Sharpen the mix / Do all kinds of tricks / Up to the pressure / Feeling the kicks

[azurelunatic]

Oven is in!

I am sure I will gather further opinions as I try to use it, but here's what we know so far.

* It has a Proof setting!!! (I had to explain this to the installation techs, who hadn't the foggiest but knew it couldn't possibly be for booze...?)
* It has a Steam setting for cleaning (Even though it's not hooked up to water, pointed out the techs) -- you pour a cup of water in the bottom and it cleans the oven with steam, not fire, so a lower temperature.
* It ... has wifi. DON'T GIVE WIFI TO FIRE. DON'T GIVE FIRE TO WIFI. We're considering downloading the app for long enough to ban the oven's MAC address from the local network at the router. (We would vaguely like to see what the oven is doing, if only that didn't entail also being able to command the oven remotely.)
-- does anyone know how to pirate the SmartHQ mothership so we can just reroute it to localhost? :D :D :D
* The alert noises it makes are not loud enough to reach the living room in all circumstances, even on the loudest setting. This could be a problem. Perhaps a problem that ought to be solved with technology. Of some kind.
* It does have a "make a noise until you physically touch the oven" setting, which is what it's on now.
* It does have Sabbath mode, K-star Star-K certified. Not that we need it, but it's good to know it's there.
* Belovedest: "Now I know what 'Hidden Backlit LCD' means." (The controls vanish when the oven is on standby. Tap the button area, or open the oven door, to light up the button area. I may put a tactile dot on the Cancel button just 'cause.)
-- I did in fact put a tactile horizontal bar sticker on the thing.
* I JUST HANDED BELOVEDEST A BLOOTOOTH DONGLE FOR HOME ASSISTANT PRAY FOR US (unless you're Evangelical, in which case I would appreciate Not)

Comments

[momijizukamori]

Proof setting!!! One of the things I wish my oven had, I think a lot of my attempts at bread have failed because I always try in the winter when the temp inside is set to like. 66F max.

If you knew what addresses it tried to hit, you could override the DNS in a hosts list I think, but only if it's not using HTTPS :|a

[azurelunatic]

I hadn't thought about https. Alas.

We may fire it up and do a sniff ;)

[momijizukamori]

On one hand I hope it's using HTTPS, but on the other, yeah, it makes investigations harder, heh.

[pauamma]

Unless I'm missing something (always possible), DNS requests and replies themselves should be in cleartext* even if the oven uses HTTPS for its web traffic proper. So you'd get the domain part of all URLs it accesses ("ovenlord.example.org" in "https://ovenlord.example.org/no/two/are/not/on/fire/"), which would be enough to bitbucket them.

* And if it uses DNS over SSL (which I think would still be unlikely for an IoT host), having the/a local name server log the DNS requests may still be possible.

[momijizukamori]

Oh, yeah, you'd get enough to blacklist it, but you wouldn't be able to get request bodies unless it doesn't do cert validation (because you need to basically man-in-the-middle the connection, which on HTTPS means you need to get the end user/oven to trust your new certificate)

[pauamma]

True. I was just thinking about devnulling, not reverse engineering. Which is probably forbidden by the EULA anyway.

Fouind this looking for something else.

[pauamma]

Turns out (surprise!) that some fridges don't validate SSL certs and are vulnerable to man-in-the-middle.

[sraun]

K-star is some Rabbi or group of Rabbi's that certifies that the Sabbath Mode puts it into a state that doesn't conflict with the lovely arcane Jewish Sabbath Work Rules. It usually means that when you turn it on before Sabbath, it stays on and does nothing automagically / on it's own until after Sabbath is done.

[azurelunatic]

Sometime in the past few years I learned that some electric scooters have Sabbath Mode! And some elevators! Which is so cool!!!

[lannamichaels]

It's not about the lovely arcane Jewish Sabbath Work Rules, since those say you can't cook. It's about the ones for holidays, where you can cook. But calling it "holiday mode" would be confusing.

