Can you control the oven temperature?
Or is this one of the leet ovens that doesn't have temp controls?
Miscreants can remotely turn off and on posh Aga ovens via unauthenticated text messages, security researchers have warned. All the hijackers need is the phone numbers of the appliances. The vulnerable iTotal Control models of the upmarket cookers contain a SIM card and radio tech that connects to mobile phone networks. This …
Agas are the worst oven known to man. Incredibly inefficient unless you also need to heat the room all day.
The temperature is pre-set during installation and cannot be changed.
On/Off is all you get on an electric, and the gas ones don't even have an indicator to say that they are burning.
Stayed at a place that has a gas one. It went out one day, we didn't realise until it was too late for it to warm up for dinner.
So we went to the pub.
We have a circa 1950 Rayburn version of the AGA. It was solid fuel but converted to oil. It heats a > 400 year 3 bed house and provides hot water for less than £500 a year. Not on all day. We once left a roast lamb dinner it it when we went to a beer festival. We were 3 hours late home and the lamb was delicious. If they are used properly can be a great asset.
We have a similar age aga that runs on oil and it sits there for maybe half the year heating the house and water. Its never turned off or down over the 'winter' period. I dare say you can get something a bit more efficient but no-where near as nice. And the food that comes out of it is extraordinary and modern 'smart' agas dont come close. It has two ovens and you can put a chicken carcass for stock in the 'cool' oven and take it out three days later and the stock is unbelievable. I have looked into the idea of seeing if it can be converted to rape seed but Aga are so up their own arses these days I'm not going to make their fortune for them.
I'm confused. Are you saying that in Britain it's common to heat a house with a kitchen stove? In the US we haven't done that since the 19th century, we have proper furnaces that heat the house and kitchen stoves or ovens that are designed to cook dinner, they don't heat the kitchen let alone the house.
"I'm confused. Are you saying that in Britain it's common to heat a house with a kitchen stove?"
No, we don't. In some circumstances, they might still do that but they are either years old (there's really nothing in them the break) or are bought by people with a big kitchen and plenty of cash mainly for a bit of that Olde Worlde look. A bit like those of you in the colonies who still like the old fashioned 1950's look refrigerator or other kitchen appliances.
But wait! You have a whole furnace to heat your house? What is it? A 10 bedroom mansion? Do you employ your own stoker to shovel the coal in?
Most people in the UK have a fairly small gas powered combi boiler that does heating and "instant" hot water that's about the size of a medium suit case.
Radiant heating is the exception and not the norm in the Americas and electric is more common than water for those that do.
Central forced air is the default here and by mansions you mean three to four bedrooms in a household with weather below freezing for at least 4 months of the year, then yes.
>On/Off is all you get on an electric, and the gas ones don't even have an indicator to say that they are burning.
Proper Aga's only use solid fuel (okay oil is an acceptable alternative if you've not got a decent supply of coal or tarred wood ie. ancient railway sleepers) - never really saw the point of the electric or gas Aga.
Agas are the worst oven known to man. Incredibly inefficient unless you also need to heat the room all day. The temperature is pre-set during installation and cannot be changed. On/Off is all you get on an electric, and the gas ones don't even have an indicator to say that they are burning. Stayed at a place that has a gas one. It went out one day, we didn't realise until it was too late for it to warm up for dinner.
So we went to the pub.
Actually the Total Control is the Electric model that you can switch individual ovens on and it doesn't have to be on all day you had a timer you could set. I looked at one for my house before I moved in and decided against it because despite my estate agent saying they raised the value of the house - the space I had to put it in wasn't really large enough. If you live in a large house they're actually quite good because they really do heat the room and reduce the need to have a radiator in the kitchen. I went to a cooking demonstration for AGA and saw how to cook on one despite not actually buying one for myself in the end. You can dry clothes on them, do a wicked toasted sandwich on top (with some silicone paper) and the best cake I've ever cooked was done in an AGA. You can alter the temperature (on an Oil and Gas ones as my mum and sister have them*) but you're supposed to use different ovens and positions within the oven to cook. *They were in the houses when they moved in they didn't have them put in. Also it will carbonise food left in there and I've seen some beautiful examples of bread that looked exactly the same as when it went in to the oven just now carbon black and shiny.
