A series of vulnerabilities in Nexx’s smart garage door opener controllers – which could be remotely hacked by attackers from anywhere in the world – were discovered by security researcher Sam Sabetan. Despite multiple attempts to report the vulnerabilities to Nexx, the company has not responded for months and has not fixed the issue. These critical security flaws mean that attackers could open Nexx doors at random, potentially exposing garage contents and homes to opportunistic thieves. The vulnerabilities could also be used as part of a targeted attack against a particular garage using Nexx’s security system.
Nexx offers a Wi-Fi-enabled garage door controller that can connect to a user’s existing garage door opener allowing them to conveniently activate it remotely through a smartphone app. The company ran campaigns on Kickstarter, with an emphasis on easy-to-use products that work with items already owned by the customer. Sabetan demonstrated the hack by opening his own garage door with the Nexx app and then capturing the data the device sent to Nexx’s server during this action.
The security researcher was then able to replay a command back to the garage through software (rather than the app) and the door opened once again. He only tested this on his own garage door, but with the demonstration, he showed that he could have remotely opened other users’ garage doors with the same technique. The Company behind the product has declined to fix the vulnerabilities, which could have serious consequences for its customers. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has already published an advisory about security issues.
Sabetan tried to contact Nexx about the issues but to no avail. The company has ignored vulnerability reports and failed to respond to attempts to warn it of the issues. He also contacted Nexx’s support team, posing as a customer needing assistance with his own Nexx product, and the team responded promptly.
Filed in . Read more about Cybersecurity.