Miscreants can remotely turn off and on posh Aga ovens via unauthenticated text messages, security researchers have warned.

All the hijackers need is the phone numbers of the appliances.

The vulnerable iTotal Control models of the upmarket cookers contain a SIM card and radio tech that connects to mobile phone networks. This allows the Brit-built roasters to receive texted commands: these messages can be sent directly to appliances from phones, or via an app or Aga's website, from anywhere in the world.

This means you can order your fancy baking oven to heat up before you leave from work, for instance. According to UK IT security consultants Pen Test Partners (PTP), this feature can be hijacked by villains to meddle with the slow cookers without the owners' permission.

The iTotal Control ovens pick up messages using a Tekelek-branded comms module and a GSM SIM card from UK cellular network EE – which costs £6 ($7.50) a month to keep active. Controlling an Aga by text is a rather odd approach because many of the hefty ovens are out in the sticks without decent cellular reception. The design was implemented by an Irish outfit called Action Point.

Rather than using an SMS-based remote-control system, Aga should have used a secure Wi-Fi-enabled module, according to PTP, which criticized the appliance manufacturer's "bizarre unauthenticated text messaging process."

"Aga's choice of mobile comms costs customers more than £70 extra per year and doesn't help customers in poor mobile reception areas," PTP's Ken Munro noted in an advisory shared with The Register earlier this week. "A Wi-Fi module done right, with a conventional mobile app and API, is unlikely to have cost them much more to develop."

To control someone's Aga, you need the phone number associated with the roaster's SIM card, we're told. The control system makes no attempt to authenticate whoever sent the command texts. This shortcoming clears the way for all sorts of mischief: these electric-powered machines can draw 30 amps tops, so you could run up a small chunk of change on a victim's power bill as well as wasting energy while they are away – or ruining dinner by switching the thing off.

Aga's "register my cooker" webpage generates a different error message depending on whether or not if you enter a number that's previously recognized as one assigned to an iTotal Control cooker. You can exploit this and a similar shortcoming that enumerates owners by their email addresses to, over time by brute force, build up a list of known Aga mobile phone numbers.

With these digits, you can start taking over strangers' ovens from the other side of the world. It's not, admittedly, a gigantic security risk – brute-forcing the list will be time consuming, for one thing – but the situation could have been avoided entirely.

"All you have to do is simply send a text message to the Aga. No authentication. Turn other people's Agas off," Munro told us. "We didn't, but it would be trivial for less-ethical culinary threat actors to do so."

The format of the comma-separated command messages is simple, it seems: a string followed by a sequence number and then the order, e.g.

WebtextPass,35257,Baking Oven On

The official mobile app and Aga's website also use unencrypted HTTP, with no option for HTTPS, which leaves customer information open to eavesdropping on the 'net. For what it's worth, the app talks to the website's backend via an API, which sends the text messages to registered ovens.

Headaches

PTP had all sorts of problems in getting in touch with Aga to report the design flaws, prior to publishing its findings on Thursday. The oven maker's representatives initially told the consultants that "we've had no reports of customers having their Agas hacked" – a response that rather missed the point.

Following proddings from El Reg, Aga's PR folks told us the oven maker is confident its IoT partners have the issue in hand:

Aga Rangemaster operates its Aga TC [Total Control] phone app via a third-party service provider. Security and account registration also involves our M2M [machine-to-machine] provider. We take such issues seriously and have raised them immediately with our service providers so that we can answer in detail the points raised.

PTP told Aga it ought to take down the www.Agatc.co.uk website and address the weaknesses it had identified. El Reg asked Aga if it will take this advice, and we've yet to get a substantive response.

Aga owners should note: this issue affects you only if you have the latest Total Control cooker and bought the remote control option.

The issues discovered by PTP in Aga's ovens add to a growing list of kitchen-related IoT security failings – from insecure kettles to pwnable industrial dishwashers used in hospitals and restaurants. Now you can add smart home ovens to the pile. ®