Aga is an iconic European over-maker famous for a longstanding, ostentatious design that required the owner to burn fuel around the clock to maintain temperature across the cooker's titanic thermal mass, so much so that owners of British country homes integrated them into their household heating systems.
Aga updated its stoves by adding networking capabilities to them, which would allow Aga owners to activate the arduous pre-heating sequence by SMS or web (the web interface is just a SMS gateway that sends texts to your cooker — the device has no IP-based connectivity, only a SIM that sends and receives text messages).
Predictably, this is a horrible security mess. Enumerating the list of all Aga cookers would be trivial. The interfaces themselves only allow 5-digit passwords, also trivial to brute-force. Worst of all: there is no validation step. Once you know the phone number and password for a cooker, you can completely control it.
Predictably, Aga is one of the many companies that ignored increasingly urgent warnings about the defects in its products. At least they didn't threaten to sue over disclosure (yet).
Pen Test Partners, who did the Aga research, found that this terrible SMS-based networking comes from a vendor that also supplies monitoring for heavy remote infrastructure like oil storage tanks, and speculate that these security flaws may go a lot further than status-displaying appliances.
You probably know it takes hours for an Aga to heat up. Switch it off, annoy the hell out of people.I suppose it would make my Aga rather more efficient. By never being on…
One could also power up people’s Agas when they’re not looking, wasting electricity. They draw around 30 Amps in full heat-up mode, so if you could switch enough Agas on at once, one could cause power spikes. That’s a bit fanciful though.
The web interface also lends itself to spamming the hell out of people using SMS at Aga’s expense.
Disclosure was a train wreck. We tried Twitter, every email address we could find and then rang them up. No response to any of the messages we left.
Come on Aga, sort it out. This isn’t acceptable. Get rid of the silly SMS based remote control module and put in a nice secure Wi-Fi enabled module with mobile app.
We believe that a business called Action Point (link opens PDF) led the integration project. This led us on to the GSM module which we think is manufactured by Tekelek. Tekelek have a history in remote monitoring of oil storage tanks, heating systems, process control and medical devices among many things. These appear to be monitored using SMS, so I wonder where else this bizarre unauthenticated text messaging process might lead…
Cast Iron Security [Ken Munro/Pen Test Partners]