Smart Ovens Are Doing Dumb Checks For Internet Connectivity [Hackaday]

If you’ve ever worked in IT support, you’ll be familiar with users calling in to check if the Internet is up every few hours or so. Often a quick refresh of the browser is enough to see if a machine is actually online. Alternatively, a simple ping or browsing to a known-working website will tell you what you need to know. The one I use is koi.com, incidentally.

When it comes to engineers coding firmware for smart devices, you would assume they have more straightforward and rigorous ways of determining connectivity. In the case of certain smart ovens, it turns out they’re making the same dumb checks as everyone else.

“Just Go To Google, Dude”

As reported by The Register, software architect Stephan van Rooij was recently astounded by the behavior of his new AEG home devices. Van Rooij had purchased the AEG Built In Combination Microwave and AEG Oven, which both hilariously feature Wi-Fi in devices that traditionally have no need for connectivity. He had no need for their Wi-Fi features, and purchased them unaware they were even available.

Upon hooking up the devices to his home network, Van Rooij found some curious behavior. The devices were regularly querying various popular websites to determine whether an internet connection was available or not. The AEG devices were routinely checking google.com every five minutes. As a further surprise, the devices would also send repeat queries to baidu.cn and yandex.ru on the same timetable. If you’re unfamiliar with these websites, they are popular search engines in China and Russia respectively. Van Rooij was able to capture this activity because he had a Pi-hole set up to block ads on his home network.
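This is the sort of pattern a Pi-hole user can pull straight out of the dnsmasq query log. As an added example (not code from the article or from van Rooij), the script below parses pihole.log-style lines and flags any client that resolves a watchlisted third-party domain on a steady timer, which is the signature of a firmware connectivity check rather than a person browsing. The log lines, client addresses and watchlist are constructed; the year passed to the parser is assumed because dnsmasq timestamps carry none.

```python
import re, statistics
from collections import defaultdict
from datetime import datetime

# dnsmasq query line as Pi-hole writes it to pihole.log (no year in the timestamp).
_LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
                   r"query\[(?:A|AAAA)\] (?P<domain>\S+) from (?P<client>\S+)$")

# Third-party domains the article reports the appliances polling (constructed watchlist).
WATCHLIST = {"google.com", "baidu.cn", "yandex.ru"}

def parse_queries(lines, year=2024):
    """Yield (timestamp, client, domain) for every query line that parses."""
    for line in lines:
        m = _LINE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["client"], m["domain"]

def find_beacons(lines, min_queries=3, max_jitter_s=30):
    """Map (client, domain) -> median gap in seconds for steady-cadence polling."""
    seen = defaultdict(list)
    for ts, client, domain in parse_queries(lines):
        if domain in WATCHLIST:
            seen[(client, domain)].append(ts)
    beacons = {}
    for key, stamps in seen.items():
        if len(stamps) < min_queries:
            continue  # too few samples to call it periodic
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps)
        # Every gap close to the median means a timer, not a human.
        if all(abs(g - median) <= max_jitter_s for g in gaps):
            beacons[key] = median
    return beacons

# Constructed sample: 192.168.1.42 plays the oven, 192.168.1.10 a laptop.
SAMPLE_LOG = """\
Mar 10 18:00:01 dnsmasq[812]: query[A] google.com from 192.168.1.42
Mar 10 18:00:01 dnsmasq[812]: query[A] baidu.cn from 192.168.1.42
Mar 10 18:00:02 dnsmasq[812]: query[A] yandex.ru from 192.168.1.42
Mar 10 18:05:01 dnsmasq[812]: query[A] google.com from 192.168.1.42
Mar 10 18:05:02 dnsmasq[812]: query[A] baidu.cn from 192.168.1.42
Mar 10 18:05:02 dnsmasq[812]: query[A] yandex.ru from 192.168.1.42
Mar 10 18:07:15 dnsmasq[812]: query[A] google.com from 192.168.1.10
Mar 10 18:10:01 dnsmasq[812]: query[A] google.com from 192.168.1.42
Mar 10 18:10:01 dnsmasq[812]: query[A] baidu.cn from 192.168.1.42
Mar 10 18:10:03 dnsmasq[812]: query[A] yandex.ru from 192.168.1.42
""".splitlines()
```

Running `find_beacons(SAMPLE_LOG)` reports the oven polling all three domains at roughly 300-second intervals and stays silent about the laptop's single google.com lookup.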

While a quick ping is a perfectly cromulent way of testing your connectivity, it’s a little lazy for manufacturers to rely on such a check. It’s fundamentally a dereliction of responsibility to expect Google to handle your connectivity checks for you. Companies like Microsoft, Google, and Apple maintain their own endpoints for checking internet connectivity. They don’t simply ping some random website that has been deemed popular enough to never go offline. Worse, the appliances already have a cloud API for talking to AEG’s servers. Van Rooij contends that the company should run its own connectivity check through this method, rather than sending data to search firms overseas.

It’s unlikely Baidu and Google would go offline at the same time, or change their domain names.

The odd pings are not the only issue Van Rooij raises with the oven’s cloud connectivity, either. The whole purpose of the internet connectivity is to provide the devices with some form of remote control, via an app. On the surface of it, this appears highly useful. For example, it could be used to set the oven to begin pre-heating while you’re driving home from the grocery store. It could also provide phone notifications when a timer is up and your meal is done cooking.

However, the oven’s overbearing security measures are set up in a way that makes the remote control feature largely useless. Van Rooij explains that every time the oven door is closed, the user is asked whether they would like to enable remote control. A button must be pressed to enable remote control every time the oven door is closed. There is no way to permanently enable remote control. Thus, if one forgets to press the button, there is simply no way to remotely activate the oven at all, as the app will refuse to turn the oven on. On the surface of it, this may seem like a wise security measure. However, as Van Rooij points out, even if a malicious actor could turn your oven on remotely, there shouldn’t be any real consequences beyond some wasted energy. If it’s dangerous to run the oven too long, a simple timeout feature would be enough protection. He also points out that a PIN entry through the app would be enough security to prevent children accidentally turning on the oven from their parents’ phone, if that’s a real concern the company has.

Overall, the story paints a familiar picture: poorly thought-out “smart” features that work poorly and are implemented with odd shortcuts. We’ve written more stories about IoT security issues than you can shake a stick at. There’s obviously some value in having an oven you can turn on over the Internet. Whether it’s enough to justify the curious internet traffic and the janky user experience is another question entirely.