The Uninvited Guest: IDORs, Garage Doors, and Stolen Secrets

Introduction

In late 2022, while conducting independent security research, I discovered a series of critical vulnerabilities in Nexx’s smart device product line, which encompasses Smart Garage Door Openers, Alarms, and Plugs. These vulnerabilities enabled remote attackers to open and close garage doors, take control of alarms, and switch smart plugs on and off for any customer.

I collaborated closely with The United States Department of Homeland Security Cybersecurity and Infrastructure Security Agency (“CISA”) to responsibly disclose the research results. CISA assigned the following five CVEs:

1. Use of Hard-coded Credentials CWE-798 (CVE-2023–1748, CVSS3.0: 9.3)
2. Authorization Bypass Through User-Controlled Key CWE-639 (CVE-2023–1749, CVSS3.0: 6.5)
3. Authorization Bypass Through User-Controlled Key CWE-639 (CVE-2023–1750, CVSS3.0: 7.1)
4. Improper Input Validation CWE-20 (CVE-2023–1751, CVSS3.0: 7.5)
5. Improper Authentication Validation CWE-287 (CVE-2023–1752, CVSS3.0: 8.1)

More details can be found on CISA’s disclosure ICSA-23–094–01.

Nexx has not replied to any correspondence from myself, DHS (CISA and US-CERT) or VICE Media Group. I have independently verified Nexx has purposefully ignored all our attempts to assist with remediation and has let these critical flaws continue to affect their customers.

Disclosure Timeline

04 Jan 2023 — Initial contact on Nexx’s Support Website (ticket closed)
06 Jan 2023 — Follow-up on initial contact (ticket closed)
09 Jan 2023 — Reached out directly to Nexx’s founder via personal Gmail identified in FCC filings
17 Jan 2023 — Follow-up on Nexx’s Support Website
20 Jan 2023 — Opened case with CISA to coordinate efforts in reaching out to Nexx
21 Feb 2023 — Follow-up on Nexx’s Support Website, reminding them of disclosure dates
22 Feb 2023 — CISA informed me they were unable to establish contact and began escalation with their federal team
16 Mar 2023 — CISA’s federal team was unable to establish contact with Nexx; CISA recommended public advisory
22–24 Mar 2023 — VICE attempted to contact Nexx via support and social media and received no response
30 Mar 2023 — CISA confirms public advisory
04 Apr 2023 — Public release

FAQ
What is the issue at a high level?

Anyone can open garage doors belonging to others from anywhere in the world. Smart Garage Controllers can be searched for and opened based on an email address, deviceId, or first name and last initial.

Which devices are affected, and how many are impacted?

The vulnerabilities discussed in this post primarily involve the Smart Garage Door Controller and Smart Plugs, but the Smart Alarm is also susceptible to a similar class of vulnerabilities. As a result, all Nexx devices are affected by the vulnerabilities described here. It is estimated that over 40,000 devices, located in both residential and commercial properties, are impacted. Furthermore, I determined that more than 20,000 individuals have active Nexx accounts.

How is this issue being addressed?

Nexx has consistently ignored communication attempts from myself, the Department of Homeland Security, and the media. Device owners should immediately unplug all Nexx devices and create support tickets with the company requesting them to remediate the issue.

CVE-2023-1748 — Leaked Secrets and MQTT Exploitation

The Nexx Home mobile app, compatible with both Android and iOS, helps users set up their new devices. Connecting a new device to your Nexx account involves a five-step process:

1. The user uses the Nexx Home mobile app to register their new Nexx device with the Nexx Cloud.
2. Behind the scenes, the Nexx Cloud returns a password for the device to use for secure communications with the Nexx Cloud.
3. The password is transmitted to the user’s phone and sent to the Nexx device using Bluetooth or WiFi.
4. The Nexx device establishes an independent connection with the Nexx Cloud using the provided password.
5. The user can now operate their garage door remotely using the Nexx Mobile App.

Full Article