Among the security issues he says he found is the fact that SMS messages – which are used by the system to turn the oven on or off – are not authenticated by the cooker.
Nor is the Sim card set up to send the messages validated on registration.
Mr Munro also criticised the fact that user registration for the service allows passwords as short as five characters – security experts usually recommend using as many characters as possible, with a minimum of eight.
Email addresses are sent in plain text via the system, too, he explained – meaning personal data could be vulnerable to snoopers.
He also said that attempts to contact Aga about the problems, including a tweet and emails on 3 April, fell on deaf ears.
When he did get through to someone and advised them to take the Total Control website down, he got a disappointing response.
“I asked to speak to relevant departments, they couldn’t put me through,” he said.
Third party provider
“Aga Rangemaster operates its Aga TC phone app via a third party service provider,” Aga said in a statement.
“Security and account registration also involves our [machine to machine] provider.
“We take such issues seriously and have raised them immediately with our service providers so that we can answer in detail the points raised.”
However, the firm did not comment on Mr Munro’s claims that it ignored his disclosure of the problems.
“It’s kind of unacceptable that some random person could just take control of your Aga,” said Professor Alan Woodward, a cybersecurity expert at the University of Surrey.
“Will hackers try it? Who knows, but it just shouldn’t be possible.”
He added that he was surprised there seemed to be a flat response from the firm when Mr Munro tried to raise the issues.
“If somebody calls up, ‘I found a problem with your system,’ they should look at it,” Prof Woodward told the BBC.