Still a bit of a shocker to find that someone can turn on your oven whilst you're out if you went for the connected model. I can think of ways to mitigate this even if you did go with the SMS option and not a more secure wifi option. Not even sure this counts as coming under the IOT banner because it's using SMS.
AGA are in a mess. I interviewed there last year and even the short time I was in the office it was clear they were struggling for lack of direction, being beholden to a cabal of long-time employees so set in their ways that any innovation is fought against.
They also made their receptionist redundant and installed a phone in the 'air lock' entrance to replace her.
I don't blame them for trying new things. They are going to have to do a lot better though.
My thought entirely @Number6 - if one is so luddite-minded as to have a 19th century oven, why would one want to embugger it with a late-20th century innovation such as SMS-based remote control?
The only explanation is we have hit upon a new trope following steam-punk, diesel-punk etc. I'm getting my coat - the one without the lace-up corset.
How may days' lead time does one need to preheat these things that a remote-start is useful? My not-expensive electric oven heats up in ten minutes. Does anyone really come home and race into the kitchen to immediately throw a fully-prepared dish in the oven? Who really lives by such tight time margins?
Another product in desperate need of a purpose. I shorely wish people would design things we actually need instead of questionable excuses to bolt on some electronics and internet connection...
I can set the washing machine going before leaving work, turn on the cooker, the fridge re-filled itself from Amazon direct and the Rhumba cleaned the floor..... why do i need to go home? i can stay at the coal face for a few more hours earning that state pension that wont be there when i retire.
I know people do have reasons for iOt stuff but who is so busy that they need to turn the oven on before they get home. I was told as a child NOT to leave the oven/cooker on when no-one was home.
And why hasn't this caught the attention of the home insurance industry? Won't they want to know that ovens are running hot in empty houses?
Also consider someone putting a roast in there and leaving it all day before it cooks. Aging beef is fine, but not at room temperature!
Call me mad (or luddite), but I actually prefer being home when something is in the oven, just to keep an eye on things (and occasionally baste things for that crispy skin on chicken, and leg of boar glazed with home-made apple treacle is truly great). I could use the timer on my SMEG oven quite nicely, although that does not cope well with sudden changes to plans. Therefore, I much prefer turning it on when I get home. It takes just shy of 10 minutes to get to its highest working temperature (it also has two ovens in which I can control temperature independently), so I really, really do not see the need of remote control. The ten minutes warm-up time are readily filled with laying table, chopping vegetables, relaxing after work with a beer, or even talking to members of the family.
I have nothing fundamentally against remote control, but to implement it in this terrible way is mindboggling.
First thought was why and how do you i-control something that takes a day to get to working temperature? Then I read it's electric, and thought ouch that's going to cost a bit to leave running 24/7 but still Agas don't really have a 'stat as such.*
Then I see it draws 30A, so basically a very f@#cking heavy, and enormously expensive cast iron shell around an electric oven for the Chelsea Tractor driving mummies "in town" so they can look the part. Hack away, well text away, my friends, text away!
*To our friends across the water Agas are traditionally solid fuel or oil, they are cast iron, sectional, built in situ and filled with insulation. With a built-in hot water boiler to use some of the excess heat. The idea being they run at a working temperature 24/7
"Then I see it draws 30A, so basically a very f@#cking heavy,"
Yup. Though it doesn't draw 30 A continuously. Friends of mine have one in their large old house in Ceredigion, sort of makes sense as it keeps the kitchen (where you spend most of your time) warm in winter. When they bought a house in The Hague they wanted to get an Aga there too - until I did a few calculations on the back of an envelope and pointed out that the standing losses of the Aga would be seven times the power consumption for my whole house. Aga: great when and where it was invented (cold Sweden) but no longer relevant for most of us. Though reasonably nice to cook with once you get used to it.
