Texas-based smart home product provider Nexx appears to have ignored repeated attempts to report serious vulnerabilities that can be exploited by hackers to remotely open garage doors, and take control of alarms and smart plugs. Researcher Sam Sabetan discovered that these products are affected by serious vulnerabilities in late 2022 and disclosed their details on Tuesday.
The US Cybersecurity and Infrastructure Security Agency (CISA) has also released an advisory to warn individuals and organizations using Nexx products about the flaws identified by the researcher. The agency said the impacted products are used by commercial facilities worldwide. Sabetan and CISA said their attempts to report the vulnerabilities to Nexx were ignored.
The researcher has discovered five types of vulnerabilities, most of which have been assigned ‘high’ or ‘critical’ severity ratings. The list of issues includes the use of hardcoded credentials, authorization bypass flaws that can be leveraged to execute unauthorized actions, information disclosure issues, and improper authentication.
In a real world attack scenario, an attacker can exploit these vulnerabilities to open or close garage doors remotely over the internet, hijack any alarm system, and turn on/off smart plugs connected to household appliances. A video demo made by the researcher shows how a hacker can obtain the information of hundreds of users.
“It is estimated that over 40,000 devices, located in both residential and commercial properties, are impacted. Furthermore, I determined that more than 20,000 individuals have active Nexx accounts,” Sabetan explained.
In conclusion, the Texas-based smart home product provider Nexx has ignored attempts to report serious vulnerabilities in their products, which can be exploited to remotely open garage doors, take control of alarms and even smart plugs. Researcher Sam Sabetan has discovered five types of vulnerabilities, most of which have been rated as ‘high’ or ‘critical’. The US Cybersecurity and Infrastructure Security Agency (CISA) has also released an advisory regarding the flaws identified by the researcher. In a real world attack, an attacker can exploit these vulnerabilities to open or close garage doors, hijack alarms, and turn on/off smart plugs.
Key Points:
- Texas-based smart home product provider Nexx has ignored attempts to report serious vulnerabilities
- Five types of vulnerabilities have been identified, most of which have been assigned ‘high’ or ‘critical’ severity ratings
- US Cybersecurity and Infrastructure Security Agency (CISA) has released an advisory regarding the flaws
- In a real world attack, an attacker can exploit these vulnerabilities to open or close garage doors, hijack alarms, and turn on/off smart plugs
- Over 40,000 devices, located in both residential and commercial properties, are impacted