![woman inside car using mobile phone to open garage. woman entering pin into smartphone while unlocking garage.](https://cdn.arstechnica.net/wp-content/uploads/2023/04/garage-door-opener-800x534.jpg)
Getty Images
A market-leading garage door controller is riddled with serious security and privacy vulnerabilities, so the researcher who discovered them advises anyone using one to immediately disconnect it until they are fixed.
Every $80 device used to open and close garage doors and control home security alarms and smart power plugs uses the same easy-to-find universal password to communicate with Nexx servers. The controllers also broadcast the unencrypted email address, device ID, first name, and last initial corresponding to each one, along with the message required to open or close a door, turn a smart plug on or off, or schedule such a command for a later time.
Immediately unplug all Nexx devices
The result: Anyone with a modest technical background can search the Nexx servers for a given email address, device ID, or name and then issue commands to the associated controller. (Nexx controllers for home security alarms are susceptible to a similar class of vulnerabilities.) Commands allow opening a door, turning off a device connected to a smart plug, or disarming the alarm. Worse, over the past three months, staff for Texas-based Nexx have not responded to numerous private messages warning of vulnerabilities.
“Nexx continues to ignore communication attempts from myself, the Department of Homeland Security, and the media,” wrote the researcher who discovered the vulnerabilities in a post published on Tuesday. “Device owners should immediately unplug all Nexx devices and create support tickets with the company asking them to fix the issue.”
The researcher estimates that more than 40,000 devices, located in residential and commercial properties, were affected and more than 20,000 individuals have active Nexx accounts.
Nexx controllers allow people to use their phones or voice assistants to open and close their garage doors, either on command or at set times of the day. The devices can also be used to control home security alarms and smart plugs used to remotely turn appliances on or off. The hub of this system is servers operated by Nexx, to which the telephone or voice assistant and garage door opener are connected. The five-step process for enrolling a new device looks like this:
- The user uses the Nexx Home mobile app to register their new Nexx device to the Nexx Cloud.
- Behind the scenes, Nexx Cloud returns a password for the device to be used for secure communications with Nexx Cloud.
- The password is sent to the user’s phone and sent to the Nexx device using Bluetooth or Wi-Fi.
- The Nexx device establishes an independent connection to the Nexx Cloud using the provided password.
- The user can now operate their garage door remotely using the Nexx Mobile App.
This is a description of the process:
![](https://cdn.arstechnica.net/wp-content/uploads/2023/04/nexx-opener-illustration.gif)
Sam Sabetan
A universal password that is easy to find
To do all this, controllers use a lightweight protocol known as MQTT. Short for Message Queuing Telemetry Transport, it is used in low-bandwidth, high-latency, or otherwise unstable networks to promote efficient and reliable communication between devices and cloud services. To do this, Nexx uses a publish-to-subscribe model, where a message is sent between the subscribed devices (the phone, voice assistant, and garage door opener) and a central broker (the Nexx cloud).
Researcher Sam Sabetan found that the devices use the same password to communicate with the Nexx cloud. Furthermore, this password can be easily obtained simply by examining the firmware shipped with the device or the back-and-forth communication between a device and the Nexx cloud.
“The use of a universal password for all devices presents a significant vulnerability, as unauthorized users can access the entire ecosystem by obtaining a shared password,” the researcher wrote. “In doing so, they could compromise not only the privacy but also the safety of Nexx customers by controlling their garage doors without their consent.”
When Sabetan used this password to access the server, he quickly saw not only communications between his device and the cloud but also communications for other Nexx devices and the cloud. That means he can check other users’ email addresses, last names, first initials, and device IDs to identify customers based on the unique information shared in these messages.
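The difference between a universal password and the per-device password the enrollment steps describe can be shown with a toy broker. This is an added example, not code from the researcher or from Nexx; the `devices/<id>/cmd` topic layout, the device IDs and the shared password string are constructed for illustration.

```python
import hashlib, hmac, secrets

SHARED_PASSWORD = "constructed-universal-password"  # constructed stand-in, not a real value

def topic_matches(filt, topic):
    """MQTT filter matching: '+' matches one level, '#' matches the rest."""
    f, t = filt.split("/"), topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return True
        if i >= len(t) or part not in ("+", t[i]):
            return False
    return len(f) == len(t)

class Broker:
    """Toy broker: authenticate the client, then authorize its subscription filter."""
    def __init__(self, per_device):
        self.per_device = per_device
        self.verifiers = {}  # device_id -> SHA-256 of that device's password

    def enroll(self, device_id):
        # Enrollment step 2: the cloud returns the password the device will use.
        if any(c in device_id for c in "+#/"):
            raise ValueError("device ID must not contain MQTT wildcards or separators")
        pw = secrets.token_urlsafe(32) if self.per_device else SHARED_PASSWORD
        self.verifiers[device_id] = hashlib.sha256(pw.encode()).digest()
        return pw

    def may_subscribe(self, device_id, password, filt):
        known = self.verifiers.get(device_id)
        given = hashlib.sha256(password.encode()).digest()
        if known is None or not hmac.compare_digest(known, given):
            return False
        if not self.per_device:
            return True  # weak model: one credential unlocks every topic
        # Hardened model: the first two topic levels must literally name this client.
        return filt.split("/")[:2] == ["devices", device_id]

def visible_topics(broker, device_id, password, filt, published):
    """Topics from `published` that this client would actually receive."""
    if not broker.may_subscribe(device_id, password, filt):
        return []
    return [t for t in published if topic_matches(filt, t)]

PUBLISHED = ["devices/garage-A/cmd", "devices/garage-B/cmd"]  # constructed topics
```

With `Broker(per_device=False)` every enrolled device receives the same password and any filter is honored; with `Broker(per_device=True)` a client is confined to its own `devices/<id>/` subtree.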
But it gets worse still. Sabetan can copy messages issued by other users to open their doors and replay them at will, from anywhere in the world. That means a simple cut-and-paste operation is enough to control any Nexx device no matter where it is located.
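A copied command only works a second time if the receiving controller has no way to tell a fresh message from an old one. The sketch below is an added example, not Nexx's protocol or the researcher's code: it assumes a hypothetical per-device key, a JSON message body and a monotonically increasing counter, and shows a controller rejecting replayed, tampered and misaddressed commands.

```python
import hashlib, hmac, json

def sign_command(key, device_id, action, counter):
    """Cloud side: bind the action to one device and one counter value."""
    body = json.dumps({"device": device_id, "action": action, "ctr": counter},
                      sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).digest()

class Controller:
    """Device side: accept a command only if it is authentic, addressed here, and fresh."""
    def __init__(self, device_id, key):
        self.device_id = device_id
        self.key = key          # per-device key (assumption: provisioned at enrollment)
        self.last_ctr = 0       # a real device would persist this across reboots

    def accept(self, body, tag):
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"
        msg = json.loads(body)  # safe to parse: the body is authenticated
        if msg["device"] != self.device_id:
            return "rejected: wrong device"
        if msg["ctr"] <= self.last_ctr:
            return "rejected: replay"
        self.last_ctr = msg["ctr"]
        return "accepted: " + msg["action"]
```

Message-level authentication of this kind complements broker-side access control: even a party that can observe the traffic cannot reuse or alter what it sees.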
A proof-of-concept video demonstrating the hack follows:
NexxHome Smart Garage Vulnerability – CVE-2023-1748.
This event brings to mind the tired cliché that the S in IoT—short for the umbrella term Internet of Things—stands for security. While many IoT devices provide convenience, an alarming number of them are designed with minimal security protections. Outdated firmware with known vulnerabilities and the inability to update are common, as are numerous flaws such as hardcoded credentials, authorization bypass, and incorrect authentication verification.
Anyone using a Nexx device should seriously consider disabling it and replacing it with something else, although the usefulness of this advice is limited as there is no guarantee that alternatives will be safer.
With so many devices at risk, the US Cybersecurity and Infrastructure Security Agency released an advisory that suggests that users take defensive measures, including:
- Minimizing network exposure for all control system devices and/or systems, and ensuring that they are not accessible from the Internet.
- Locating control system networks and remote devices behind firewalls and isolating them from business networks.
- When remote access is required, using secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the latest version available. Also recognize that a VPN is only as secure as the devices it’s connected to.
Of course, those measures are impossible to deploy when using Nexx controllers, which brings us back to the general insecurity of the IoT and Sabetan’s advice to simply remove the product unless or until a fix comes along.