A market-leading garage door controller is so riddled with serious security and privacy vulnerabilities that the researcher who discovered them advises anyone using one to unplug it immediately until they are fixed.
Every one of the $80 devices, which open and close garage doors and control home security alarms and smart plugs, uses the same easy-to-find universal password to communicate with Nexx's servers. The controllers also transmit the owner's email address, device ID, first name and last initial unencrypted, alongside the message that opens or closes a door, switches a smart plug on or off, or schedules such a command for a later time.
Immediately disconnect all Nexx devices
The result: Anyone with an average technical background can search Nexx servers for a given email address, device ID or name and then issue commands to the corresponding controller. (Nexx home security alarm controllers are susceptible to a similar class of vulnerabilities.) Commands allow opening a door, turning off a device connected to a smart plug, or turning off an alarm. Even worse, over the past three months, staff at Texas-based Nexx have failed to respond to multiple private messages warning of the vulnerabilities.
“Nexx has consistently ignored communications attempts by myself, the Department of Homeland Security and the media,” the researcher who discovered the vulnerabilities wrote in a post published Tuesday. “Device owners should immediately disconnect all Nexx devices and create support tickets with the company asking them to resolve the issue.”
The researcher estimates that more than 40,000 devices located in residential and commercial properties are affected and that more than 20,000 individuals have active Nexx accounts.
Nexx controllers allow people to use their phones or voice assistants to open and close their garage doors, on command or at scheduled times of the day. The devices can also control home security alarms and smart plugs that turn appliances on or off remotely. The hub of the system is a set of servers run by Nexx, to which both the phone or voice assistant and the garage door opener connect. The five-step process for enrolling a new device is as follows:
- The user uses the Nexx Home mobile app to register their new Nexx device with the Nexx Cloud.
- Behind the scenes, the Nexx Cloud returns a password that the device can use for secure communication with the Nexx Cloud.
- The password is sent to the user's phone, which passes it to the Nexx device over Bluetooth or Wi-Fi.
- The Nexx device makes an independent connection to the Nexx Cloud using the provided password.
- The user can now remotely control their garage door with the Nexx mobile app.
This is an illustration of the process:
A universal password that is easy to find
To make all this work, the controllers use a lightweight protocol known as MQTT. Short for Message Queuing Telemetry Transport, it is designed for low-bandwidth, high-latency or otherwise unreliable networks, where it provides efficient and reliable messaging between devices and cloud services. MQTT is a publish/subscribe protocol: clients (here the phone, the voice assistant and the garage door opener) publish messages to named topics on a central broker (here the Nexx cloud), and the broker forwards each message to every client subscribed to that topic. Nothing in the protocol itself stops one client from reading or writing another client's topics; that depends entirely on the credentials and access controls the broker operator configures.
Researcher Sam Sabetan discovered that every device uses the same password to communicate with the Nexx cloud. Worse, the password is easy to recover, either by analyzing the device's firmware or by capturing the back-and-forth traffic between a device and the Nexx cloud.
“Using a universal password for all devices represents a significant vulnerability, as unauthorized users can access the entire ecosystem by obtaining the shared password,” the researcher wrote. “By doing so, they could compromise not only the privacy, but also the safety of Nexx’s customers by operating their garage doors without their consent.”
When Sabetan used this password to connect to the broker, he soon saw not only the messages between his own device and the cloud but also those of other Nexx devices. That meant he could search the email addresses, last names, initials and device IDs in those messages to identify other customers from the unique details they carried.
But it gets worse. Sabetan could copy messages from other users to open their doors and replay them at will – anywhere in the world. That meant a simple cut-and-paste operation was all it took to control any Nexx device, no matter where it was.
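The enrollment flow and the broker behaviour described above combine three separate failures: one password issued to every device at enrollment, no restriction on which topics a client may subscribe to or publish on, and nothing in a command that ties it to a single use. The following is an added example, not Nexx's code and not the researcher's: a toy in-process broker with an MQTT-style publish/subscribe model that can be run with each failure switched on or off. The topic layout `devices/<id>/cmd`, the JSON payload fields, the placeholder credential `UNIVERSAL-PW` and the per-message `seq` counter used as a replay check are all assumptions made for the illustration.

```python
import json
import secrets


def topic_matches(filt: str, topic: str) -> bool:
    """MQTT-style match for a subscription filter: '+' is one level, '#' is the rest."""
    f, t = filt.split("/"), topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return True
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(f) == len(t)


class Broker:
    """In-process stand-in for the cloud broker: credentials, topic ACL, subscriptions."""

    def __init__(self, enforce_acl: bool):
        self.enforce_acl = enforce_acl
        self.passwords = {}  # client id -> password issued at enrollment
        self.subs = []       # (topic filter, callback)

    def enroll(self, client_id: str, shared_password=None) -> str:
        """Enrollment step 2. Handing every client the same shared_password is the flaw;
        None issues a fresh per-client secret instead."""
        pw = shared_password if shared_password is not None else secrets.token_hex(16)
        self.passwords[client_id] = pw
        return pw

    def _authorize(self, client_id: str, password: str, topic_or_filter: str) -> None:
        if self.passwords.get(client_id) != password:
            raise PermissionError("bad credentials")
        # ACL (assumed layout): a client may only use topics under devices/<own id>/.
        if self.enforce_acl and not topic_or_filter.startswith(f"devices/{client_id}/"):
            raise PermissionError(f"{client_id} may not access {topic_or_filter}")

    def subscribe(self, client_id, password, topic_filter, callback) -> None:
        self._authorize(client_id, password, topic_filter)
        self.subs.append((topic_filter, callback))

    def publish(self, client_id, password, topic, payload: bytes) -> None:
        self._authorize(client_id, password, topic)
        for filt, cb in self.subs:
            if topic_matches(filt, topic):
                cb(topic, payload)


class GarageDoor:
    """Subscriber side. With replay_protect, a 'seq' not newer than the last accepted is dropped."""

    def __init__(self, replay_protect: bool):
        self.replay_protect, self.last_seq = replay_protect, -1
        self.opens = self.rejected = 0

    def on_message(self, topic: str, payload: bytes) -> None:
        msg = json.loads(payload)
        if self.replay_protect and msg["seq"] <= self.last_seq:
            self.rejected += 1
            return
        self.last_seq = msg["seq"]
        if msg["cmd"] == "open":
            self.opens += 1


def run_scenario(shared_password, enforce_acl: bool, replay_protect: bool) -> dict:
    """Owner device 'door-1' and an attacker who enrolled their own 'door-2'. Returns what
    the attacker could observe and do under the given broker and device policy."""
    broker = Broker(enforce_acl)
    victim_pw = broker.enroll("door-1", shared_password)
    attacker_pw = broker.enroll("door-2", shared_password)
    door = GarageDoor(replay_protect)
    broker.subscribe("door-1", victim_pw, "devices/door-1/cmd", door.on_message)
    captured = []  # everything the attacker's wildcard subscription receives
    try:
        broker.subscribe("door-2", attacker_pw, "devices/#", lambda t, p: captured.append(p))
    except PermissionError:
        pass
    # Owner's phone sends a legitimate command; identifying details ride along in the
    # same message, as the article describes (constructed sample values).
    legit = json.dumps({"cmd": "open", "seq": 1, "email": "owner@example.com",
                        "name": "A. Owner"}).encode()
    broker.publish("door-1", victim_pw, "devices/door-1/cmd", legit)
    observed = len(captured)
    # Replay the captured bytes verbatim (a forged copy if nothing was captured), first as
    # door-2, then impersonating door-1 with the shared password if there is one.
    replay = captured[0] if captured else legit
    delivered = False
    for cid, pw in (("door-2", attacker_pw), ("door-1", shared_password or "")):
        try:
            broker.publish(cid, pw, "devices/door-1/cmd", replay)
            delivered = True
            break
        except PermissionError:
            continue
    return {"observed": observed,
            "pii_leaked": any(b"owner@example.com" in p for p in captured),
            "replay_delivered": delivered, "opens": door.opens, "rejected": door.rejected}


if __name__ == "__main__":  # "UNIVERSAL-PW" is a placeholder for this example, not the real credential
    print(run_scenario("UNIVERSAL-PW", False, False), run_scenario(None, True, True), sep="\n")
```

With the shared password and no ACL, the attacker's `devices/#` subscription receives the owner's command together with the email address and name, and re-publishing the captured bytes opens the door a second time. Turning on the sequence check alone stops the replay but not the eavesdropping; only per-device secrets plus a broker ACL keep the attacker from subscribing to or publishing on another customer's topic in the first place. Real brokers such as Mosquitto implement the same idea with per-user topic ACLs, and a production replay check would use a nonce or signed timestamp rather than a bare counter.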
A proof-of-concept video demonstrating the hack follows:
This episode is a reminder of the worn-out joke that the S in IoT, short for the Internet of Things, stands for security. While many IoT devices are convenient, a frightening number ship with minimal security: outdated firmware with known vulnerabilities and no way to update it are typical, as are hard-coded credentials, authorization bypasses and broken authentication.
Anyone using a Nexx device should seriously consider switching it off and replacing it with something else, although the usefulness of this advice is limited as there is no guarantee that the alternatives will be any safer.
With so many devices at risk, the US Cybersecurity and Infrastructure Security Agency has issued an advisory suggesting that users take defensive measures, including:
- Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls and isolate them from corporate networks.
- When remote access is required, use secure methods such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize that a VPN is only as secure as the devices connected to it.
Those measures are, of course, impossible to follow with a Nexx controller, whose entire function depends on talking to Nexx's cloud over the Internet, which brings us back to the overall uncertainty of IoT and Sabetan's advice to simply ditch the product unless or until a fix comes along.