Nexx garage door remote controller: Vulnerability allows access for hackers

[German]Anyone who owns a Nexx home automation system and uses it to remotely control their garage doors now has a fat problem. A vulnerability in the Nexx remote control allows hackers to gain unauthorized access to the garage doors. They can then remotely access this control, open the garage door and possibly enter the garage or even buildings via this route. Unfortunately, there is no countermeasure against such manipulations.

Nexx home automation

Nexx is a US provider that advertises intelligent solutions for garage door control, alarm systems, etc. in the home automation sector. The website advertises, among other things, how easy the products are to use. The manufacturer calls this Smart Living.

Nexx offers simple home automation with products designed to work with things people already own. Each Nexx device has built-in technology that connects to the Internet via an existing home router and Wi-Fi, according to the vendor.

Of course, there's an app that can then be used to control garage access via garage door control remotely, via WiFi and the Internet, from anywhere in the world. The app works with voice assistants like Siri, Google devices, Amazon Echo and other Alexa-enabled devices like CoWatch to allow users to control connected devices with just their voice ("Hey, Siri… open my garage.").

The Nexx Home app then communicates with Nexx devices via "the cloud," giving users complete control from anywhere in the world, according to the manufacturer's promotional pages. The servers for the cloud are located in the U.S.

The vendort advertises that the data is fully protected by industry-standard encryption. The encryption is so strong that not even Apple or Google can get at your data, they say.

Vulnerability in Nexx garage door controller

Unfortunately, this brave new world is about to be "pulverized" in terms of security, as there is a vulnerability in the Nexx garage door controller that allows attackers to remotely open and manipulate garage doors from anywhere in the world. So to speak, the "Nexx garage door control with the license to open" – and there is no countermeasure.

The colleagues from Bleeping Computer point this out in the above tweet and in this article. There is not only one vulnerability, but the experts from Nexx, according to their own statement "specialists in their field", have overlooked several vulnerabilities in their concept. There are five publicly disclosed vulnerabilities, ranging in severity from medium to critical, that the manufacturer has not yet confirmed or fixed. These vulnerabilities in Nexx smart devices can be exploited to control garage doors, disable home alarms or smart plugs.

Security researcher Sam Sabetan discovered these vulnerabilities in the Nexx devices back in 2022 and worked closely with the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) to publish the research results after a certain deadline. Sabetan published the whole thing on Medium as of April 4, 2023, in the post The Uninvited Guest: IDORs, Garage Doors, and Stolen Secrets. CISA has assigned the following five CVEs:

• Use of hardcoded credentials CWE-798 (CVE-2023-1748, CVSS3.0: 9.3).
• Authorization bypass using a user-controlled key CWE-639 (CVE-2023-1749, CVSS3.0: 6.5)
• Authorization bypass using a user-controlled key CWE-639 (CVE-2023-1750, CVSS3.0: 7.1)
• Improper input validation CWE-20 (CVE-2023-1751, CVSS3.0: 7.5)
• Improper authentication validation CWE-287 (CVE-2023-1752, CVSS3.0: 8.1)

For details, see CISA publication ICSA-23-094-01. On January 4, 2023, the security researcher notified the vendor of the vulnerabilities. Nexx has not responded to any correspondence from the security researcher, DHS (CISA and US-CERT), or VICE Media Group. The security researcher writes that Nexx is intentionally ignoring all attempts to help fix the vulnerabilities and allowing these critical vulnerabilities to continue to affect device users.

A vulnerability allows an attacker to collect email addresses, device IDs and first names and thus identify Nexx users. Another vulnerability allows virtually anyone from anywhere in the world to open or close garage doors controlled by Nexx components. Smart Nexx garage controllers can be searched and opened based on an email address, a device ID, or a first and last name. Bleeping Computer colleagues have posted more details in the article here, as well as a video showing how to access a garage door via app.

Smart living interpreted in a different way, so to speak – but the manufacturer's behavior falls into the pattern I have observed of "catching the naive ones via glossy websites with promises of the simplest possible operation, integration via app and voice control", but in the background, components that are more poorly than well put together and crowsed with vulnerabilities. There is no support for fixing the vulnerabilities and after a few years, the components disappear from the market – the cloud offering is discontinued and the naive users are wide-eyed because the stuff no longer works. Since the beginning of the year, my post on D-Link has been getting comments from angry users who never want to buy a product from this manufacturer again.