2023-04-06

Security researcher Sam Sabetan has uncovered numerous severe security vulnerabilities in the systems of one of the world’s leading providers of smart garage door controllers — Nexx.

Sabetan analyzed Nexx’s smart device product line in late 2022 and found critical flaws in the company’s garage door openers, alarms, and smart plugs.

The vulnerabilities could allow attackers to easily open and close garage doors, control alarm systems, and turn smart plugs on or off.

One of the big problems is that all of Nexx’s garage door controllers use the same easy-to-find universal password to communicate with the company’s servers.

“Using a universal password for all devices presents a significant vulnerability, as unauthorized users can access the entire ecosystem by obtaining the shared password,” Sabetan explained.

“In doing so, they could compromise not only the privacy but also the safety of Nexx’s customers by controlling their garage doors without their consent.”

“In addition to being widely available in Nexx’s API, the hardcoded password is also publicly available in the firmware shipped with the device.”

Furthermore, the controllers also broadcast the unencrypted email address, device ID, first name, and last initial linked to each controller, as well as the message needed to operate the devices or schedule commands for later.

“Smart garage controllers can be searched for and opened based on an email address, deviceId, or first name and last initial,” Sabetan explained.

The alarm controllers were found to be susceptible to similar vulnerabilities.
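The two design flaws described above (one password shared by every unit, and commands addressed by a device identifier that the server never ties back to the caller) can be illustrated with a small model of the server-side authorization check. The following is an added example written for this article, not Nexx's code or protocol; the device IDs, the shared password, the server key and the message shape are all constructed for the illustration. It contrasts the weak design, where anyone holding the one password can command any device, with a hardened design that derives a per-device credential from a server-held key and only lets a caller act on its own device.

```python
"""Model of device-to-server authorization: shared password vs per-device credential.

Constructed example; none of the identifiers or secrets are real.
"""
import hashlib
import hmac
import secrets

# --- Weak design: one password baked into every unit's firmware -----------------
# Constructed placeholder: in the weak design this value is identical on all devices,
# so anyone who reads it out of one unit (or out of the API) holds it for the fleet.
SHARED_PASSWORD = "firmware-wide-secret"


def weak_authorize(presented_password: str, target_device_id: str) -> bool:
    """Server check in the weak design.

    Knowing the single password is sufficient to issue a command to *any*
    target device ID; nothing binds the caller to the device it addresses.
    """
    return hmac.compare_digest(presented_password.encode(), SHARED_PASSWORD.encode())


# --- Hardened design: per-device credential derived from a server-side key -------
# Known only to the server; generated fresh here for the example.
SERVER_KEY = secrets.token_bytes(32)


def provision_device(device_id: str) -> str:
    """Derive the credential for one device at manufacture or registration.

    Stateless derivation (HMAC of the device ID under the server key) means the
    server needs no per-device database, and a leaked credential is only ever
    valid for the one device ID it was derived from.
    """
    return hmac.new(SERVER_KEY, device_id.encode(), hashlib.sha256).hexdigest()


def hardened_authorize(caller_device_id: str, credential: str, target_device_id: str) -> bool:
    """Server check in the hardened design.

    The credential must verify for the *caller's* own ID, and the caller may
    only act on itself, so a command addressed to someone else's device ID is
    rejected even with a valid credential.
    """
    expected = provision_device(caller_device_id)
    if not hmac.compare_digest(credential.encode(), expected.encode()):
        return False
    return caller_device_id == target_device_id


def blast_radius(fleet, leaked_caller_id: str, leaked_credential: str, design: str) -> int:
    """Count how many devices in `fleet` the holder of one leaked credential can command."""
    if design == "weak":
        return sum(weak_authorize(leaked_credential, dev) for dev in fleet)
    return sum(hardened_authorize(leaked_caller_id, leaked_credential, dev) for dev in fleet)


def scenario() -> dict:
    """Walk through both designs with a constructed five-device fleet."""
    fleet = [f"garage-{i:04d}" for i in range(5)]
    victim, other = "garage-0001", "garage-0002"
    other_cred = provision_device(other)
    return {
        # Weak: the password read out of unit 0002's firmware opens unit 0001 too.
        "weak_cross_device": weak_authorize(SHARED_PASSWORD, victim),
        "weak_blast_radius": blast_radius(fleet, other, SHARED_PASSWORD, "weak"),
        # Hardened: unit 0002's credential works on 0002 only.
        "hardened_own_device": hardened_authorize(other, other_cred, other),
        "hardened_cross_device": hardened_authorize(other, other_cred, victim),
        # Claiming to be 0001 while holding 0002's credential fails verification.
        "hardened_spoofed_caller": hardened_authorize(victim, other_cred, victim),
        "hardened_blast_radius": blast_radius(fleet, other, other_cred, "hardened"),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The point the model makes is the one Sabetan raises: with a shared secret the blast radius of a single firmware dump is the whole fleet, while a credential bound to a device ID on the server side limits it to one unit. Per-device credentials only help if the server also refuses commands whose target differs from the authenticated caller; the `target_device_id` comparison in `hardened_authorize` is the step that closes the "open any door by its device ID" path.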

Nexx keeps quiet

Sabetan said he collaborated with the United States Department of Homeland Security’s (DHS’s) Cybersecurity and Infrastructure Security Agency to responsibly disclose his findings.

That resulted in five CVEs being assigned, one for each of the vulnerabilities he discovered.

However, Nexx had not replied to multiple attempts at correspondence from him, the DHS, or Vice Media Group to acknowledge the issues or commit to patching them.

“Nexx has consistently ignored communication attempts from myself, the Department of Homeland Security, and the media,” said Sabetan.

Consequently, he recommended that device owners immediately unplug all Nexx devices and create support tickets with the company requesting that the issue be fixed.

“It is estimated that over 40,000 devices, located in both residential and commercial properties, are impacted,” Sabetan said.

“Furthermore, I determined that more than 20,000 individuals have active Nexx accounts.”

Sabetan posted a proof-of-concept video on YouTube showing how the garage door controller vulnerability could be exploited.

