While researching security vulnerabilities in IoT devices with a focus on home security, smart ovens came to mind. What could be worse than an attacker getting into a person’s smart oven and burning their house to the ground? It turns out that exactly this kind of attack exists against a smart oven. The security of IoT devices is an important part of the safety of a user’s home, and I could hardly believe that a flaw exists that lets a malicious user turn on an oven. Suppose a user left dish towels or something else flammable on the range, went off to work, and came home to a house burnt to a crisp because an attacker switched the stove on while they were away. As I research IoT vulnerabilities, it is becoming more and more clear that the companies producing these smart home gadgets are seriously lacking in security testing of their devices. In this document I will cover which oven has this vulnerability, how the attack is executed, and what a user can do to prevent it from burning down their house.
The smart oven with this vulnerability is the AGA Range Cooker; the vulnerability was discovered by Pen Test Partners. These range cookers are very expensive, so you would expect the company to have done extensive security testing on its appliances, but that does not seem to be the case. Pen Test Partners say they tried to disclose the vulnerability to AGA through Twitter and AGA blocked them; they finally got through to AGA via its technical support (Laidlaw, 2017). It was important for Pen Test Partners to contact AGA before disclosing the vulnerability so that something could be done about it before the information got into the wrong hands. A flaw that lets a malicious user burn your house down could seriously tarnish a company’s name, yet AGA seems very reluctant to fix it. This oven draws a maximum of 30 amps, which is enough to burn a house down. Owners of this oven should know that if they have the latest model with the remote control option, they could be a victim of this kind of attack (Leyden, 2017).
The attack on this smart oven uses an unauthenticated SMS, the same kind of message the oven’s mobile application sends from the user’s phone. The oven has a SIM card that costs the user around 5 dollars a month. A user can send a command that turns on all of the burners at once, and because the SMS from the mobile application is not authenticated, a malicious user can perform an enumeration attack. Enumeration is a process of establishing an active connection to a target machine to discover potential attacks (Chakravartula, 2018). Once the malicious user has slowly but effectively enumerated the smart oven’s phone number, they can simply send it an SMS command. The command looks something like “WebtextPass,35257,Baking Oven On” (Leyden, 2017). The enumeration could take a while to execute because it amounts to a brute-force search for the smart oven’s phone number. Security testers have criticised AGA, saying that a Wi-Fi interface would have been cheaper and safer than a SIM card with a phone number for every device. It is amazing to me that AGA designed a device with a SIM card and a phone number but completely neglected security testing of the device. I do not even know whether a patch could be made for a device that is controlled this way; maybe that is why AGA is reluctant to provide a fix for its vulnerable devices.
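To make the missing control concrete, here is an added example (not code from the page, from AGA, or from Pen Test Partners) that models a command handler accepting the quoted SMS format with no sender check, beside a hypothetical hardened handler that requires a per-device key, an HMAC tag and a replay counter. The message format of the hardened version, the allow-listed phone numbers and the "Baking Oven Off" command are all constructed for the example; only "WebtextPass,35257,Baking Oven On" comes from the page.

```python
import hashlib
import hmac

# The page quotes the oven's SMS command as "WebtextPass,35257,Baking Oven On".
# What the middle field means is not stated there, and the vulnerable handler
# below ignores it, since the page says the command is accepted unauthenticated.
# The command set is constructed; only "Baking Oven On" comes from the page.
ALLOWED_COMMANDS = {"Baking Oven On", "Baking Oven Off"}


def handle_sms_vulnerable(sender: str, body: str):
    """Model of the reported flaw: anyone who knows the number can command the oven."""
    parts = body.split(",")
    if len(parts) != 3 or parts[0] != "WebtextPass":
        return None
    cmd = parts[2]
    return cmd if cmd in ALLOWED_COMMANDS else None  # sender is never checked


class HardenedOvenController:
    """Hypothetical mitigation (not AGA's): per-device key, HMAC tag, replay counter.

    Constructed message format: "WebtextPass,<counter>,<command>,<hex tag>".
    """

    def __init__(self, device_key: bytes, owner_numbers: set):
        self.key = device_key        # provisioned at pairing, never sent over SMS
        self.owners = owner_numbers  # allow-list of senders; SMS sender IDs can be
        self.last_counter = 0        # spoofed, so the HMAC tag is the real control

    def tag(self, counter: int, cmd: str) -> str:
        msg = f"{counter},{cmd}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:32]

    def sign(self, counter: int, cmd: str) -> str:
        """Message the owner's app would send (it holds the same pairing key)."""
        return f"WebtextPass,{counter},{cmd},{self.tag(counter, cmd)}"

    def handle_sms(self, sender: str, body: str):
        if sender not in self.owners:
            return None
        parts = body.split(",")
        if len(parts) != 4 or parts[0] != "WebtextPass" or not parts[1].isdecimal():
            return None
        counter, cmd, tag = int(parts[1]), parts[2], parts[3]
        if counter <= self.last_counter or cmd not in ALLOWED_COMMANDS:
            return None              # replayed, stale or unknown command
        if not hmac.compare_digest(self.tag(counter, cmd).encode(), tag.encode()):
            return None              # forged or tampered message
        self.last_counter = counter
        return cmd
```

With the hardened handler, a message from an unknown number, a message with a wrong tag, and a resend of an already-accepted message are all dropped, while a properly signed message from the owner's number is acted on once.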
With this vulnerability disclosed to the public, a consumer should be very cautious when buying a smart appliance from AGA. The company probably lost a considerable amount of business because of this problem, and it is their own fault. I am not sure there is anything an owner of one of these devices can do to avoid being a victim of this attack other than throwing away their smart stove and getting a new one from a different manufacturer. I suppose the owner could remove the SIM card and operate the stove only the old-fashioned way, and they could probably cancel the remote access option, since they are paying a monthly plan for it anyway. If AGA does not produce a patch for this vulnerability, the owner of the smart stove pretty much has no option other than disabling the remote-control option, or else risk their house being burnt down by a malicious arsonist with too much time on their hands.
To conclude, security testing should be a major part of the software engineering process of any producer of IoT devices, and especially of companies that make IoT devices that operate inside a user’s home. This smart oven is just one of the many mistakes made by companies producing smart devices. Given the outrageous price tag AGA puts on its smart ovens, I am sure consumers would appreciate some sort of security certification to go along with the device, so that they have some assurance that the product was built correctly, with a substantial amount of security vulnerability testing done.
Chakravartula, R. (2018, February 28). What is Enumeration? Retrieved from resources.infosecinstitute.com: https://resources.infosecinstitute.com/what-is-enumeration/#gref
Laidlaw, J. (2017, April 20). Half baked IoT stove could be used as a remote controlled arson device. Retrieved from hackaday.com: https://hackaday.com/2017/04/20/half-baked-iot-stove-could-be-used-as-a-remote-controlled-arson-device/
Leyden, J. (2017, April 13). Half-baked security: Hackers can hijack your smart Aga oven ‘with a text message’. Retrieved from theregister.co.uk: https://www.theregister.co.uk/2017/04/13/aga_oven_iot_insecurity/