[kore]

"DON'T GIVE WIFI TO FIRE" //falls out laughing

[azurelunatic]

I mean, we could possibly let the oven onto the internet if it were write-only. What's the worst it could do, flame people?

*grin, duck, run*

[senmut]

Ours is smart, sounds very similar. We've never let it connect.

Tech solution: Microphone in kitchen that is wirelessly routed to a speaker in the living room?

[azurelunatic]

We're contemplating whether we can let it connect just enough to send alerts without also being controllable. If we can make it yell directly at Home Assistant without an intermediary, Home Assistant could repeat the inputs aloud and/or change lights.

[redbird]

I just read this to cattitude and adrian_turtle. We are all agreed that "DON'T GIVE WIFI TO FIRE. DON'T GIVE FIRE TO WIFI" is good advice, albeit advice I hadn't expected anyone to need.

[hashiveinu]

We are all agreed that "DON'T GIVE WIFI TO FIRE. DON'T GIVE FIRE TO WIFI" is good advice, albeit advice I hadn't expected anyone to need.

I am in agreement as well.

[azurelunatic]

The clock has keming problems.
The screen is additionally touch. So you probably cannot actually turn off the oven with the thumb of a potholder. Unless we put fucking metal thread in the thumbs of our oven mitts.

[pauamma]

PRAY FOR US (unless you're Evangelical, in which case I would appreciate Not)

Would a light-hearted dua be OK with you?

[azurelunatic]

Yes.

[pauamma]

Will do, in about *checks clock* 5h40mn.

[domtheknight]

I do have a robot vacuum that I can command from my phone (but do not - because it sometimes needs redirecting, cleaning, etc, and I want to ensure I've picked stuff up off the floor before it starts, so I just hit the manual start button). But in general, home appliances on the internet feels extremely bad to me!

[pauamma]

Wasn't there a fridge model that could send alert emails, which was found to be an open relay about... memory says 5 years ago?

[azurelunatic]

Samsung brand, possibly?

[pauamma]

I vaguely remember a US brand, but I wouldn't be surprised if there was more than one with that glaring misconfiguration.

[azurelunatic]

I'm finding a lot of news results from January 2014, but no details on the refrigerator itself.

Some SoS entries that mention brands

[pauamma]

- https://www.schneier.com/blog/archives/2017/01/law_enforcement_1.html (LG, not the vulnerability I was thinking of)
- https://www.schneier.com/blog/archives/2016/07/real-world_secu.html and https://www.schneier.com/blog/archives/2015/08/using_samsungs_.html (Samsung, as you remembered)

[azurelunatic]

We have ours start off automatically every morning and evening (at times after when humans should be awake) so we have a chance to intervene before it encounters Cat Effluvia.

[mecurtin]

What kind of oven is this?

Yeah, I don't know what people are thinking when they let FIRE connect to the internet.

[pauamma]

https://www.fire.org/ (also https://www.thefire.org/, but that's not about fire, although flaming is probably part of what it defends).

[azurelunatic]

A GE electric conventional/convection.

[vass]

It ... has wifi. DON'T GIVE WIFI TO FIRE. DON'T GIVE FIRE TO WIFI.

NOOOOOOO.

[azurelunatic]

I told Mama that this house rule would probably have been a Dad rule, if he'd lived long enough.

[lannamichaels]

* It does have Sabbath mode, K-star certified. Not that we need it, but it's good to know it's there.

If the logo's a star with a K in it, it's Star-K, not K-Star ;)

[azurelunatic]

Written out in words in the manual and I must have transposed them in my head.

[owl]

A remotely-controllable oven seems like a clear case of "Your scientists were so preoccupied with whether they could, they didn't stop to think if they should".

[azurelunatic]

Exactly!

[kaberett]

oh this is delightful, except for all the ways in which it is merely hilarious