I think one of the thing people dont seem to realise about the permanently on aga is it is nowhere near as inefficient as people make out. If its properly looked after (the internal insulation needs checking every few years or so) it will just sit quietly in the corner keeping your house warm. Not hot - with an aga you can get by with it several degrees cooler as one its up and running and temperatures are stable you dont have the cold wall heat sinks that you get with a normal on-off heating system so it actually feels warmer than it is. We have ours on nearly half the year over winter and it provides us with heating, hot water and cooking over the coldest part of the year for pretty much the same oil use as our high-efficiency boiler provides hot water and add-lib heating the rest of the year.
>Not hot - with an aga you can get by with it several degrees cooler as one its up and running and temperatures are stable you dont have the cold wall heat sinks that you get with a normal on-off heating system so it actually feels warmer than it is.
The problem is that you do need a house with sufficient thermal mass in the right place, namely an internal wall and chimney stack, so the Aga can heat it up - something missing in the vast majority of modern houses (ie. post-WWII). Interestingly, if you go off grid and seriously look at alternative energy/zero carbon houses, you discover that thermal mass is a handy thing to have.
We used to have a cheap Aga-like oven in the house where I grew up, although this was a solid fuel (ie wood and coal) fired one. During the winter we had to keep it burning constantly, because it was the only source of heat in the whole house, even in the UK, there's a risk of freezing to death if you have no heating during a cold snap.
There's also another use for an Aga that no one has mentioned. They typically have several doors, opening on compartments at different temperatures, one of which is around 30-40C (I guess it's supposed to be for warming one's plates or somesuch). Farmers use this to incubate lambs that have been abandoned by their mothers. Maybe you own a jumper that started it's life snuggled inside an Aga?
I used to sell them (I got a better job and left with no hard feelings) and I really liked the way it cooked food. |Couldn't afford one myself but they are definitely a status symbol. My American friends all asked if I could get them a discount because they all wanted one. You don't have to leave the Total Control on all day you can program it with timer and have it come on when you get home or have it on half temp during the day. Never heard of the iTotal Control though must have come in well after I left as the Total Control was only being launched just as I was leaving.
modern Aga's are crap.
Very expensive crap.
My Gran's old (1950's) AGA was great. On all day (solid fuel) and heated the whole house and this was before average houses had central heating. Heated the water as well.
New ones are just shiny status symbols for people with more money than sense.
When we were buying a new house last year, we looked at several with expensive AGA or look alikes. I asked one owner about the running costs. She looked coy before saying that she never used it. "It came with the house and we can't afford to have it ripped out."
We didn't buy a house with a 'range cooker'.
Very expensive crap.
Had an oil (wick burner) Aga here that was converted from coal. That has been replaced with an Everhot electric Aga look-alike. It plugs into a 13amp socket and is on 24/7. It uses some of the juice from the 6kW wind turbine that's making about £6000 a year. Getting the Everhot installed here to this remote island cost coincidently £6000 YMMV. It has no internet connectivity. Recommended.
Agreed! I can't imagine why anyone would downvote you. My parents had an oil-fired Aga back in the seventies. It kept their 550 year old Welsh stone farmhouse warm as well as heating the water and being fabulous at cooking. I got an old solid fuel Aga as soon as I had a big enough house. It was converted to gas and kept me spoilt for 20 years. When we moved to another old house in Wales which has no gas I was tempted to get an old oil-fired one and recondition it. Then I found the Everhot website and, after visiting then and talking to their techie, I was convinced and we have had ours working for nearly 5 years now with no problems. Works off a 13A socket and costs perhaps £8 a week. Much better built than an Aga too. No problems with remote control either! Now, remind me, where's the IT angle again?
"Security and account registration also involves our M2M [machine-to-machine] provider. We take such issues seriously", well obviously not! For a start their site (http://www.agatc.co.uk) which requires a username and password doesn't even use basic SSL/TLS. Also the site appears to be running on an IIS 6 server (which was EOL'd back in 2015).
