Continuing our series on really rather poor security choices on the part of device manufacturers who offer some sort of remote functionality: how about controlling a high-end oven and range with SMS messages?
Among the security issues he says he found is the fact that SMS messages - which are used by the system to turn the oven on or off - are not authenticated by the cooker.
Nor is the SIM card set up to send the messages validated on registration.
I’m not even sure what the rationale behind this was. Certainly, once you have a 2G signal to receive SMS, you’ll also have enough bandwidth for the trickle of data needed to convey this information, but you can layer encryption etc. on top of it. Doing completely unauthenticated SMS controls seems ludicrous. The only security defense you have is the hope that people don’t find out what the phone number of the embedded SIM module is.
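To make the point concrete, here is an added example (my own illustration, not code from the manufacturer or from the article) of what "layering authentication on top" of an SMS control channel looks like. The first handler does what the cooker reportedly does: any text reading ON or OFF is obeyed. The second assumes a secret key is provisioned into the oven when the SIM is registered (the step the article says is skipped), and accepts a command only if it carries a valid HMAC and a counter higher than the last one seen, so a captured message cannot be replayed. The key, phone numbers and message format are constructed for the example.

```python
import hashlib
import hmac
from typing import Optional

# Constructed example key. A real device would receive a per-device key
# during registration/pairing; the point is that the oven must hold a secret
# the sender has to prove knowledge of.
SHARED_KEY = b"example-key-provisioned-at-registration"
ALLOWED_COMMANDS = {"ON", "OFF"}
SMS_MAX_CHARS = 160  # single-segment SMS budget the signed message must fit in


def handle_unauthenticated(sms_text: str) -> Optional[str]:
    """The behaviour described above: whoever knows the number runs the oven."""
    cmd = sms_text.strip().upper()
    return cmd if cmd in ALLOWED_COMMANDS else None


class AuthenticatedOvenController:
    """Accepts ON/OFF only with a valid HMAC-SHA256 tag and a fresh counter."""

    def __init__(self, key: bytes, registered_sender: str) -> None:
        self._key = key
        self._registered_sender = registered_sender
        self._last_counter = 0  # highest counter accepted so far (replay guard)

    @staticmethod
    def build_message(key: bytes, command: str, counter: int) -> str:
        """What the legitimate sender (app or backend) would transmit."""
        payload = f"{command}|{counter}"
        tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
        message = f"{payload}|{tag}"
        if len(message) > SMS_MAX_CHARS:
            raise ValueError("signed command does not fit in one SMS")
        return message

    def handle(self, sender: str, sms_text: str) -> Optional[str]:
        # Caller ID is cheap filtering, not a security boundary: it can be
        # spoofed, so the HMAC below is what actually authenticates the command.
        if sender != self._registered_sender:
            return None
        parts = sms_text.strip().split("|")
        if len(parts) != 3:
            return None
        command, counter_str, tag = parts
        if command not in ALLOWED_COMMANDS or not counter_str.isdigit():
            return None
        counter = int(counter_str)
        expected = hmac.new(
            self._key, f"{command}|{counter}".encode(), hashlib.sha256
        ).hexdigest()
        # Constant-time comparison so the tag check does not leak by timing.
        if not hmac.compare_digest(expected, tag):
            return None
        # Strictly increasing counter: an old, captured message is rejected.
        if counter <= self._last_counter:
            return None
        self._last_counter = counter
        return command


if __name__ == "__main__":
    oven = AuthenticatedOvenController(SHARED_KEY, "+15550100")
    good = AuthenticatedOvenController.build_message(SHARED_KEY, "ON", 1)
    print(oven.handle("+15550100", good))   # ON
    print(oven.handle("+15550100", good))   # None: replayed counter
    print(oven.handle("+15550100", "ON|2|deadbeef"))  # None: bad tag
```

The counter is the part that is easy to forget: an HMAC alone stops strangers from minting commands, but without freshness a single intercepted "ON" message would still work forever. Encrypting the payload is a separate concern and can be added on top of the same structure.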
And of course, the manufacturer, much like in the Miele bug, proved unable to respond to the security disclosure. Again, requiring manufacturers and distributors of connected devices to have a Single Point of Contact for security-related inquiries and disclosures seems more sensible by the day.