Skip to main content

IOT SECURITYNexx Ignores Vulnerabilities Allowing Hackers to Remotely Open Garage Doors

  • April 5, 2023
  • 1 reply
  • 21 views

Jasper_The_Rasper
Moderator
Forum|alt.badge.img+54

Nexx has ignored repeated attempts to report critical product vulnerabilities that can be exploited to remotely open garage doors, and take control of alarms and smart plugs.

 

April 5, 2023 By Eduard Kovacs

 

Texas-based smart home product provider Nexx appears to have ignored repeated attempts to report serious vulnerabilities that can be exploited by hackers to remotely open garage doors, and take control of alarms and smart plugs. 

Nexx offers smart alarms, garage door controllers, and smart plugs, all of which can be controlled remotely from a dedicated mobile application. 

Researcher Sam Sabetan discovered that these products are affected by serious vulnerabilities in late 2022 and disclosed their details on Tuesday. 

 

>> Full Article <<

1 reply

TripleHelix
Moderator
Forum|alt.badge.img+63
  • Moderator
  • 8902 replies
  • April 9, 2023

The Uninvited Guest: IDORs, Garage Doors, and Stolen Secrets

 

Photo from Nexx’s website

Introduction

In late 2022, while conducting independent security research, I discovered a series of critical vulnerabilities in Nexx’s smart device product line, which encompasses Smart Garage Door Openers, Alarms, and Plugs. These vulnerabilities enabled remote attackers to open and close garage doors, take control of alarms, and switch smart plugs on and off for any customer.

I collaborated closely with The United States Department of Homeland Security Cybersecurity and Infrastructure Security Agency (“CISA”) to responsibly disclose the research results. CISA assigned the following five CVEs:

  1. Use of Hard-coded Credentials CWE-798 (CVE-2023–1748, CVSS3.0: 9.3)
  2. Authorization Bypass Through User-Controlled Key CWE-639 (CVE-2023–1749, CVSS3.0: 6.5)
  3. Authorization Bypass Through User-Controlled Key CWE-639 (CVE-2023–1750, CVSS3.0: 7.1)
  4. Improper Input Validation CWE-20 (CVE-2023–1751, CVSS3.0: 7.5)
  5. Improper Authentication Validation CWE-287 (CVE-2023–1752, CVSS3.0: 8.1)

More details can be found on CISA’s disclosure ICSA-23–094–01.

Nexx has not replied to any correspondence from myself, DHS (CISA and US-CERT) or VICE Media Group. I have independently verified Nexx has purposefully ignored all our attempts to assist with remediation and has let these critical flaws continue to affect their customers.

Disclosure Timeline

04 Jan 2023 — Initial contact on Nexx’s Support Website (ticket closed)
06 Jan 2023 — Follow-up on initial contact (ticket closed)
09 Jan 2023 — Reached out directly to Nexx’s founder via personal Gmail identified in FCC filings
17 Jan 2023 — Follow-up on Nexx’s Support Website
20 Jan 2023 — Opened case with CISA to coordinate efforts in reaching out to Nexx
21 Feb 2023 — Follow-up on Nexx’s Support Website, reminding them of disclosure dates
22 Feb 2023 — CISA informed me they were unable to establish contact and began escalation with their federal team
16 Mar 2023 — CISA’s federal team was unable to establish contact with Nexx; CISA recommended public advisory
22–24 Mar 2023 — VICE attempted to contact Nexx via support and social media and received no response
30 Mar 2023 — CISA confirms public advisory
04 Apr 2023 — Public release

FAQ
What is the issue at a high level?

Anyone can open garage doors belonging to others from anywhere in the world. Smart Garage Controllers can be searched for and opened based on an email address, deviceId, or first name and last initial.

Which devices are affected, and how many are impacted?

The vulnerabilities discussed in this post primarily involve the Smart Garage Door Controller and Smart Plugs, but the Smart Alarm is also susceptible to a similar class of vulnerabilities. As a result, all Nexx devices are affected by the vulnerabilities described here. It is estimated that over 40,000 devices, located in both residential and commercial properties, are impacted. Furthermore, I determined that more than 20,000 individuals have active Nexx accounts.

How is this issue being addressed?

Nexx has consistently ignored communication attempts from myself, the Department of Homeland Security, and the media. Device owners should immediately unplug all Nexx devices and create support tickets with the company requesting them to remediate the issue.

CVE-2023-1748 — Leaked Secrets and MQTT Exploitation

The Nexx Home mobile app, compatible with both Android and iOS, helps users set up their new devices. Connecting a new device to your Nexx account involves a five-step process:

  1. The user uses the Nexx Home mobile app to register their new Nexx device with the Nexx Cloud.
  2. Behind the scenes, the Nexx Cloud returns a password for the device to use for secure communications with the Nexx Cloud.
  3. The password is transmitted to the user’s phone and sent to the Nexx device using Bluetooth or WiFi.
  4. The Nexx device establishes an independent connection with the Nexx Cloud using the provided password.
  5. The user can now operate their garage door remotely using the Nexx Mobile App.

 

Full Article


Reply