Multiple vulnerabilities discovered Nexx smart devices can be exploited to control garage doors, disable home alarms, or smart plugs.
There are five security issues disclosed publicly, with severity scores ranging from medium to critical that the vendor has yet to acknowledge and fix.
The most significant discovery is the use of universal credentials that are hardcoded in the firmware and also easy to obtain from the client communication with Nexx’s API.
The vulnerability can also be exploited to identify Nexx users, allowing an attacker to collect email addresses, device IDs, and first names.
A video showing the impact of the security flaw, tracked as CVE-2023–1748, is available below. It could be used to open any Nexx-controlled garage door.
On January 4, independent security researcher Sam Sabetan published a writeup about the flaws, explaining how an attacker could leverage them in real life.
It is estimated that there are at least 40,000 Nexx devices associated with 20,000 accounts. Due to the severity of the security problem, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also published a relevant alert.
CISA warns owners of Nexx products that attackers could access sensitive information, execute API requests, or hijack their devices.
Sabetan discovered the vulnerabilities listed below, which affect Nexx Garage Door Controllers NXG-100B and NGX-200 running version nxg200v-p3-4-1 or older, the Nexx Smart Plug NXPG-100W running version nxpg100cv4-0-0 and older, and Nexx Smart Alarm NXAL-100 running version nxal100v-p1-9-1 and older.
- CVE-2023-1748: Use of hardcoded credentials in the mentioned devices, allowing anyone to access the MQ Telemetry Server and control any customer’s devices remotely. (CVSS score: 9.3)
- CVE-2023-1749: Improper access control on API requests send to valid device IDs. (CVSS score: 6.5)
- CVE-2023-1750: Improper access control allowing attackers to retrieve device history, information, and change its settings. (CVSS score: 7.1)
- CVE-2023-1751: Improper input validation, failing to correlate the token in the authorization header with the device ID. (CVSS score: 7.5)
- CVE-2023-1752: Improper authentication control allowing any user to register an already registered Nexx device using its MAC address. (CVSS score: 8.1)
The most severe of the five flaws, CVE-2023-1748, is the result of Nexx Cloud setting a universal password for all newly registered devices via the Android or iOS Nexx Home mobile app.
This password is available on both the API data exchange and the firmware shipped with the device, so it is easy for attackers to obtain it and send commands to the devices via the MQTT server, which facilitates communication for Nexx’s IoTs.
Despite the researcher’s multiple attempts to report the flaws to Nexx, all messages remained without a reply, causing the issues to remain unpatched.
“Nexx has not replied to any correspondence from myself, DHS (CISA and US-CERT) or VICE Media Group. I have independently verified Nexx has purposefully ignored all our attempts to assist with remediation and has let these critical flaws continue to affect their customers” – Sam Sabetan
BleepingComputer has independently contacted Nexx to request a comment on the above, but we have not received a response by the time of publication.
In the meantime, to mitigate the risk from these attacks until a fixing patch is made available by the vendor, it is recommended to disable internet connectivity for your Nexx devices, place them behind firewalls, and isolate them from mission-critical networks.
If it is necessary to access or control Nexx devices remotely, only do so through a VPN (virtual private network) connection that encrypts the data transmissions.