<pedant>The connector in that picture is DE-15, not DB-15</pedant>
The only kit ever I recall using DE-15 for serial communications were early Macintoshes that used it for RS-422 (yes, it is possible for it to operate as RS-232) before they went with the 8-pin Mini DIN.
Rather obscure one, so points to OP for picking one that tripped my memory up. :)
The original article on the penetration tester's website
ends with a number of paragraphs about how it was hard to get a decent response from AGA to the issue.
I think the challenge of presenting to an organisation such security flaws is a story here. How do you get the right attention without resorting to public disclosure? This story also shows the lack of risk assessment and foreseeable misuse undertaken at design time by the rush to IoT everything in sight
They could have at least designed the AGA to be registered to a particular phone and using a pseudo random token to control the oven. What are they teaching them in computer school lately.
"AGA users who don’t have any of these devices can still take advantage of these unique benefi ts by simply sending a text message to their AGA. You just tell the cooker via the app or SMS text message which oven you want activated and it will respond by letting you know it has been switched on or off." link mirror
Someone spoke to our head cook and gave her a 'hacked' dinner order. No two-factor authentication or verification protocol in place, so she just went ahead and instructed the kitchen staff to cook rabbit stew when in fact I wanted toad in the hole just like Mummy made. I was very, very cross indeed. Now cooksy has to confirm all menu-based instructions with the butler, which has fixed everything.
So I completely understand what Aga owners are going through, even though I've never set foot below stairs, of course.
The [software] developers are somewhat limited by the capabilities of the device. I'd imagine that these are fairly simplistic modems + microcontroller with not a lot of memory to work with. A full-on SHA implemented algorithm is likely beyond the hardware though some kind of hash should have probably been used - assuming the hardware side used it.
It's all very well saying something like this should be locked down but easier said than done. At the end of the day, it's up to the device manufacturer to provide the functionality, and software to ensure it gets used.
Yes, there is: cost. Even in 2017, the main benefit of IoT is the cheapness of the sensors and edge processing. These are still very limited devices in what they can do with KB of memory to work with, at best. Anything larger and your per device cost goes from £10's to £100's or more very quickly.
The Raspberry Pi isn't designed or intended for commercal use though, you're right, it technically could have been used in this scenario. Generally speaking, most electronics of this nature is custom for the intended purpose which means higher costs, both to manufacture and develop for.
E.g., you can use a R Pi to run a set of traffic lights but you wouldn't roll that out in live production.
That's actually a lot of money for most IoT devices, where the entire cost of the device will typcially be less than £5. It's got a lot more power than you would ever need, as well.
That said, there have been Pi-based commercial products, such as the early revisions of this:
This really isn't the case though.
The PIC18F - which currently only support SSLv3 and below with weak ciphers - is ~£1.75 in bulk. An ARM Cortex-M3 that costs the same, has more functonality and more flash can support TLSv1.2 with good ciphers.
Time and time again I see people saying "but the hardware can't do it". It's perfectly possible to design your hardware to the same cost and have the functionality required.
"Did anyone try to give a heads up to Action Point or Tekelek?"
Why would that be relevant?
Does existing (but largely unenforced) 'product liability' legislation in the UK and elsewhere say where the finger should initially be pointed?
"Under the CPA, the 'producer' of a product is liable for any defects. The producer is the manufacturer of the finished product or of a component of the finished product, or any person responsible for an industrial or other process to which any essential characteristic of the product is attributable. Liability may also be imposed on any party who holds itself out to be the producer through the use of a name or trade mark, and any person who imported the product into the European Community.
As such, there may be more than one party liable under the CPA in respect of the same damage. Liability is joint and several, so the injured party may sue any or all of these people. Liability cannot be excluded or limited."
Time a bit more of this stuff was actually *enforced*. If the normal enforcers (Trading Standards) are too busy to enforce it themselves (e.g. because they're busy trying to force Kodi off the market for some reason), who else is in a position to sort matters out?
Who reckons the directors at Aga Rangemaster Ltd might have these installed?
Three named directors, two listed in Illinois where the parent company (The Middleby Corporation) are based, one in Spain, none in the UK. So the directors probably *don't* have the product in question installed in their own homes.
