
Nexx's line of home "security" devices uses universal passwords and broadcasts identifiers unencrypted

Continuum

Summary

Another IoT company doing the things that are expected of IoT devices: expose everything to the internet. Nexx has refused to respond to any communiqué regarding the vulnerabilities from both the security researcher who found these gaping holes and the Department of Homeland Security (through whom the researcher made responsible disclosure). Any Nexx device must be disconnected from the internet at the very least.


Quotes


A market-leading garage door controller is so riddled with severe security and privacy vulnerabilities that the researcher who discovered them is advising anyone using one to immediately disconnect it until they are fixed.


Each $80 device used to open and close garage doors and control home security alarms and smart power plugs employs the same easy-to-find universal password to communicate with Nexx servers. The controllers also broadcast the unencrypted email address, device ID, first name, and last initial corresponding to each one, along with the message required to open or shut a door or turn on or off a smart plug or schedule such a command for a later time.

Immediately unplug all Nexx devices

The result: Anyone with a moderate technical background can search Nexx servers for a given email address, device ID, or name and then issue commands to the associated controller. (Nexx controllers for home security alarms are susceptible to a similar class of vulnerabilities.) Commands allow the opening of a door, turning off a device connected to a smart plug, or disarming an alarm. Worse still, over the past three months, personnel for Texas-based Nexx haven’t responded to multiple private messages warning of the vulnerabilities.


My thoughts

Please do not trust any proprietary security device and service; if you must use IoT, go the Linus route with a local server so you—the owner—are actually in control of the devices and any communications to them. If you have Nexx devices, immediately pull them offline or just remove them—alongside any other IoT on your network—from your residence and premises entirely.


Sources


more in the Internet of Toilet things.

Keep choosing convenience, folks.


1 hour ago, suicidalfranco said:

more in the Internet of Toilet things.

Keep choosing convenience, folks.

At this point, the complete lack of security in most IoT products has to be viewed as an intended function.

and these things will be connected to my phone? dayum.

Also gotta love that military encryption for 2% of its code.


If you're gonna use IoT devices, they'd better be on their own VLAN with zero outside connection. Then just remote in to do what you need; 1000% more secure. But hey, that app on your phone sure is convenient!

1 hour ago, Quackers101 said:

and these things will be connected to my phone? dayum.

Also gotta love that military encryption for 2% of its code.

Gotta be careful of anything "military grade". The military loves saving money and will give their contracts to the ones that promise to do it cheaper, lol.
