posted by mrpg on Friday April 14 2017, @10:20PM
from the color-me-unimpressed dept.

Ken Munro of Pen Test Partners describes his investigation of the AGA Total Control oven, which can be controlled remotely with an app, via GSM. Munro found that:

  • the app uses HTTP rather than SSL
  • there was a potential for telephone numbers associated with the ovens to be enumerated
  • the app allowed passwords as short as five characters
  • "it would be trivial" to turn someone else's oven on and off
  • the control system could be misused to send SMS messages to mobile phones

According to the researcher,

Disclosure was a train wreck. We tried Twitter, every email address we could find and then rang them up. No response to any of the messages we left.
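Two of the findings above, the five-character passwords and the ability to enumerate which telephone numbers have an oven attached, are fixable on the server side. The following is an added illustration, not code from the Pen Test Partners write-up or from AGA: a minimal registration and login handler that enforces a minimum length and answers identically whether or not a number is enrolled, so neither the response text nor the hashing time reveals enrolment. The 12-character minimum, the function names and the sample phone numbers are assumptions, not values from the article.

```python
"""Added example: enumeration-resistant enrolment with a password policy.
Not the product's code; minimum length, names and sample data are assumed."""
import hashlib
import hmac
import os
import secrets

MIN_PASSWORD_LENGTH = 12   # assumption; the article only reports that 5 was accepted
GENERIC_REPLY = "if this number is eligible, a confirmation will be sent"

# Constructed in-memory store: phone -> (salt, pbkdf2 hash). Not real numbers.
_USERS: dict[str, tuple[bytes, bytes]] = {}


def _hash(password: str, salt: bytes) -> bytes:
    """Slow salted hash so stolen records cannot be brute-forced cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def password_policy_ok(password: str) -> bool:
    """Reject anything shorter than the policy minimum."""
    return len(password) >= MIN_PASSWORD_LENGTH


def register(phone: str, password: str) -> str:
    """Return the same message whether or not the number is already enrolled.

    A distinct 'already registered' reply would let a caller test numbers
    one by one; here an existing account is left untouched (a real system
    would notify its owner out of band) and the reply never differs.
    """
    if not password_policy_ok(password):
        return "password too short"
    if phone not in _USERS:
        salt = os.urandom(16)
        _USERS[phone] = (salt, _hash(password, salt))
    return GENERIC_REPLY


# Dummy record so unknown numbers still pay the full hashing cost.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)


def login(phone: str, password: str) -> bool:
    """Constant-shape check: unknown numbers are hashed and compared against
    a dummy, so response timing does not reveal whether the number exists."""
    salt, stored = _USERS.get(phone, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash(password, salt)
    return hmac.compare_digest(candidate, stored) and phone in _USERS


if __name__ == "__main__":
    print(register("+15550100", "short"))                        # rejected by policy
    print(register("+15550100", "correct horse battery staple"))  # enrolled
    print(register("+15550100", "another long passphrase!"))      # same reply, no change
    print(login("+15550100", "correct horse battery staple"))     # True
    print(login("+15550199", "correct horse battery staple"))     # False, same timing
```

The transport finding (plain HTTP) is not something a handler can fix; that is a deployment matter of serving the API only over TLS and having the app refuse cleartext.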

  • (Score: 2) by kaszz on Friday April 14 2017, @10:58PM (10 children)

    by kaszz (4211) on Friday April 14 2017, @10:58PM (#494218) Journal

    After the rogue dishwasher [soylentnews.org] the expectations are kind of low. Suggestion to tech people.. Buy the simplest model, go DIY controller; it's plain safer and cheaper. Besides, the phone network devices usually lack firewall capability, as in this case. There's a hint in the report: "digging deeper, it turns out that a physical module is added to the Aga. It contains a GSM SIM," so it should be possible to make one's own module and get rid of the issues, getting a better solution with better usability and more security at the same time.

    AGA's feedback with Twitter blocking and "not available" on email or phone is just deplorable. When an oven gets remotely turned on using 30 amperes it can seriously burn down whatever is around.

    This vulnerability also looks like the smartphone remote update [soylentnews.org] that wouldn't encrypt or authenticate the touch screen keyboard updates. Again, big corporations seem to fail badly at security. Especially when it concerns IoT.

  • (Score: 4, Insightful) by Ethanol-fueled on Saturday April 15 2017, @01:10AM (2 children)

    by Ethanol-fueled (2792) on Saturday April 15 2017, @01:10AM (#494251) Homepage

    Jesus Christ. Are motherfuckers so lazy that they can no longer walk to the goddamn kitchen and manually operate their own appliances?!

    " B-but I have to work while cooking that brisket or thanksgiving turkey! "

    If we had a wholesome society where working men earned proper wages and women could be housewives again, we wouldn't be dealing with this kind of idiocy.

    • (Score: 2) by kaszz on Saturday April 15 2017, @01:28AM

      by kaszz (4211) on Saturday April 15 2017, @01:28AM (#494255) Journal

      It's more an expression of people wanting to do other things than maneuvering appliances. And of course an insane culture where work is everything, living is best reduced to some sick years before dying..

    • (Score: 3, Interesting) by VLM on Saturday April 15 2017, @12:50PM

      by VLM (445) on Saturday April 15 2017, @12:50PM (#494382)

      Research Jewish attitudes toward sabbath and ovens. No not those kind of ovens, the boring kitchen kind.

      To make a really long story somewhat simplified and short (so yeah I know this is inexact, but close enough):

      1) For any possible interpretation of ... anything, there is at least one Jew on the ground holding that opinion. Politics, cooking, religion... It's not even anti-semitic to observe that you ask three Jews what the Talmud says about X and you get at least four conflicting answers. It's just how they are.

      2) There exist at least some Jews that see the sabbath rules as not permitting opening and closing of electrical contacts due to something involving fire and a confusion about what fire is vs a spark and a total lack of understanding about electronics.

      3) A subset of the above think it's hilarious to "cheat" their god by programming timers on their ovens. They can control "fire" and oven timers all they want before the sabbath as long as they don't control anything during sabbath itself. So... oy vey what is this my oven turned on for no apparent reason during sabbath, now don't be a pissed off volcano god, but I'm gonna cook my dinner now while carefully not touching any oven controls. Hence the "Sabbath Timer" feature available on even ancient ovens. No this is not a parody, look in your kitchen oven manual, there's probably some manner of "sabbath" feature.

      4) It's a very small extension of the "sabbath timer" feature to include an iphone app that controls your oven. As per #1 above and #2 above there exist at least some Jews that will believe operating the oven via the iphone app "cheats god" to get around the sabbath fire rules. Technically you can manipulate an app with a touch screen resulting in no sparks and you can control heating elements since the 90s or so with solid state relays so you could build the phone into the oven as a touch screen and to a non-Jew like me that sounds like a reasonable solution but see #1 above so ...

      Aside from the Jews I bet most of the users will be OCD people who go to work and ponder if they shut off the teapot or not.

      I would suspect that much like "smart TVs" most of the purchasers will never use the feature, never even set it up. The blinking VCR 12:00 of the 80s/90s is the "smart appliance" today. It's not that the buyer wants it or knows how to use it or ever uses it, it's that you won't be able to buy a $2000 status symbol oven without it, which results in deployment of shitty "smart" appliances.

  • (Score: 1) by anubi on Saturday April 15 2017, @06:48AM (6 children)

    by anubi (2828) on Saturday April 15 2017, @06:48AM (#494323) Journal

    You can put an Arduino in just about anything.

    You can know exactly what you programmed it to do.

    I consider the Arduino and its ilk about the last trustworthy systems on this planet.

    If the task is too heavy, consider pairing it with one or more Propeller chips.

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
    • (Score: 2) by lentilla on Saturday April 15 2017, @09:15AM (2 children)

      by lentilla (1770) on Saturday April 15 2017, @09:15AM (#494349)

      It's not the Arduino that is the issue - it's switching and wiring the mains safely that has always been my problem. Three dollars of Arduino and then thirty, forty, plus dollars of relay, opto-isolator, plug, socket, fuse and mounting hardware.

      • (Score: 2, Interesting) by anubi on Saturday April 15 2017, @10:37AM

        by anubi (2828) on Saturday April 15 2017, @10:37AM (#494362) Journal

        That is my experience cost-wise as well.

        The processor often represents less than ONE percent of the system!

        You oughta see the effort I am putting into using Arduino as the Powertrain Control Module in my van! The core ATMEL system represents a minuscule fraction of the investment of resources. Very minuscule. Even the power supply is several orders of magnitude more time consuming to design ( current-mode SMPS flyback design, works from 5V to 150V input, so inductive kickbacks or alternator load dump surges won't damage it. Vehicle power can be nasty! ). I used to work on aerospace stuff, so doing this is exactly what I used to do for the military.

        And building all the interfaces... all isolated I2C. Drives all the solenoids controlling the transmission as well as stuff like fuel pumps and injection pump solenoids.

        Monitor all currents to make sure that all loads are accepting the proper current. Very critical for the transmission. An erroneous solenoid command sent to a transmission in the wrong state has severe consequences. So that means special discrete supervisory logic so even the computer can't mistakenly issue fatal commands.

        Why Arduino anyway? I do not need to be fast. I want the whole thing computationally simple. And I need to trust it.

        And because this old van is made before the latest anti-theft technologies, I want to incorporate some of my own into it so it will "phone home" in the event it thinks it may be stolen, as well as throw numerous monkey wrenches into any theft attempts. Things like deliberately shutting down the fuel pump so the injector pump will suck air up the fuel return line, which will now require someone to physically purge the air back out of the injectors before they will work again.

        I also want to program it to do odd things for me like allow the engine to continue to run, even though I have removed the key. But the instant anyone takes it out of "park", instant shutdown. This is for use for short stops where I don't really want to do a lot of restarts but need to leave for a couple of minutes. And have microwave sensors ( repurposed supermarket door sensor ) that know when anyone is around the van and wake up the electronics and text me on my phone. Kinda selfish here, but I am also coding it so I log on in morse code to start the van. Just to make the thing useless to anyone else but me. Or else people will put me on the spot wanting to borrow it all the time. I want to make sure if it goes, I go with it. It will also do things like make sure I don't walk off with the lights on, engage the starter when the engine is running, make sure no current is flowing in the main battery circuits before it shuts completely down, and tell me if anything goes amiss during operation.

        I don't want a "check engine" light. I want the offending sensor identified and its reading displayed. Even to the point of having a built-in oscilloscope to aid in letting me troubleshoot - as God knows where I may be when something goes amiss. It's amazing how much information I can glean from the little variable reluctors which sense engine speed and drive shaft speed, when you apply DSP techniques for analyzing instantaneous rotational velocities over the engine cycle, or knowing the exact gear ratio of the transmission and counting the tooth passes across the reluctors. Any slippage is quite apparent, and revealed before a several thousand dollar transmission is trashed.

        --
        "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
      • (Score: 2) by kaszz on Saturday April 15 2017, @12:54PM

        by kaszz (4211) on Saturday April 15 2017, @12:54PM (#494384) Journal

        Consider modifying the existing hardware, including replacing the microcontroller.

    • (Score: 2) by kaszz on Saturday April 15 2017, @12:08PM (2 children)

      by kaszz (4211) on Saturday April 15 2017, @12:08PM (#494374) Journal

      ARM32 is untrustworthy?

      • (Score: 2, Interesting) by anubi on Saturday April 15 2017, @12:20PM (1 child)

        by anubi (2828) on Saturday April 15 2017, @12:20PM (#494376) Journal

        I have not used any ARM32 yet, so I have to plead ignorance here.

        My initial bias is if it requires any proprietary binaries - along with the words "hold harmless", my red flags go up.

        The only "larger system" OS I much trust is Micrium's uCOS series. But that's largely my impression, not experience.

        --
        "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
        • (Score: 2) by kaszz on Saturday April 15 2017, @01:06PM

          by kaszz (4211) on Saturday April 15 2017, @01:06PM (#494387) Journal

          Who says "hold harmless"?

          This all reminds me of Raspberry.. blob.