The market-leading garage door control unit is riddled with security and privacy vulnerabilities so severe that the researcher who discovered them advises anyone using it to unplug it immediately until they can be fixed.
Every $80 device, used to open and close garage doors, control home security alarms, and switch smart plugs on and off, uses the same easy-to-find, universal password to communicate with Nexx servers. The controllers also broadcast each customer's email address, device ID, and first and last name unencrypted, along with the message required to open or close the door, turn the smart plug on or off, or schedule such a command for a later time.
Disconnect all Nexx devices immediately
The result: anyone with a moderate technical background can search Nexx servers for an email address, device ID, or name, and then send commands to the associated controller. (Nexx controllers for home security alarms are vulnerable to a similar class of flaws.) The commands open the door, turn off a device connected to a smart plug, or disarm the alarm. Worse still, Texas-based Nexx has failed to respond to multiple private messages warning of the vulnerabilities over the past three months.
“Device owners should disconnect all Nexx devices immediately and create support tickets with the company asking them to resolve the issue,” the researcher who discovered the vulnerabilities wrote in a post published Tuesday.
The researcher estimates that more than 40,000 devices, located in residential and commercial properties, are affected and that more than 20,000 people have active Nexx accounts.
Nexx controllers allow people to use their phones or voice assistants to open and close garage doors, either on demand or at specific times of day. The devices can also be used to control home security alarms and smart plugs that turn appliances on or off remotely. The centerpiece of this system is a set of servers managed by Nexx, with which the phone or voice assistant and the garage door opener communicate. The five-step process for registering a new device looks like this:
- The user uses the Nexx Home mobile app to register the new Nexx device with the Nexx Cloud.
- Behind the scenes, Nexx Cloud returns a device password for use in secure communications with Nexx Cloud.
- The password is sent to the user’s phone, which relays it to the Nexx device over Bluetooth or Wi-Fi.
- The Nexx device establishes a separate connection to the Nexx Cloud using the provided password.
- The user can now operate the garage door remotely using the Nexx mobile app.
Here is an explanation of the process:
An easy-to-find generic password
To do all this, the controllers use a lightweight protocol called MQTT. Short for Message Queuing Telemetry Transport, it is used in low-bandwidth, high-latency, or otherwise unstable networks to promote efficient and reliable communication between devices and cloud services. To do this, Nexx uses a publish/subscribe model, in which messages are exchanged between participating devices (phone, voice assistant, garage door opener) and a central broker (the Nexx cloud).
Researcher Sam Sabetan discovered that the devices all use the same password to communicate with the Nexx cloud. Additionally, this password is easily recovered simply by analyzing the firmware that ships with the device or the traffic between the device and the Nexx cloud.
“Using a common password for all devices is a major security vulnerability, as unauthorized users can access the entire ecosystem by obtaining the shared password,” the researcher wrote. “By doing so, they can compromise not only the privacy but also the security of Nexx customers by controlling their garage doors without their consent.”
When Sabetan used this password to access the server, he quickly found not only the traffic between his own device and the cloud, but also the traffic between other Nexx devices and the cloud. This meant he could sift through other users’ email addresses, last names, first initials, and device IDs to identify customers based on the unique information shared in those messages.
It gets worse. Sabetan could copy messages sent by other users to open their doors and replay them at will, from anywhere in the world. A simple copy-and-paste operation was enough to control any Nexx device, no matter where it was.
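The registration steps listed above hand every controller a password, and the publish/subscribe exchange and the message replay described in the last few paragraphs come down to what that password and those messages are bound to. As an added illustration, not code from Nexx or from the researcher's write-up, the following Python model of an MQTT-style broker is run twice: once with a single shared password, no topic access control, and plaintext payloads carrying the owner's identity, and once with per-device credentials, a topic ACL, identity-free payloads, and commands authenticated with a per-device HMAC key and a sequence number. The broker, topics, usernames, passwords, keys, and payloads are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed simulation: broker, topics, credentials, keys and payloads are invented here, not Nexx's.


class Broker:
    """In-memory stand-in for an MQTT broker: login, optional per-user topic ACL, message fan-out."""
    def __init__(self, users, acl=None):
        self.users = users  # username -> password
        self.acl = acl      # username -> set of exact topics allowed (so wildcards are refused); None = no ACL
        self.subs = []      # (topic_filter, callback)

    def connect(self, username, password):
        if not hmac.compare_digest(self.users.get(username, ""), password):
            raise PermissionError(f"bad credentials for {username}")
        return username  # the 'session' is just the authenticated username

    def _allowed(self, session, topic):
        return self.acl is None or topic in self.acl.get(session, set())

    def subscribe(self, session, topic_filter, callback):
        if not self._allowed(session, topic_filter):
            raise PermissionError(f"{session} may not subscribe to {topic_filter}")
        self.subs.append((topic_filter, callback))

    def publish(self, session, topic, payload):
        if not self._allowed(session, topic):
            raise PermissionError(f"{session} may not publish to {topic}")
        for flt, callback in self.subs:  # MQTT-style: a trailing '#' matches any remaining levels
            if flt == topic or (flt.endswith("#") and topic.startswith(flt[:-1])):
                callback(topic, payload)


def sign_command(key, device_id, action, seq):
    """Command bound to one device and one sequence number, with an HMAC over all of it."""
    body = {"device": device_id, "action": action, "seq": seq}
    body["mac"] = hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()
    return json.dumps(body)


class Controller:
    """Garage-door controller: with key=None it acts on any command; with a key it checks MAC and sequence."""
    def __init__(self, device_id, key=None):
        self.device_id, self.key = device_id, key
        self.last_seq, self.opened, self.rejected = -1, 0, []

    def _check(self, msg):
        mac = msg.pop("mac", "")
        expected = hmac.new(self.key, json.dumps(msg, sort_keys=True).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return "bad mac"  # also covers commands produced with another device's key
        if msg.get("seq", -1) <= self.last_seq:
            return "replay"  # an already-seen command is never accepted twice, however it was obtained
        self.last_seq = msg["seq"]
        return "ok"

    def on_command(self, topic, payload):
        msg = json.loads(payload)
        verdict = "ok" if self.key is None else self._check(msg)
        if verdict != "ok":
            self.rejected.append(verdict)
        elif msg.get("action") == "open":
            self.opened += 1


def run_shared_password_design():
    # Design 1: one username/password for every device, no ACL, plaintext payloads carrying the owner's identity.
    broker = Broker(users={"device": "shared-password"})
    door = Controller("dev-1")
    broker.subscribe(broker.connect("device", "shared-password"), "commands/dev-1", door.on_command)
    observed = []  # a second client logging in with the same credentials and subscribing to '#'
    broker.subscribe(broker.connect("device", "shared-password"), "#", lambda t, p: observed.append(p))
    owner_cmd = json.dumps({"device": "dev-1", "action": "open", "email": "owner@example.com", "name": "A. Owner"})
    broker.publish("device", "commands/dev-1", owner_cmd)
    broker.publish("device", "commands/dev-1", observed[0])  # the captured bytes, republished unchanged
    return {"leaked_email": json.loads(observed[0])["email"], "door_opened": door.opened}


def run_per_device_design():
    # Design 2: per-device credentials, ACL scoping each client to its own topic, no identity in payloads,
    # commands carrying a sequence number and an HMAC under a key provisioned at registration.
    key = b"per-device-key-for-dev-1"
    broker = Broker(users={"dev-1": "pw-dev-1", "dev-2": "pw-dev-2", "phone-owner": "pw-phone"},
                    acl={"dev-1": {"commands/dev-1"}, "dev-2": {"commands/dev-2"}, "phone-owner": {"commands/dev-1"}})
    door = Controller("dev-1", key=key)
    broker.subscribe(broker.connect("dev-1", "pw-dev-1"), "commands/dev-1", door.on_command)
    try:  # a different registered device asking for a wildcard subscription is refused
        broker.subscribe(broker.connect("dev-2", "pw-dev-2"), "#", lambda t, p: None)
        acl_blocked = False
    except PermissionError:
        acl_blocked = True
    phone = broker.connect("phone-owner", "pw-phone")
    cmd = sign_command(key, "dev-1", "open", seq=1)
    broker.publish(phone, "commands/dev-1", cmd)
    broker.publish(phone, "commands/dev-1", cmd)  # same bytes again: rejected as a replay
    broker.publish(phone, "commands/dev-1", sign_command(b"wrong-key", "dev-1", "open", seq=2))
    return {"acl_blocked": acl_blocked, "door_opened": door.opened, "rejected": door.rejected}
```

`run_shared_password_design()` reproduces both problems the article describes in one place: the second subscriber reads the owner's email address out of the command, and republishing the captured bytes opens the door a second time. In `run_per_device_design()` the wildcard subscription is refused by the ACL before any message flows, the replayed command is rejected because its sequence number is not greater than the last one accepted, and a command produced under a different key fails the MAC check. A real deployment would also put TLS with server certificates under the MQTT connection, but credential scoping and binding each command to a device and a counter are the two changes that remove the class of problem described here.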
Here is a proof-of-concept video showing the hack:
This episode brings to mind the well-worn cliché that the S in IoT, short for the umbrella term Internet of Things, stands for security. While many IoT devices provide convenience, an alarming number are designed with minimal security protections. Outdated firmware with known vulnerabilities and no way to update it is typical, as are myriad flaws such as hardcoded credentials, authorization bypasses, and faulty authentication checks.
Anyone using a Nexx device should seriously consider disabling it and replacing it with something else, although the usefulness of this advice is limited, as there is no guarantee that the alternatives will be any safer.
With so many devices at risk, the US Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory suggesting users take defensive measures, including:
- Minimizing network exposure for all control system devices and/or systems, and ensuring they are not accessible from the Internet.
- Locating control system networks and remote devices behind firewalls and isolating them from business networks.
- When remote access is required, using secure methods such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available, and that a VPN is only as secure as its connected devices.
Of course, it is impossible to follow these procedures while using Nexx controllers, which brings us back to the general insecurity of the Internet of Things and to Sabetan’s advice to simply abandon the product until a fix arrives, if it ever does.