buck to Action Point (or Tekelek). It won't be easy to fix either, the vulnerability is in the wild and may have to be physically replaced (if the hardware is not powerful enough as suggested elsewhere in these comments.)

        And I see the link in the original el-Reg article to the Action Point Aga case study is now gone from the Action Point website...

        1. Anonymous Coward
          Anonymous Coward

          Re: Contact

          Not quite, Action Point weren't mentioned explicitly there. It's likely they're well on the back foot not having much notice or time to react to this. As an aside, how come the OP reported this publicly after 2 weeks - I thought 30 days was the norm? Or am I missing something?

  27. Jay 2

    Aga Saga

    I always thought Agas were on all the time, but I've learnt from these very pages that's the old ones. It would appear the newer 'leccy ones are a different beast.

    I'm not a great fan of all this IoT stuff, for the usual reasons. Can't say I'd ever really want to switch my cooker on when I wasn't there. I don't like having such appliances on when I can't keep an eye (or nose) on things.

  28. TWB

    OK, daft question

    How does a hacker* find out the phone number of SMS device in the cooker? (other than by asking the owner)

    *if I was a hacker I would find this a bit of a dull 'hack' to carry out - great, I can switch someone's Aga on or off.

    1. cybergibbons

      Re: OK, daft question

      Specifically, in this instance, the user interface of the Aga web application allows enumeration of registered numbers.

      With most M2M products, the numbers are allocated from groups. I have often seen numbers sequentially allocated in similar products.

    2. Mage Silver badge

      Re: OK, daft question

      Hack the Mobile supplier.

      SMS messaging computers can be / have been hacked, exposing source & destination numbers and queued messages.

      Or listen to the mast near person you don't like.

      Clear text SMS is madness to control ANYTHING. It's the principle of it, not how attractive a target it is.

    3. John Brown (no body) Silver badge

      Re: OK, daft question

      "*if I was a hacker I would find this a bit of a dull 'hack' to carry out - great, I can switch someone's Aga on or off."

      I wonder how many there are installed in the UK? It seems from the article that collecting a list of the phone numbers for all of them isn't all that difficult. Are there enough to cause issues if every iTOTAL Aga in the UK all turned on at once during peak demand? Like a really cold winter's day in December when pretty much the entire country also happens to be becalmed, nary a windmill stirring.

  29. The Real Tony Smith

    They just have to get the Cloud involved!

    'the app talks to the website's backend via an API, which sends the text messages to registered ovens'

    Ummm, why not just let the app on the phone send the text messages?

    1. Anonymous Coward
      Anonymous Coward

      Re: They just have to get the Cloud involved!

      Because that would cost the customer. While in principle, charging someone who can afford an 18K+ cooker would seem like a good idea, it's also a good idea not to p*** off a customer who has paid out a chunk of change. Aga swallow the cost of the text messages.

  30. Anonymous Coward
    Anonymous Coward

    hmmm

    Well, this article seems to have had an effect anyway. The site http://www.agatc.co.uk/ is currently down. I suspect updates/upgrades are in progress as we speak...

  31. Roland6 Silver badge

    Nothing new here really..

    "Miscreants can remotely turn off and on posh Aga ovens via unauthenticated text messages, security researchers have warned.

    All the hijackers need is the phone numbers of the appliances."

    The use of SMS or even simple dialup to control devices such as hall heating systems has been around for some decades: If you know the phone number you can turn the heating on/off in my local village hall.

    1. cybergibbons

      Re: Nothing new here really..

      I doubt your village hall has a website allowing its number to be enumerated though?

  32. Jonathan 27

    How many people would pay a monthly fee to connect their oven?

    1. King Jack
      Holmes

      Re: How many people would pay a monthly fee to connect their oven

      The same fools that would pay British Gas £9 to fiddle with a thermostat.

  33. John Smith 19 Gold badge
    Boffin

    Aga. The cooker you'd design if you were a blind Nobel prize winning physicist

    Which is who did design it.

    No hassle, fail safe cooking.

    Designed by a man for men to cook with. *

    Now I'd say Agaphiles come in 2 types. The hard core minimalists and the trendies. I can't see the hard core buying one of these (why would turn an Aga off?). The trendies OTOH bought theirs because everyone was doing it. So they'll buy this IoT b***ocks if they can be convinced it's "the next big thing."

    *As for energy efficiency at circa £5K a pop they are built like tanks and flooded with insulation. It may take a while to get up to operating temperature(s) but having done so I expect it to "cruise" with fairly low heat input.

  34. Mage Silver badge

    SMS

    SMS can be done securely.

    This though is daft.

    Also it's often big posh houses in cities that have them, only very old models in ancient rural kitchens.

  35. Anonymous Coward
    Anonymous Coward

    Out of the frying pan...

    ...and into the oven.

  36. Anonymous Coward
    Anonymous Coward

    Rangemaster - just don't

    We made the mistake of getting a Rangemaster some years ago. The control knobs fall off, one half of the grill has died and I can't be bothered to fix it and I'm not getting them in, the build quality ain't great, and the hot plate isn't. Should have gone Belling. We have two sets of friends with them and they're amazing so when we re-do the kitchen that's what I'm getting.

    1. John Arthur
      Thumb Up

      Re: Rangemaster - just don't

      Indeed, the Rangemaster group must have paid over the odds for Aga/Rayburn when they were fashionable only to see their investment collapse as the greens took over and pilloried Aga and Rayburn users. Mainly Aga users as they were perceived as being well off and thus a target for envy. All the modern stuff from Rangemaster seems to be afflicted. I recently bought a Leisure sink for our new kitchen. The one I bought nearly 30 years ago for our old house was well made and still going strong when I sold it. The new sink is poorly made and very badly finished. No more Rangemaster stuff for me!

  37. Anonymous Coward
    Anonymous Coward

    XMPP

    If there was a case for using locked down XMPP, this is it.

  38. jonnycando
    Devil

    I have a better way.....dig shallow hole....toss in wood, charcoal and something incendiary to facilitate lighting....set afire, when reduced to hot glowing coals, wrap food in tinfoil, place in coals and cook. When food done, eat!

  39. kain preacher

    For what these ovens cost there is no excuse. Let's say it cost an extra $5 per oven. The type of person to buy this oven would not care if you raised the price by $100. This is the same as a $35,000 car breaking because the manufacturer wants to save a few pennies on bolts.

  40. Herby

    But will it...

    Cook Pizza?

    In reasonable time?

    My nice USA electric oven can whip out a pizza in about 20 minutes from a cold start. If you start the oven as you order the take & bake one, it can take less, as the travel time is about the same as the warm up.

    Get out the beer and have at it. Don't need this multi-door monstrosity that thinks it is hot all the time. How do you clean the beast?

    1. Dan 55 Silver badge

      Re: But will it...

      Presumably the housemaid takes care of everything.

      1. Captain Badmouth
        Coat

        Re: But will it...

        "Presumably the housemaid takes care of everything."

        Nonsense, she's in the workhouse having been impregnated and thrown out by the squire.

        Mine's the red one with the horn and hampton plaited whip in the pocket, thanks..
