A market-leading garage door controller is so riddled with serious security and privacy vulnerabilities that the researcher who discovered it advises anyone who uses one to unplug it immediately until they are fixed.
Every $80 device used to open and close garage doors and control home security alarms and smart plugs uses the same easy-to-find universal password to communicate with Nexx servers. The controllers also transmit, unencrypted, the email address, device ID, first name, and last initial corresponding to each one, along with the message required to open or close a door, turn a smart plug on or off, or schedule such a command for later.
Immediately disconnect all Nexx devices
The result: Anyone with moderate technical background can search the Nexx servers for a given email address, device ID, or name, and then issue commands to the associated controller. (Nexx controllers for home security alarms are susceptible to a similar class of vulnerabilities.) The commands allow you to open a door, turn off a device connected to a smart plug, or deactivate an alarm. Worse, for the past three months, Texas-based Nexx staff have not responded to multiple private messages warning of the vulnerabilities.
“Nexx has consistently ignored attempts at communication from me, the Department of Homeland Security, and the media,” the researcher who discovered the vulnerabilities wrote in a message posted on Tuesday. “Device owners should immediately unplug all Nexx devices and create support tickets with the company asking them to fix the issue.”
The researcher estimates that more than 40,000 devices, located in residential and commercial properties, are affected and more than 20,000 people have active Nexx accounts.
Nexx controllers allow people to use their phones or voice assistants to open and close their garage doors, either on demand or at scheduled times of the day. The devices can also be used to control home security alarms and smart plugs used to remotely turn appliances on or off. The center of this system are the servers operated by Nexx, to which both the phone or voice assistant and the garage door opener are connected. The five-step process for enrolling a new device looks like this:
- The user uses the Nexx Home mobile app to register their new Nexx device with Nexx Cloud.
- Behind the scenes, Nexx Cloud returns a password for the device to use for secure communications with Nexx Cloud.
- The password is transmitted to the user’s phone and sent to the Nexx device via Bluetooth or Wi-Fi.
- The Nexx device establishes a separate connection to the Nexx Cloud using the password provided.
- The user can now operate their garage door remotely using the Nexx mobile app.
This is an illustration of the process:
An easy-to-find universal password
For all of this to work, the controllers use a lightweight protocol known as MQTT. Short for Message Queuing Telemetry Transport, it is designed for low-bandwidth, high-latency, or unreliable networks and provides efficient, reliable messaging between devices and cloud services. MQTT follows a publish/subscribe model: the participants (the phone app, the voice assistant, and the garage door opener) never talk to each other directly. Each one publishes messages to named topics on a central broker (the Nexx cloud) and subscribes to the topics it needs to receive; the broker delivers every published message to every client subscribed to a matching topic.
Researcher Sam Sabetan discovered that the devices use the same password to communicate with the Nexx cloud. Furthermore, this password can be easily obtained simply by analyzing the firmware shipped with the device or the communication back and forth between a device and the Nexx cloud.
“Using a universal password for all devices presents a significant vulnerability, as unauthorized users can gain access to the entire ecosystem by obtaining the shared password,” the researcher wrote. “By doing so, they could compromise not only the privacy but also the security of Nexx customers by monitoring their garage doors without their consent.”
When Sabetan used this password to access the server, he quickly found not only communications between his own device and the cloud, but also communications between other Nexx devices and the cloud. That meant he could filter other users’ email addresses, names, last initials, and device IDs to identify customers based on the unique information shared in these messages.
But it gets even worse. Sabetan could copy messages issued by other users to open their doors and replay them at will, from anywhere in the world. That meant a simple copy-and-paste operation was enough to control any Nexx device, no matter where it was located.
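The two failures described above, a universal password and a broker that lets any authenticated client subscribe to everyone's topics and republish captured commands, can be shown with a small model. The following Python is an added illustration written for this article, not Nexx's code or a reproduction of its protocol: the client IDs, the `nexx/<device id>/cmd` topic layout, the credential table, the JSON payload and the password string are all constructed for the example. It runs the same attacker sequence (wildcard subscribe, capture, replay) against two broker policies: one shared password with no topic ACL, and one password per device with topics restricted to that device's own prefix.

```python
"""Toy model of an MQTT-style broker with two credential policies.

Added illustration, not Nexx code. The client IDs, topic layout
(nexx/<device id>/cmd), credential table and payloads are assumptions
constructed for the example; the password value is a stand-in.
"""
from collections import defaultdict


def topic_matches(filt, topic):
    """MQTT topic-filter matching: '+' matches one level, '#' the remainder."""
    f, t = filt.split("/"), topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return True
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(f) == len(t)


class Broker:
    """Minimal publish/subscribe broker with optional per-device topic ACLs."""

    def __init__(self, credentials, per_device_acl):
        self.credentials = credentials          # client id -> password
        self.per_device_acl = per_device_acl
        self.subs = defaultdict(list)           # client id -> topic filters
        self.inbox = defaultdict(list)          # client id -> delivered messages

    def _auth(self, client_id, password):
        return self.credentials.get(client_id) == password

    def _acl(self, client_id, topic_or_filter):
        if not self.per_device_acl or client_id == "cloud":
            return True     # no ACL at all, or the backend's own privileged client
        # A device may only touch topics under its own ID; "nexx/#" is refused.
        return topic_or_filter.startswith(f"nexx/{client_id}/")

    def subscribe(self, client_id, password, filt):
        if not (self._auth(client_id, password) and self._acl(client_id, filt)):
            return False
        self.subs[client_id].append(filt)
        return True

    def publish(self, client_id, password, topic, payload):
        if not (self._auth(client_id, password) and self._acl(client_id, topic)):
            return False
        for sub, filters in self.subs.items():
            if any(topic_matches(f, topic) for f in filters):
                self.inbox[sub].append((topic, payload))
        return True


SHARED = "one-password-for-everyone"   # constructed stand-in, not the real value


def run_scenario(per_device_acl):
    """Return what an attacker holding a valid credential can see and do."""
    if per_device_acl:
        creds = {"cloud": "pw-cloud", "dev-A": "pw-A", "attacker": "pw-X"}
    else:
        creds = {"cloud": SHARED, "dev-A": SHARED, "attacker": SHARED}
    b = Broker(creds, per_device_acl)

    # Legitimate device A listens for its own commands.
    b.subscribe("dev-A", creds["dev-A"], "nexx/dev-A/cmd")
    # Attacker tries to listen to every device's topics at once.
    wildcard_ok = b.subscribe("attacker", creds["attacker"], "nexx/#")

    # Backend relays the owner's "open" command; the payload carries the
    # kind of identifying data the article describes (constructed values).
    cmd = '{"email":"owner@example.com","device":"dev-A","action":"open"}'
    b.publish("cloud", creds["cloud"], "nexx/dev-A/cmd", cmd)
    seen = list(b.inbox["attacker"])

    # Replay: attacker republishes the captured command verbatim.
    before = len(b.inbox["dev-A"])
    replay_ok = b.publish("attacker", creds["attacker"], "nexx/dev-A/cmd", cmd)
    after = len(b.inbox["dev-A"])

    return {
        "wildcard_subscribe": wildcard_ok,
        "messages_seen": len(seen),
        "replay_accepted": replay_ok,
        "device_opened_by_attacker": after - before,
    }


if __name__ == "__main__":
    print("shared password, no ACL:   ", run_scenario(per_device_acl=False))
    print("per-device password + ACL: ", run_scenario(per_device_acl=True))
```

With the shared password the attacker's wildcard subscription is accepted, the owner's command (email address and device ID included) lands in the attacker's inbox, and the verbatim replay is delivered to the door. With a per-device credential and an ACL pinned to the device's own topic prefix, all three steps are refused. Note that per-device passwords alone do not help: without the topic ACL, any one leaked device credential still grants `nexx/#`. Real brokers express the same restriction in their configuration; in Mosquitto, for example, an `acl_file` entry of the form `user dev-A` followed by `topic readwrite nexx/dev-A/#` binds that client to its own subtree.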
Below is a proof-of-concept video demonstrating the trick:
This event brings to mind the well-worn joke that the S in IoT, short for the generic term Internet of Things, stands for security. While many IoT devices provide convenience, a large number of them are designed with minimal security protections. Outdated firmware with known vulnerabilities and no way to update it are typical, as are myriad flaws such as hardcoded credentials, authorization bypasses, and broken authentication checks.
Anyone using a Nexx device should seriously consider disabling it and replacing it with another, although the usefulness of this advice is limited as there is no guarantee that the alternatives will be more secure.
With so many devices at risk, the US Cybersecurity and Infrastructure Security Agency issued a warning which suggests that users take defensive measures, including:
- Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
- Locate networks of control systems and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use secure methods such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the latest version available. Also recognize that VPN is only as secure as your connected devices.
Of course, those measures are impossible to implement when using Nexx controllers, which brings us back to the general insecurity of IoT and Sabetan’s advice to simply get rid of the product unless or until a fix comes along.