Well about liability, if it ends out being with Aga or Action Point, BBC quotes Aga as saying:
Aga Rangemaster operates its Aga TC phone app via a third party service provider," Aga said in a statement.
"Security and account registration also involves our [machine to machine] provider.
"We take such issues seriously and have raised them immediately with our service providers so that we can answer in detail the points raised."
So it sounds like Aga is passing the buck to Action Point (or Tekelek). It won't be easy to fix either, the vulnerability is in the wild and may have to be physically replaced (if the hardward is not powerful enough as suggested elsewhere in these comments.)
And I see the link in the original el-Reg article to the Action Point Aga case study is now gone from the Action Point website...
I always though Agas were on all the time, but I've learnt from these very pages that's the old ones. It woud appear the newer 'leccy ones are a different beast.
I'm not a great fan of all this IoT stuff, for the usual reasons. Can't say I'd ever really want to switch my cooker on when I wasn't there. I don't like having such appliances on when I can't keep an eye (or nose) on things.
Hack the Mobile supplier.
SMS messaging computers can be / have been hacked, exposing source & destination numbers and queued messages.
Or listen to the mast near person you don't like.
Clear text SMS is madness to control ANYTHING. It's the principle of it, not how attractive a target it is.
"*if I was a hacker I would find this a bit of a dull 'hack' to carry out - great, I can switch someone's Aga on or off."
I wonder how many there are installed in the UK? It seems from the article that collecting a list of the phone numbers for all them isn't al that difficult. Are there enough to cause issues if every iTOTAL Aga in the UK all turned on at once during peak demand? Like a really cold winters day in December when pretty much the entire country also happens to be becalmed, nary a windmill stirring.
Because that would cost the customer. While in principle, charging someone who can afford an 18K+ cooker would seem like a good idea, it's also a good idea not to p*** off a customer who has paid out a chunk of change. Aga swallow the cost of the text messages.
"Miscreants can remotely turn off and on posh Aga ovens via unauthenticated text messages, security researchers have warned.
All the hijackers need is the phone numbers of the appliances."
The use of SMS or even simple dialup to control devices such as hall heating systems has been around for some decades: If you know the phone number you can turn the heating on/off in my local village hall.
Which is who did design it.
No hassle, fail safe cooking.
Designed by a man for men to cook with. *
Now I'd say Agaphiles come in 2 types. The hard core minimalists and the trendies. I can't see the hard core buying one of these (why would turn an Aga off?). The trendies OTOH bought theirs because everyone was doing it. So they'll buy this IoT b***ocks if they can be convinced it's "the next big thing."
*As for energy efficiency at circa £5K a pop they are built like tanks and flooded with insulation. It may take a while to get up to operating temperature(s) but having done so I expect it to "cruise" with fairly low heat input.
We made the mistake of getting a Rangemaster some years ago.The control knobs fall off, one half of the grill has dies and I can't be bothered to fix it and I'm not getting them in, the build quality ain't great, and the hot plate isn't. Shoulb have gone Belling. We have two sets of friends with them and they're amazing so when we re-do the kitchen thats what I'm getting.
Indeed, the Rangemaster group must have paid over the odds for Aga/Rayburn when they were fashionable only to see their investment collapse as the greens took over and pilloried Aga and Rayburn users. Mainly Aga users as they were perceived as being well off and thus a target for envy. All the modern stuff from Rangemaster seems to be afflicted. I recently bought a Leisure sink for our new kitchen. The one I bought nearly 30 years ago for our old house was well made and still going strong when I sold it. The new sink is poorly made and very badly finished. No more Rangemaster stuff for me!
In reasonable time?
My nice USA electric oven can whip out a pizza in about 20 minutes from a cold start. If you start the oven as you order the take & bake one, it can take less, as the travel time is about the same as the warm up.
Get out the beer and have at it. Don't need this multi-door monstrosity that thinks it is hot all the time. How do you clean the beast?
Biting the hand that feeds IT © 1998–2019