SoylentNews is people

posted by mrpg on Friday April 14 2017, @10:20PM
from the color-me-unimpressed dept.

Ken Munro of Pen Test Partners describes his investigation of the AGA Total Control oven, which can be controlled remotely with an app, via GSM. Munro found that:

  • the app uses HTTP rather than SSL
  • there was a potential for telephone numbers associated with the ovens to be enumerated
  • the app allowed passwords as short as five characters
  • "it would be trivial" to turn someone else's oven on and off
  • the control system could be misused to send SMS messages to mobile phones

According to the researcher,

"Disclosure was a train wreck. We tried Twitter, every email address we could find and then rang them up. No response to any of the messages we left."

  • (Score: 2, Interesting) by anubi on Saturday April 15 2017, @10:37AM

    That is my experience cost-wise as well.

    The processor often represents less than ONE percent of the system!

    You oughta see the effort I am putting into using Arduino as the Powertrain Control Module in my van! The core ATMEL system represents a minuscule fraction of the investment of resources. Very minuscule. Even the power supply is several orders of magnitude more time consuming to design (current-mode SMPS flyback design, works from 5V to 150V input, so inductive kickbacks or alternator load dump surges won't damage it. Vehicle power can be nasty!). I used to work on aerospace stuff, so doing this is exactly what I used to do for the military.

    And building all the interfaces... all isolated I2C. Drives all the solenoids controlling the transmission as well as stuff like fuel pumps and injection pump solenoids.

    Monitor all currents to make sure that all loads are accepting the proper current. Very critical for the transmission. An erroneous solenoid command sent to a transmission in the wrong state has severe consequences. So that means special discrete supervisory logic so even the computer can't mistakenly issue fatal commands.

    Why Arduino anyway? I do not need to be fast. I want the whole thing computationally simple. And I need to trust it.

    And because this old van was made before the latest anti-theft technologies, I want to incorporate some of my own into it so it will "phone home" in the event it thinks it may be stolen, as well as throw numerous monkey wrenches into any theft attempts. Things like deliberately shutting down the fuel pump so the injector pump will suck air up the fuel return line, which will now require someone to physically purge the air back out of the injectors before they will work again.

    I also want to program it to do odd things for me like allow the engine to continue to run, even though I have removed the key. But the instant anyone takes it out of "park", instant shutdown. This is for use for short stops where I don't really want to do a lot of restarts but need to leave for a couple of minutes. And have microwave sensors (repurposed supermarket door sensor) that know when anyone is around the van and wake up the electronics and text me on my phone. Kinda selfish here, but I am also coding it so I log on in Morse code to start the van. Just to make the thing useless to anyone else but me. Or else people will put me on the spot wanting to borrow it all the time. I want to make sure if it goes, I go with it. It will also do things like make sure I don't walk off with the lights on, engage the starter when the engine is running, make sure no current is flowing in the main battery circuits before it shuts completely down, and tell me if anything goes amiss during operation.

    I don't want "check engine" light. I want the offending sensor identified and its reading displayed. Even to the point of having a built-in oscilloscope to aid in letting me troubleshoot - as God knows where I may be when something goes amiss. It's amazing how much information I can glean from the little variable reluctors which sense engine speed and drive shaft speed, when you apply DSP techniques for analyzing instantaneous rotational velocities over the engine cycle, or knowing the exact gear ratio of the transmission and counting the tooth passes across the reluctors. Any slippage is quite apparent, and revealed before a several thousand dollar transmission is trashed.

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]