SoylentNews is people

posted by mrpg on Friday April 14 2017, @10:20PM
from the color-me-unimpressed dept.

Ken Munro of Pen Test Partners describes his investigation of the AGA Total Control oven, which can be controlled remotely with an app, via GSM. Munro found that:

  • the app uses HTTP rather than SSL
  • there was a potential for telephone numbers associated with the ovens to be enumerated
  • the app allowed passwords as short as five characters
  • "it would be trivial" to turn someone else's oven on and off
  • the control system could be misused to send SMS messages to mobile phones

According to the researcher,

"Disclosure was a train wreck. We tried Twitter, every email address we could find and then rang them up. No response to any of the messages we left."

additional coverage:


  • (Score: 0) by Anonymous Coward on Friday April 14 2017, @10:36PM (#494214)

    The post seems, somewhat, like English, but I can't make out a single notion out of it.

  • (Score: 5, Informative) by butthurt (6141) on Saturday April 15 2017, @12:31AM (#494242)

    Explainer:

    app: software that runs on a tablet computer or mobile phone

    GSM: a widely used protocol for cellular networks

    HTTP: the original protocol for the WWW, which doesn't have encryption, hence is easily intercepted or tampered with

    SSL: protocol for the WWW which does have encryption

    "there was a potential for telephone numbers associated with the ovens to be enumerated": an attacker could find out what telephone numbers are being used with the ovens

    "the control system could be misused to send SMS messages to mobile phones": someone could use AGA's site to send harassing or spammy text messages to people's mobiles

    You may also check the stories on BBC News and The Inquirer.