Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

IoT Security

Nexx Ignores Vulnerabilities Allowing Hackers to Remotely Open Garage Doors

Nexx has ignored repeated attempts to report critical product vulnerabilities that can be exploited to remotely open garage doors, and take control of alarms and smart plugs.

Texas-based smart home product provider Nexx appears to have ignored repeated attempts to report serious vulnerabilities that can be exploited by hackers to remotely open garage doors, and take control of alarms and smart plugs. 

Nexx offers smart alarms, garage door controllers, and smart plugs, all of which can be controlled remotely from a dedicated mobile application. 

Researcher Sam Sabetan discovered that these products are affected by serious vulnerabilities in late 2022 and disclosed their details on Tuesday. 

The US Cybersecurity and Infrastructure Security Agency (CISA) has also released an advisory to warn individuals and organizations using Nexx products about the flaws identified by the researcher. The agency said the impacted products are used by commercial facilities worldwide.

Sabetan and CISA said their attempts to report the vulnerabilities to Nexx were ignored. SecurityWeek has also reached out to Nexx for comment.

The researcher has discovered five types of vulnerabilities, most of which have been assigned ‘high’ or ‘critical’ severity ratings. The list of issues includes the use of hardcoded credentials, authorization bypass flaws that can be leveraged to execute unauthorized actions, information disclosure issues, and improper authentication.

In a real world attack scenario, an attacker can exploit these vulnerabilities to open or close garage doors remotely over the internet, hijack any alarm system, and turn on/off smart plugs connected to household appliances. 

In order to conduct an attack, the hacker only needs the targeted user’s device ID, email address, name, or MAC address, depending on the type of device they are targeting.  

Advertisement. Scroll to continue reading.

A video demo made by the researcher shows how a hacker can obtain the information of hundreds of users.

“It is estimated that over 40,000 devices, located in both residential and commercial properties, are impacted. Furthermore, I determined that more than 20,000 individuals have active Nexx accounts,” Sabetan explained. 

Related: Aiphone Intercom System Vulnerability Allows Hackers to Open Doors

Related: Vulnerabilities in HID Mercury Access Controllers Allow Hackers to Unlock Doors

Related: Nuki Smart Lock Vulnerabilities Allow Hackers to Open Doors

Related: Vulnerability in IDEMIA Biometric Readers Allows Hackers to Unlock Doors

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

The US arm of networking giant TP-Link has appointed Adam Robertson as Director of Information and Security.

Raj Dodhiawala has been named Chief Product Officer at Eclypsium.

Cyber exposure management firm Armis has promoted Alex Mosher to President.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.