The market-leading garage door controller is riddled with security and privacy vulnerabilities so severe that the researcher who discovered them advises anyone using it to unplug it immediately until they can be fixed.
Each $80 device, which can open and close garage doors, control home security alarms, and switch smart power plugs, uses the same easy-to-find generic password to communicate with the Nexx servers. The controllers also broadcast, unencrypted, the email address, device ID, and first and last name corresponding to each one, along with the message required to open or close the door, turn the smart plug on or off, or schedule such a command for a later time.
Disconnect all Nexx devices immediately
The result: anyone with a moderate technical background could search the Nexx servers for an email address, device ID, or name and then issue commands to the associated controller. (Nexx controllers for home security alarms are vulnerable to a similar class of flaws.) The commands allow the door to be opened, a device connected to a smart plug to be turned off, or the alarm to be disarmed. Even worse, over the past three months, Texas-based Nexx employees have not responded to multiple private messages warning of the vulnerabilities.
The researcher who discovered the vulnerabilities wrote in a post published Tuesday: “Device owners should disconnect all Nexx devices immediately and create support tickets with the company asking them to address the issue.”
The researcher estimates that more than 40,000 devices, located in residential and commercial properties, have been affected and more than 20,000 individuals have active Nexx accounts.
Nexx controllers allow people to use their phones or voice assistants to open and close garage doors, either on demand or at specific times of the day. The devices can also be used to control home security alarms and smart plugs that remotely turn appliances on or off. The centerpiece of this system is a set of servers run by Nexx, with which both the phone or voice assistant and the garage door opener communicate. The five-step process for registering a new device looks like this:
- The user uses the Nexx Home mobile app to register the new Nexx device with the Nexx Cloud.
- Behind the scenes, Nexx Cloud returns a device password for use in secure communications with Nexx Cloud.
- The password is sent to the user’s phone and relayed to the Nexx device over Bluetooth or Wi-Fi.
- The Nexx device establishes a separate connection with the Nexx Cloud using the provided password.
- The user can now operate the garage door remotely using the Nexx Mobile App.
Here is an explanation of the process:
A generic password that is easy to find
To do all this, the controllers use a lightweight protocol known as MQTT. Short for Message Queuing Telemetry Transport, it is used in low-bandwidth, high-latency, or otherwise unreliable networks to give devices and cloud services efficient, reliable communication. Nexx uses it in a publish-subscribe model, in which a single message is passed between the participating devices (phone, voice assistant, garage door opener) and a central broker (the Nexx cloud).
Researcher Sam Sabetan found that devices use the same password to communicate with the Nexx cloud. Furthermore, this password can easily be accessed simply by analyzing the firmware that shipped with the device or the back-and-forth communication between the device and the Nexx cloud.
“Using a common password for all devices is a major security vulnerability, as unauthorized users can gain access to the entire ecosystem by obtaining the shared password,” the researcher wrote. “By doing so, they can compromise not only the privacy but also the safety of Nexx customers by controlling their garage doors without their consent.”
When Sabetan used this password to connect to the server, he quickly found not only the connections between his own device and the cloud but also those between other Nexx devices and the cloud. That meant he could sift through other users’ email addresses, last names, first initials, and device IDs and identify customers from the unique information shared in those messages.
Things get worse. Sabetan could copy messages other users had issued to open their doors and replay them at will, from anywhere in the world. A simple cut-and-paste operation was enough to control any Nexx device, no matter where it was.
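The two design failures described above, one password shared by every device and door-opening messages that can be captured and replayed, can be illustrated with a small cloud-side verifier. The following is an added example written for this page, not Nexx’s code or anything from the researcher’s post. It assumes a hypothetical design in which the cloud issues each device its own key at registration and every command carries a timestamp and a single-use nonce under an HMAC, so a message captured from one device’s topic can be neither replayed nor redirected to another device. All device IDs, keys, and messages are constructed for the example.

```python
"""Added example (not from the article, the researcher, or Nexx): per-device keys plus a
timestamp and single-use nonce make a captured command useless on replay or against
another device. Every key, device ID and message here is constructed for illustration."""
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical per-device keys handed out by the cloud at registration (constructed data).
# With one shared password, as described in the article, this table would have a single
# entry and no check could tell one device's commands from another's.
DEVICE_KEYS = {
    "garage-0001": secrets.token_bytes(32),
    "garage-0002": secrets.token_bytes(32),
}

MAX_AGE_SECONDS = 30  # how long a signed command stays valid


def sign_command(device_id, action, key, now=None):
    """App side: bind a command to one device and one moment in time, then HMAC it."""
    body = {
        "device_id": device_id,
        "action": action,
        "ts": int(now if now is not None else time.time()),
        "nonce": secrets.token_hex(16),  # fresh per message; the cloud rejects repeats
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "tag": tag}


class CommandVerifier:
    """Cloud side: accept a command only with the right device key, a fresh timestamp
    and a nonce not seen before for that device."""

    def __init__(self, keys, max_age=MAX_AGE_SECONDS):
        self.keys = keys
        self.max_age = max_age
        self.seen = set()  # (device_id, nonce) pairs already accepted

    def verify(self, topic_device_id, message, now=None):
        now = int(now if now is not None else time.time())
        try:
            body = json.loads(message["payload"])
        except (KeyError, TypeError, ValueError):
            return False, "malformed"

        device_id = body.get("device_id")
        # The command must name the device whose topic it arrived on: a message lifted
        # from one door cannot be pointed at another.
        if device_id != topic_device_id or device_id not in self.keys:
            return False, "wrong device"

        expected = hmac.new(
            self.keys[device_id], message["payload"].encode(), hashlib.sha256
        ).hexdigest()
        if not hmac.compare_digest(expected, message.get("tag", "")):
            return False, "bad signature"

        if abs(now - int(body.get("ts", 0))) > self.max_age:
            return False, "expired"

        marker = (device_id, body.get("nonce"))
        if marker in self.seen:
            return False, "replay"  # exact copy of an earlier command
        self.seen.add(marker)
        return True, "ok"


if __name__ == "__main__":
    verifier = CommandVerifier(DEVICE_KEYS)
    cmd = sign_command("garage-0001", "open", DEVICE_KEYS["garage-0001"])
    print("first delivery:", verifier.verify("garage-0001", cmd))
    print("replayed copy: ", verifier.verify("garage-0001", cmd))
    print("other device:  ", verifier.verify("garage-0002", cmd))
```

The verifier is deliberately ordered so that the cheapest checks run first and the nonce is recorded only after the signature and timestamp pass; otherwise an unauthenticated sender could fill the replay cache. The timestamp window bounds how long the nonce set must be kept, which is what makes the replay check practical on a broker handling tens of thousands of devices.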
Here is a proof-of-concept video showing the hack:
This episode brings to mind the well-worn cliché that the S in IoT (the umbrella term for the Internet of Things) stands for security. While many IoT devices offer convenience, an alarming number are designed with minimal security protections. Outdated firmware with known vulnerabilities and no way to update is typical, as are myriad flaws such as hard-coded credentials, authorization bypasses, and broken authentication checks.
Anyone using a Nexx device should seriously consider disabling it and replacing it with something else, although the usefulness of this advice is limited since there is no guarantee that the alternatives will be any more secure.
With so many devices at risk, the US Cybersecurity and Infrastructure Security Agency has issued an advisory suggesting that users take defensive actions, including:
- Minimizing network exposure for all control system devices and/or systems, and ensuring that they are not accessible from the Internet.
- Locating control system networks and remote devices behind firewalls and isolating them from business networks.
- When remote access is required, using secure methods such as Virtual Private Networks (VPNs), while recognizing that VPNs may have vulnerabilities and should be updated to the most current version available, and that a VPN is only as secure as its connected devices.
Of course, it’s impossible to apply these measures to Nexx controllers, which brings us back to the general insecurity of the Internet of Things and to Sabetan’s advice to simply abandon the product unless and until a fix arrives.