Ken Munro of Pen Test Partners describes his investigation of the AGA Total Control oven, which can be controlled remotely with an app, via GSM. Munro found that:

the app communicates over unencrypted HTTP rather than SSL

there was a potential for telephone numbers associated with the ovens to be enumerated

the app allowed passwords as short as five characters

"it would be trivial" to turn someone else's oven on and off

the control system could be misused to send SMS messages to mobile phones

According to the researcher,

"Disclosure was a train wreck. We tried Twitter, every email address we could find and then rang them up. No response to any of the messages we left."

Additional coverage: