Nexx smart devices have been found to have multiple vulnerabilities that could potentially compromise user privacy and security. Hackers could exploit these security issues to control garage doors, disable home alarms or smart plugs.
Independent security researcher Sam Sabetan discovered these vulnerabilities and attempted to report them to Nexx, but the vendor has yet to acknowledge or fix them. (https://medium.com/@samsabetan/the-uninvited-guest-idors-garage-doors-and-stolen-secrets-e4b49e02dadc)
There are reportedly at least 40,000 Nexx devices, making the severity of the security problem all the more pressing. In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert, highlighting the severity of the situation. (https://www.cisa.gov/news-events/ics-advisories/icsa-23-094-01)
The most severe vulnerability, tracked as CVE-2023-1748, is due to Nexx Cloud setting a universal password for all newly registered devices via the Android or iOS Nexx Home mobile app.
Five CVE's have been assigned in total:
USE OF HARD-CODED CREDENTIALS CWE-798 (CVE-2023-1748)
AUTHORIZATION BYPASS THROUGH USER-CONTROLLED KEY CWE-639 (CVE-2023-1749)
AUTHORIZATION BYPASS THROUGH USER-CONTROLLED KEY CWE-639 (CVE-2023-1750)
IMPROPER INPUT VALIDATION CWE-20 (CVE-2023-1751)
IMPROPER AUTHENTICATION CWE-287 (CVE-2023-1752)
The following versions of Nexx Smart Home devices are affected:
- Nexx Garage Door Controller (NXG-100B, NXG-200): Version nxg200v-p3-4-1 and prior
- Nexx Smart Plug (NXPG-100W): Version nxpg100cv4-0-0 and prior
- Nexx Smart Alarm (NXAL-100): Version nxal100v-p1-9-1and prior
To mitigate the risk of these attacks, users should disable internet connectivity for Nexx devices, place them behind firewalls, and isolate them from mission-critical networks. If remote access is necessary, it should only be done through a VPN connection that encrypts data transmissions.
This discovery of multiple vulnerabilities in Nexx smart devices highlights the need for vendors to prioritize security in the development and deployment of these devices. Users should also take necessary precautions to protect their privacy and security while using smart devices, particularly in light of the growing trend towards internet of things (IoT) devices.