Sign in Subscribe
By LincolnCyber in CISA

Critical Security Vulnerabilities Found in Nexx Smart Devices, Putting User Privacy and Safety at Risk.

Critical Security Vulnerabilities Found in Nexx Smart Devices, Putting User Privacy and Safety at Risk.
Photo by Logan Meis / Unsplash

Nexx smart devices have been found to have multiple vulnerabilities that could potentially compromise user privacy and security. Hackers could exploit these security issues to control garage doors, disable home alarms or smart plugs.

Independent security researcher Sam Sabetan discovered these vulnerabilities and attempted to report them to Nexx, but the vendor has yet to acknowledge or fix them. (https://medium.com/@samsabetan/the-uninvited-guest-idors-garage-doors-and-stolen-secrets-e4b49e02dadc)

There are reportedly at least 40,000 Nexx devices, making the severity of the security problem all the more pressing. In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert, highlighting the severity of the situation. (https://www.cisa.gov/news-events/ics-advisories/icsa-23-094-01)

The most severe vulnerability, tracked as CVE-2023-1748, is due to Nexx Cloud setting a universal password for all newly registered devices via the Android or iOS Nexx Home mobile app.

Five CVE's have been assigned in total:

  • USE OF HARD-CODED CREDENTIALS CWE-798 (CVE-2023-1748)

  • AUTHORIZATION BYPASS THROUGH USER-CONTROLLED KEY CWE-639 (CVE-2023-1749)

  • AUTHORIZATION BYPASS THROUGH USER-CONTROLLED KEY CWE-639 (CVE-2023-1750)

  • IMPROPER INPUT VALIDATION CWE-20 (CVE-2023-1751)

  • IMPROPER AUTHENTICATION CWE-287 (CVE-2023-1752)

The following versions of Nexx Smart Home devices are affected:

  • Nexx Garage Door Controller (NXG-100B, NXG-200): Version nxg200v-p3-4-1 and prior
  • Nexx Smart Plug (NXPG-100W): Version nxpg100cv4-0-0 and prior
  • Nexx Smart Alarm (NXAL-100): Version nxal100v-p1-9-1and prior

To mitigate the risk of these attacks, users should disable internet connectivity for Nexx devices, place them behind firewalls, and isolate them from mission-critical networks. If remote access is necessary, it should only be done through a VPN connection that encrypts data transmissions.

This discovery of multiple vulnerabilities in Nexx smart devices highlights the need for vendors to prioritize security in the development and deployment of these devices. Users should also take necessary precautions to protect their privacy and security while using smart devices, particularly in light of the growing trend towards internet of things (IoT) devices.

Links:
https://www.cisa.gov/news-events/ics-advisories/icsa-23-094-01
https://nvd.nist.gov/vuln/detail/CVE-2023-1748
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1749
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1750
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1751
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1752

Previous

7 Effective Strategies to Prevent Phishing Attacks: How to Protect Your Sensitive Information

 Next

Defending Against Web-based Attacks: How Web Application Firewalls (WAFs) Keep Your Applications Safe

You might also like...