Vulnerability in Nexx Garage Door Opener Could Let Intruders In; Makers Ignore Calls for a Patch

A security researcher has identified vulnerabilities in several Nexx smart devices, including garage door openers, alarms and smart plugs. Unfortunately, the company ignored the findings, prompting the researcher to publish everything he found in the public domain.

Poor IoT security remains a common topic in the realm of cybersecurity, and not much has changed in the past decade, except for the industry's exponential growth. So it should surprise no-one that there are situations when vulnerabilities are found and not fixed.

Security researcher Sam Sabetan took a closer look at a few Nexx smart devices, including Smart Garage Door Openers, Alarms and Plugs. The vulnerabilities identified would let attackers open and close garage doors and smart plugs, and even take control of alarms.

"The vulnerabilities […] involve the Smart Garage Door Controller and Smart Plugs, but the Smart Alarm is also susceptible to a similar class of vulnerabilities," said Sabetan. "As a result, all Nexx devices are affected by the vulnerabilities described here. It is estimated that over 40,000 devices, located in both residential and commercial properties, are impacted. Furthermore, I determined that more than 20,000 individuals have active Nexx accounts."

Up to this point, the report doesn't highlight anything out of the ordinary. But it turns out that the researchers worked with the United States Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). Despite all attempts to contact the makers of these devices, including by US authorities, there was no answer.

This prompted the security researcher to publicize all vulnerabilities, publish proof of concept and share detailed information about all possible exploits.

"While I aimed to adhere to a responsible disclosure process, Nexx chose not to cooperate with me, the media, or the government, leaving these critical vulnerabilities unaddressed,” the researcher said. “If you are a Nexx customer, I strongly recommend disconnecting your devices and contacting Nexx to inquire about remediation steps.”