Cybersecurity is important when you’re casually surfing the internet, but with many IoT devices finding their way into our daily lives, the emphasis on online security has never been greater. We recently saw LastPass succumb to a Plex vulnerability, but the threat is greater if bad actors gain remote access to your smart power outlets, lights, door locks, and garage door openers. Alarmingly, Nexx, a popular smart home hardware brand, has multiple vulnerabilities in its system allowing remote operation of its smart garage openers.

Nexx is a well-known gadgets brand operating in the US, selling smart garage door openers, alarm systems, and smart plugs. The garage door openers simply work with your existing hardware, enabling operation via Wi-Fi. Unfortunately, security researcher Sam Sabetan recently apprised Motherboard of multiple vulnerabilities in Nexx systems that could allow hackers to open garage doors remotely around the world.

The researcher shows that opening their garage door with the Nexx Home app is easy enough, but almost anyone can capture the data stream between a Nexx device and the company’s servers. This data is sent over a Message Queue Telemetry Transport (MQTT) stream, a protocol commonly used by smart home devices. Sabetan captured this traffic while using the app to close their own garage door and received not only their own device’s messages but also messages for 558 other Nexx devices.

The additional data includes device IDs, email addresses, and names. You can see where this is going, because any bad actor can easily use names and email addresses to identify someone and their residence, and then use the garage door hack to gain entry into their home. The remote trigger capability of this hack is an added danger, because you may never know why your garage door keeps opening and closing on its own. Pets left in empty garage spaces could also be let loose if hackers open the door. Sabetan also summarized the findings in an unlisted YouTube video, submitted to Nexx as a proof of concept.
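The cross-device leak described in the two paragraphs above is, at its core, a broker letting one subscriber receive other devices’ MQTT traffic. The following is an added illustration, not Nexx’s or the researcher’s code, of the broker-side subscription check that prevents it: the `home/<device_id>/...` topic layout, the policy names, and the sample messages are constructed assumptions, since the article does not describe Nexx’s actual topic scheme or root cause.

```python
# Added example: per-device MQTT subscription authorization.
# Topic layout 'home/<device_id>/...' and all sample data are constructed.
from dataclasses import dataclass

PREFIX = "home"  # constructed topic namespace, e.g. home/<device_id>/door


@dataclass(frozen=True)
class Message:
    topic: str
    payload: str


def filter_matches(topic_filter: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' matches one level, '#' the rest."""
    f, t = topic_filter.split("/"), topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return True
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(f) == len(t)


def permissive_policy(device_id: str, topic_filter: str) -> bool:
    """Any authenticated client may subscribe to any filter (the weak setting)."""
    return True


def per_device_policy(device_id: str, topic_filter: str) -> bool:
    """Only filters pinned to the caller's own device id are allowed:
    the device level must be a literal equal to device_id, never '+' or '#'."""
    levels = topic_filter.split("/")
    return len(levels) >= 2 and levels[0] == PREFIX and levels[1] == device_id


def deliver(policy, device_id, topic_filter, messages):
    """Messages a subscriber would receive under the given broker policy."""
    if not policy(device_id, topic_filter):
        return []  # subscription refused by the broker
    return [m for m in messages if filter_matches(topic_filter, m.topic)]


# Constructed sample traffic from three devices sharing one broker.
SAMPLE = [
    Message("home/dev-001/door", "close"),
    Message("home/dev-002/door", "open"),
    Message("home/dev-003/door", "open"),
]

if __name__ == "__main__":
    print(len(deliver(permissive_policy, "dev-001", "home/+/door", SAMPLE)))    # 3
    print(len(deliver(per_device_policy, "dev-001", "home/+/door", SAMPLE)))    # 0
    print(len(deliver(per_device_policy, "dev-001", "home/dev-001/door", SAMPLE)))  # 1
```

Under the permissive policy a single-level wildcard subscription returns every device’s door commands, which is the shape of the leak the researcher observed; the per-device policy rejects any filter that is not pinned to the subscriber’s own device.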

Since this is an active vulnerability, Sabetan didn’t delve into greater detail, but the bigger worry here is the affected brand’s nonchalance. The security researcher shared their findings with Nexx in January and even escalated the matter to Nexx’s founder, but the company didn’t respond to Sabetan’s communication. However, the support team confirmed the vulnerability’s existence when Sabetan contacted them as an average Nexx user, proving the company’s willful ignorance of a grave security risk.

To mitigate the active risk to consumers, Sabetan worked with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS-CISA) to assign five CVEs (identifier tags) to the active vulnerabilities. Nexx also ignored CISA and Motherboard’s independent attempts to elicit a response. As a result, CISA has issued a public advisory, but the loopholes are still wide open.

If you have Nexx smart home hardware, we strongly suggest you disconnect the device from your garage door opener to avert potential security incidents. If you cannot live without one, consider perusing our favorite smart garage door openers.