I’m a new owner of the Anova Precision Oven. I’ve always been a big fan of the Sous Vide Precision Cookers.
I’ve used the Precision Oven a couple of times now, and a bit of a concern has come to mind. I’ll keep the concern very simple: This device can be made to generate heat over the internet without human intervention.
Just to set the context, I’m not concerned about a direct hack against the company. I’m more concerned about a credential stuffing attack. We know people reuse passwords. Not everyone uses password manager generated unique passwords. I haven’t seen an option for multi-factor protection of Anova accounts. If a bad actor took the mobile app, put a debug proxy in the middle, mapped out the API, and then started playing back credentials from recent large credential dumps, eventually they could hit an Anova Precision Oven user. At that point, they could make another user’s oven turn on. That could lead to very dangerous consequences.
Other manufacturers handle this in pretty simple ways. They force a human to hit the start button to confirm actions taken from the app. Yes, it is annoying. But it’s an important safety function.
I’m curious, is there an alternative safety mechanism at play in the Anova that I haven’t noticed other than the guidance to keep space around the oven?
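The "press Start to confirm" interlock the post credits to other manufacturers, modelled as an added example. This is illustrative code written for this thread, not Anova's firmware or any manufacturer's implementation; the `Oven` class, its method names, the 120 second confirmation window and the `now` clock parameter are all assumptions. The point it shows is that a remote command, whether from the rightful owner or from someone who stuffed a reused password, can only park a pending request; the heater is energized solely by the physical button, and a stale pending request is discarded rather than confirmed blindly.

```python
"""Hypothetical 'press Start to confirm' interlock for a network-connected oven.

Added example for discussion; not Anova's code. Everything here (class, method
names, 120 s window) is an assumption about how such an interlock could work.
"""
from dataclasses import dataclass
from typing import Optional

CONFIRM_WINDOW_S = 120.0  # assumption: a remote request must be confirmed within 2 minutes


@dataclass
class PendingCommand:
    target_c: int
    issued_at: float  # seconds on the oven's monotonic clock


@dataclass
class Oven:
    heating: bool = False
    target_c: int = 0
    pending: Optional[PendingCommand] = None

    def remote_start(self, target_c: int, now: float) -> None:
        """Request arriving from the cloud/app (authenticated or not, it makes no
        difference here). It never energizes the heater; it only parks a pending
        request that the display can show as 'Preheat to 230C? Press Start'.
        A newer request simply replaces the older one."""
        self.pending = PendingCommand(target_c=target_c, issued_at=now)

    def press_start(self, now: float) -> bool:
        """Physical button on the oven: the only path that turns the heater on
        from a remote request. Returns True if a remote request was confirmed."""
        cmd, self.pending = self.pending, None
        if cmd is None:
            return False  # nothing to confirm (a real oven would start its local manual program here)
        if now - cmd.issued_at > CONFIRM_WINDOW_S:
            return False  # stale request: the person at the oven may not have seen what it was
        self.heating = True
        self.target_c = cmd.target_c
        return True

    def remote_stop(self) -> None:
        """Stopping is the safe direction, so it needs no physical confirmation."""
        self.heating = False
        self.pending = None


def simulate_credential_stuffing(attempts: int = 50) -> bool:
    """Attacker who owns the account sends many start requests; nobody presses Start.
    Returns the heater state afterwards (False: the oven never heated)."""
    oven = Oven()
    for i in range(attempts):
        oven.remote_start(target_c=250, now=float(i))
    return oven.heating


def simulate_owner_confirms(delay_s: float) -> bool:
    """Owner requests a preheat from the app, then walks over and presses Start
    delay_s seconds later. Returns whether the oven is heating."""
    oven = Oven()
    oven.remote_start(target_c=230, now=0.0)
    oven.press_start(now=delay_s)
    return oven.heating


if __name__ == "__main__":
    print("attacker only, heater on:", simulate_credential_stuffing())
    print("owner presses Start after 30 s, heater on:", simulate_owner_confirms(30.0))
    print("owner presses Start after 200 s, heater on:", simulate_owner_confirms(200.0))
```

The same interlock also protects a running oven: a remote request received while it is already heating only queues a new pending target, so an attacker cannot silently raise the temperature of a program the owner confirmed.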