If you have a Nexx brand WiFi garage door opener, now would be a good time to uninstall it. A security researcher has discovered a number of vulnerabilities that allow hackers anywhere in the world to remotely open any Nexx-equipped garage door, and detailed it in a blog post on Medium. Worst of all, the company has made no attempt to fix things.
First reported by Motherboard, security researcher Sam Sabetan discovered the critical vulnerabilities in Nexx’s smart device product line while conducting independent security research. Although he also found vulnerabilities in Nexx’s smart alarms and plugs, it’s the WiFi connected Smart Garage Door Opener that presents the biggest issue.
As Sabetan explains it, when a user sets up a new Nexx device using the Nexx Home mobile app, the device receives a password from the Nexx cloud service, supposedly to allow secure communication between the device and Nexx’s online services using a lightweight messaging protocol called MQTT (Message Queuing Telemetry Transport). MQTT uses the publish-subscribe model: clients never talk to each other directly, but publish messages to named topics on a central server (the broker), which forwards each message to every client subscribed to that topic. The protocol is small enough to run on resource-constrained devices and copes well with unreliable networks, but it leaves authentication and access control entirely to how the broker is configured, so a weak credential on one device can expose everything that passes through the broker.
When someone uses the Nexx app to open their garage door, the app doesn’t communicate directly with the door opener. Instead, it publishes a message to Nexx’s MQTT broker. The garage door opener is subscribed to the broker and, when it sees the relevant message, opens the door. This gives reliable performance and means your smartphone doesn’t have to be on the same network as your garage door opener, but it also means the broker is the only thing standing between anyone on the internet and your door. For that to be safe, every device using the service needs its own secure, unique password, and the broker must only let each device see and publish on its own topics.
That’s not the case, though. Sabetan discovered that all of the Nexx Garage Door Controllers and Smart Plugs have the exact same password.
In a video demonstrating the hack, Sabetan shows how he obtained the universal password by intercepting his Nexx Smart Garage Door Opener’s communications with the MQTT broker. With the intercepted credentials he was able to log into the broker and see the messages posted by the devices of hundreds of Nexx customers. These messages also revealed the email addresses, device IDs, and names of the account holders.
Worse, Sabetan was able to replay the message posted to the server by his device to open his garage door. Although he didn’t, he could have used the same technique to open the garage door of any Nexx user in the world. (He could also have turned on or off their smart plugs which would have been very annoying, but not as likely to be dangerous.)
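The eavesdrop-and-replay problem described above comes down to two broker settings: whether every client shares one credential, and whether the broker restricts each client to its own topics. The following added example (not Nexx’s code, and not taken from Sabetan’s write-up) stands up a toy in-memory pub/sub broker and runs the same attack against two configurations. The topic layout (`nexx/<device id>/command`), the credentials, the device IDs and the message payload are all constructed for illustration; nothing on the page specifies Nexx’s real topic names or message format.

```python
from collections import defaultdict


def topic_matches(topic_filter, topic):
    """MQTT-style matching: '+' matches exactly one level, '#' matches the rest."""
    f, t = topic_filter.split("/"), topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return True
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(f) == len(t)


class Broker:
    """Minimal in-memory broker with username/password auth and an optional
    per-user ACL mapping each username to the one topic prefix it may use."""

    def __init__(self, accounts, acl=None):
        self.accounts = accounts        # username -> password
        self.acl = acl                  # username -> allowed topic prefix, or None for no ACL
        self.subs = defaultdict(list)   # topic filter -> list of subscriber inboxes

    def _check(self, username, password, topic):
        if self.accounts.get(username) != password:
            raise PermissionError("bad credentials")
        if self.acl is not None:
            prefix = self.acl.get(username)
            if prefix is None or not topic.startswith(prefix):
                raise PermissionError(f"{username} may not use {topic}")

    def subscribe(self, username, password, topic_filter):
        # The ACL is applied to the literal part of the filter before any wildcard,
        # so 'nexx/#' is judged on the prefix 'nexx/'.
        self._check(username, password, topic_filter.split("+")[0].split("#")[0])
        inbox = []
        self.subs[topic_filter].append(inbox)
        return inbox

    def publish(self, username, password, topic, payload):
        self._check(username, password, topic)
        for topic_filter, inboxes in self.subs.items():
            if topic_matches(topic_filter, topic):
                for inbox in inboxes:
                    inbox.append((topic, payload))


VICTIM, ATTACKER = "dev-1111", "dev-2222"   # constructed device IDs


def run_scenario(broker, victim_creds, attacker_creds):
    """Victim's opener subscribes to its command topic, the victim's app publishes
    'open', and an attacker tries first to eavesdrop and then to replay."""
    door = broker.subscribe(*victim_creds, f"nexx/{VICTIM}/command")
    try:
        sniffed = broker.subscribe(*attacker_creds, "nexx/#")   # watch every device
    except PermissionError:
        sniffed = None
    # Constructed payload: the page says real messages carried account e-mail addresses.
    broker.publish(*victim_creds, f"nexx/{VICTIM}/command",
                   {"cmd": "open", "email": "victim@example.com"})
    replayed = False
    if sniffed:
        topic, payload = sniffed[-1]          # replay the captured message verbatim
        try:
            broker.publish(*attacker_creds, topic, payload)
            replayed = True
        except PermissionError:
            pass
    return {"attacker_saw": bool(sniffed), "door_opens": len(door), "replayed": replayed}


def shared_password():
    """Every device and app instance ships with one username/password and no ACL."""
    creds = ("nexx", "same-for-everyone")
    return run_scenario(Broker({"nexx": "same-for-everyone"}), creds, creds)


def per_device_credentials():
    """Each device gets its own password and is confined to its own topic prefix."""
    broker = Broker(
        {VICTIM: "victim-secret", ATTACKER: "attacker-secret"},
        acl={VICTIM: f"nexx/{VICTIM}/", ATTACKER: f"nexx/{ATTACKER}/"},
    )
    return run_scenario(broker, (VICTIM, "victim-secret"), (ATTACKER, "attacker-secret"))


if __name__ == "__main__":
    print("shared password:      ", shared_password())
    print("per-device credentials:", per_device_credentials())
```

In the shared-password configuration the attacker subscribes to `nexx/#`, reads the victim’s command together with the e-mail address in it, and a replay opens the door a second time. With per-device credentials and an ACL, the wildcard subscription and the publish to the victim’s topic are both refused, so the attacker’s own valid credential buys them nothing beyond their own device. Real brokers such as Mosquitto support exactly this split through a password file plus an ACL file. One caveat the toy does not cover: ACLs stop strangers, but a command captured from the victim’s own traffic could still be replayed by whoever captured it unless commands also carry a nonce or timestamp that the opener checks.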
Since Nexx IDs are tied to email addresses, this vulnerability potentially allows hackers to target specific Nexx users, or just randomly open garage doors because they can. And because the universal password is embedded directly in the devices, there is no way for users to change it or otherwise secure themselves.
Sabetan estimates that there are over 40,000 affected Nexx devices, and he determined that more than 20,000 people have active Nexx accounts. If you’re one of them, the only thing you can do is unplug your Nexx devices and open a support ticket with the company.
And as damning as all this is, Nexx’s lack of response makes things even worse. Sabetan first contacted Nexx support about the vulnerability in early January. The company ignored his report despite multiple follow-ups, but responded to an unrelated support question. In February, Sabetan contacted the US Cybersecurity and Infrastructure Security Agency (CISA) to report the vulnerabilities, and even CISA wasn’t able to get a reply from Nexx. Finally, Motherboard attempted to contact Nexx before running the story revealing the vulnerability publicly—of course, it heard nothing back.
Now, CISA has issued a public advisory notice about the vulnerabilities, and Sabetan and Motherboard have described them in detail. This means everything a hacker needs to know to exploit a Nexx Garage Door Opener, Smart Plug, or Smart Alarm is out in the wild. So if you have one of these devices, go and unplug it right now.