PSA: A security researcher and US authorities discovered multiple severe vulnerabilities rendering Nexx smart security systems virtually toothless. Those using their devices should find another solution ASAP since Nexx has been radio-silent for two years.
Researcher Sam Sabetan, cooperating with the US Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA), recently published several severe security risks involving Nexx smart home systems. The vulnerabilities allow attackers to quickly seize complete control over garage door openers, smart plugs, and alarm systems from anywhere on Earth.
Nexx offers devices that let users open garage doors, toggle home security systems, and switch smart power outlets on or off through a smartphone app. Earlier this year, Sabetan discovered that the devices’ connections to the company’s cloud use extremely weak security.
When a user registers the Nexx app with the company’s cloud, its servers send a password to the app and device, establishing the connection. Unfortunately, the password is identical for all users. Furthermore, it’s freely available in Nexx’s API and publicly available in each device’s firmware.
Equipped with the password, an attacker with access to Nexx’s servers can remotely open any garage door and switch off devices connected to smart plugs. They can also see users’ email addresses, device IDs, first names, and last initials, allowing hackers to target specific people.
While the home alarm doesn’t suffer from this specific vulnerability, it has two equally serious problems. Any registered Nexx user with an alarm’s MAC address can take over that alarm, and the MAC address isn’t tricky to discover. Nexx’s server doesn’t verify bearer tokens, potentially letting bad actors send signals to users’ alarms. All Nexx alarm MAC addresses begin with the same digits – 7C 9E BD F4 – making the remainder of the address easy to brute-force. Additionally, a hacker with the MAC address can hijack a registered alarm by reregistering it under a rogue account, removing access from the original user, and giving the attacker complete control over the security system.
Sabetan, the DHS, and CISA have tried contacting Nexx on multiple occasions since January with no success. The company’s mobile apps are still functional. Its social media accounts and website are still online but have logged no activity since 2021. More concerning is that Nexx’s official Twitter posted a tweet in April 2021 appearing to advertise a Web3 studio, suggesting someone else gained control of the account.
Despite signs indicating Nexx has dropped off the face of the Earth, the company’s online store still operates, and the garage door opener remains available on Amazon. Even if few new customers buy Nexx’s products, Sabetan estimates their vulnerabilities endanger 40,000 devices and 20,000 active accounts. It suggests users immediately stop using the devices and try to contact Nexx for refunds. The CISA recommends disconnecting the devices from the internet, isolating them from business networks, or accessing them through VPN.
If Nexx is defunct, it represents another case of what happens to IoT devices when manufacturers and software developers abandon their products.