Cybersecurity researcher Sam Sabetan yesterday went public with insecurity revelations against IoT vendor Nexx, which sells a range of “smart” devices including door openers, home alarms and remotely switchable power plugs. According to Sabetan, he reported the bugs to Nexx back in January 2023, but to no avail. So he decided to sound the alarm openly, now it’s April 2023. The warning was considered serious enough by the powers-that-be that even the resoundingly if repetitiously named US Cybersecurity and Infrastructure Security Agency, or CISA, published a formal advisory about the flaws. Sabetan deliberately didn’t publish precise details of the bugs, or provide any proof-of-concept code that would allow just anyone to start hacking away on Nexx devices without already knowing what they were doing. But from a brief, privacy-redacted video provided by Sabetan to prove his point, and the CVE-numbered bug details listed by CISA, it’s easy enough to figure out how the flaws probably came to get programmed into Nexx’s devices. More precisely, perhaps, it’s easy to see what didn’t get programmed into Nexx’s system, thus leaving the door wide open for attackers.
No password required

Five CVE numbers have been assigned to the bugs (CVE-2023-1748 to CVE-2023-1752 inclusive), which cover a number of cybersecurity omissions, apparently including the following three interconnected security blunders:

• Hard-coded credentials. An access code that can be retrieved from the Nexx firmware allows an attacker to snoop on Nexx’s own cloud servers and to recover command-and-control messages between users and their devices. This includes the so-called device identifier – a unique string assigned to each device. The message data apparently also includes the user’s email address and the name and initial used to register the device, so there is a small but significant privacy issue here as well.

• Zero-factor authentication. Although device IDs aren’t meant to be advertised publicly in the way that email addresses or Twitter handles are, they’re not meant to serve as authentication tokens or passwords either. But attackers who know your device ID can use it to control that device, without providing any sort of password or additional cryptographic evidence that they’re authorised to access it.

• No protection against replay attacks. Once you know what a command-and-control message looks like for your own (or someone else’s) device, you can send the same data again and the cloud service will repeat the request, because nothing in the message ties it to one particular moment or one particular session.
Sabetan used the hardwired access credentials from Nexx’s firmware to monitor the network traffic in Nexx’s cloud system while operating his own garage door. That’s how he soon discovered that:

• The cloud “broker” service included data in its traffic that wasn’t necessary to the business of opening and closing the door, such as email addresses, surnames and initials.

• The request traffic could be directly replayed into the cloud service, and would repeat the same action as it did before, such as opening or closing the door.

• The network data revealed the traffic of other users who were interacting with their devices at the same time, suggesting that all devices always used the same access key for all their traffic, and thus that anyone could snoop on everyone.

Note that an attacker wouldn’t need to know where you live to abuse these insecurities, though if they could tie your email address to your physical address, they could arrange to be present at the moment they opened your garage door, or they could wait to turn your alarm off until they were right in your driveway, and thus use the opportunity to burgle your property.
If you have a Nexx “smart” product, contact the company directly for advice on what it plans to do next, and by when. Operate your devices directly, not via the Nexx cloud-based app, until patches are available, assuming that’s possible for the devices you own. That way you will avoid exchanging sniffable command-and-control data with the Nexx cloud servers.

If you’re a programmer, don’t take security shortcuts like this. Hardcoded passwords or access codes were unacceptable way back in 1993, and they’re way more unacceptable now it’s 2023. A single secret baked into every unit of firmware is, in effect, no secret at all: once one device has been opened up, every device is exposed. Learn how to use public key cryptography to authenticate each device uniquely, and learn how to use ephemeral (throw-away) session keys so that the data in each command-and-control interaction stands on its own in cryptographic terms. In practice that means every request should carry something fresh, such as a random nonce or a counter, that is covered by the authentication, so that a captured request can’t simply be sent again later.

If you’re a vendor, don’t ignore bona fide attempts by researchers to tell you about problems.
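The replay problem described earlier and the advice just given (authenticate each device with its own key pair, and make each request stand on its own) can be put side by side in code. What follows is an added example for this article, not Nexx’s code and not Sabetan’s: a toy cloud “broker” in Go that enrols each device’s Ed25519 public key at provisioning time, requires every command to be signed by the matching private key, and refuses any (device ID, nonce) pair it has already accepted. The device ID “door-1234”, the OPEN/CLOSE actions and the message layout are assumptions made up for the example; the nonce cache lives in memory, and an ephemeral session-key exchange is not shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Command is the message a controller sends through the broker to a device.
// Unlike a bare "device ID + action" message, it carries a per-message nonce
// and a signature from a key that only the legitimate controller holds.
// (Field names and layout are assumptions for this example.)
type Command struct {
	DeviceID string
	Action   string // e.g. "OPEN" or "CLOSE"
	Nonce    string // 16 random bytes, hex encoded, never reused
	Sig      []byte // Ed25519 signature over canonical()
}

// canonical returns the exact bytes that are signed. A NUL separator keeps
// the fields unambiguous, so "OPEN"+"abc" cannot collide with "OPE"+"Nabc".
func (c Command) canonical() []byte {
	return []byte(strings.Join([]string{c.DeviceID, c.Action, c.Nonce}, "\x00"))
}

// Broker is a toy stand-in for the cloud service. It knows each enrolled
// device's public key and remembers which nonces it has already accepted.
type Broker struct {
	pubKeys   map[string]ed25519.PublicKey
	seenNonce map[string]bool // keyed by deviceID + NUL + nonce
}

func NewBroker() *Broker {
	return &Broker{pubKeys: map[string]ed25519.PublicKey{}, seenNonce: map[string]bool{}}
}

// Enroll registers a device's public key. Only the public half ever reaches
// the broker, so nothing that can be sniffed from its traffic, or read out of
// a firmware image, lets a third party impersonate the device's owner.
func (b *Broker) Enroll(deviceID string, pub ed25519.PublicKey) {
	b.pubKeys[deviceID] = pub
}

var (
	ErrUnknownDevice = errors.New("unknown device")
	ErrBadSignature  = errors.New("bad signature")
	ErrReplay        = errors.New("replayed nonce")
)

// Accept is what the broker does with an incoming command. Knowing the device
// ID is not enough: the signature must verify under that device's enrolled
// key (checked first, so unsigned junk never pollutes the nonce cache), and
// the nonce must not have been seen before for that device.
func (b *Broker) Accept(c Command) error {
	pub, ok := b.pubKeys[c.DeviceID]
	if !ok {
		return ErrUnknownDevice
	}
	if !ed25519.Verify(pub, c.canonical(), c.Sig) {
		return ErrBadSignature
	}
	key := c.DeviceID + "\x00" + c.Nonce
	if b.seenNonce[key] {
		return ErrReplay
	}
	b.seenNonce[key] = true
	return nil
}

// NewCommand builds and signs a fresh command with a random nonce, as the
// legitimate controller would.
func NewCommand(priv ed25519.PrivateKey, deviceID, action string) (Command, error) {
	var n [16]byte
	if _, err := rand.Read(n[:]); err != nil {
		return Command{}, err
	}
	c := Command{DeviceID: deviceID, Action: action, Nonce: hex.EncodeToString(n[:])}
	c.Sig = ed25519.Sign(priv, c.canonical())
	return c, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(nil) // per-device key pair, generated at provisioning
	if err != nil {
		panic(err)
	}
	broker := NewBroker()
	broker.Enroll("door-1234", pub)

	cmd, _ := NewCommand(priv, "door-1234", "OPEN")
	fmt.Println("legitimate command:    ", broker.Accept(cmd)) // <nil>
	fmt.Println("same bytes replayed:   ", broker.Accept(cmd)) // replayed nonce

	// An attacker who has sniffed the device ID but holds a different key.
	_, attacker, _ := ed25519.GenerateKey(nil)
	forged, _ := NewCommand(attacker, "door-1234", "OPEN")
	fmt.Println("forged with ID only:   ", broker.Accept(forged)) // bad signature
}
```

Two design points worth noting. The nonce is signed together with the device ID and the action, so an attacker can neither resend a captured OPEN nor rewrite a captured CLOSE into an OPEN. And the replay cache as written grows without bound; a real broker would also sign a timestamp and keep nonces only for the window in which that timestamp is accepted.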
Key Points:
• Cybersecurity researcher Sam Sabetan went public with insecurity revelations against IoT vendor Nexx.
• He reported the bugs to Nexx back in January 2023, but to no avail.
• The warning was considered serious enough by the powers-that-be that even the US Cybersecurity and Infrastructure Security Agency, or CISA, published a formal advisory about the flaws.
• Five CVE numbers have been assigned to the bugs, which cover a number of cybersecurity omissions.
• Sabetan used the hardwired access credentials from Nexx’s firmware to monitor the network traffic in Nexx’s cloud system while operating his own garage door.
• If you have a Nexx “smart” product, contact the company directly for advice on what it plans to do next, and by when.
• If you’re a programmer, don’t take security shortcuts like this. Hardcoded passwords or access codes were unacceptable way back in 1993, and they’re way more unacceptable now it’s 2023.
• If you’re a vendor, don’t ignore bona fide attempts by researchers to tell you about problems.