Jump to content
  • Hackers can open Nexx garage doors remotely, and there's no fix

    alf9872000

    • 492 views
    • 4 minutes
     Share


    • 492 views
    • 4 minutes

    Multiple vulnerabilities discovered Nexx smart devices can be exploited to control garage doors, disable home alarms, or smart plugs.

     

    There are five security issues disclosed publicly, with severity scores ranging from medium to critical that the vendor has yet to acknowledge and fix.

     

    The most significant discovery is the use of universal credentials that are hardcoded in the firmware and also easy to obtain from the client communication with Nexx's API.

     

    The vulnerability can also be exploited to identify Nexx users, allowing an attacker to collect email addresses, device IDs, and first names.

     

    A video showing the impact of the security flaw, tracked as CVE-2023–1748, is available below. It could be used to open any Nexx-controlled garage door. 

     

     

    On January 4, independent security researcher Sam Sabetan published a writeup about the flaws, explaining how an attacker could leverage them in real life.

     

    It is estimated that there are at least 40,000 Nexx devices associated with 20,000 accounts. Due to the severity of the security problem, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also published a relevant alert.

     

    CISA warns owners of Nexx products that attackers could access sensitive information, execute API requests, or hijack their devices.

    Vulnerability details

    Sabetan discovered the vulnerabilities listed below, which affect Nexx Garage Door Controllers NXG-100B and NGX-200 running version nxg200v-p3-4-1 or older, the Nexx Smart Plug NXPG-100W running version nxpg100cv4-0-0 and older, and Nexx Smart Alarm NXAL-100 running version nxal100v-p1-9-1 and older.

     

    • CVE-2023-1748: Use of hardcoded credentials in the mentioned devices, allowing anyone to access the MQ Telemetry Server and control any customer’s devices remotely. (CVSS score: 9.3)
    • CVE-2023-1749: Improper access control on API requests send to valid device IDs. (CVSS score: 6.5)
    • CVE-2023-1750: Improper access control allowing attackers to retrieve device history, information, and change its settings. (CVSS score: 7.1)
    • CVE-2023-1751: Improper input validation, failing to correlate the token in the authorization header with the device ID. (CVSS score: 7.5)
    • CVE-2023-1752: Improper authentication control allowing any user to register an already registered Nexx device using its MAC address. (CVSS score: 8.1)

     

    mac-address.jpg

    Hijacking an account using the device's MAC address (Sabetan)

     

    The most severe of the five flaws, CVE-2023-1748, is the result of Nexx Cloud setting a universal password for all newly registered devices via the Android or iOS Nexx Home mobile app.

     

    api-leak.jpg

    API response leaking account credentials (Sabetan)

     

    This password is available on both the API data exchange and the firmware shipped with the device, so it is easy for attackers to obtain it and send commands to the devices via the MQTT server, which facilitates communication for Nexx’s IoTs.

     

    mqtt.jpg

    Publicly available MQTT data (Sabetan)

     

    Despite the researcher’s multiple attempts to report the flaws to Nexx, all messages remained without a reply, causing the issues to remain unpatched.

     

    “Nexx has not replied to any correspondence from myself, DHS (CISA and US-CERT) or VICE Media Group. I have independently verified Nexx has purposefully ignored all our attempts to assist with remediation and has let these critical flaws continue to affect their customers” - Sam Sabetan

     

    BleepingComputer has independently contacted Nexx to request a comment on the above, but we have not received a response by the time of publication.

     

    In the meantime, to mitigate the risk from these attacks until a fixing patch is made available by the vendor, it is recommended to disable internet connectivity for your Nexx devices, place them behind firewalls, and isolate them from mission-critical networks.

     

    If it is necessary to access or control Nexx devices remotely, only do so through a VPN (virtual private network) connection that encrypts the data transmissions.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...