
[Update: Fix coming] Nexx smart garage door openers are vulnerable to being controlled by hackers

Connected garage door openers are a convenient and quick way to add some smarts to a key part of your home, but like any other piece of smart home gear, hackers can ruin the fun. This week, a vulnerability with smart garage door openers from Nexx has been exposed, showing hackers can control your garage door remotely.

Discovered by Sam Sabetan, an independent security researcher, a vulnerability in Nexx garage door openers, alarms, and smart plugs leaves the door open to malicious third parties. This allows those third parties to connect to the products and turn them on or off, which, in the case of a garage door controller, opens or closes the door.

The vulnerability allows these products to be controlled completely remotely, from anywhere in the world, as Sabetan told Motherboard.

The implications of that sort of vulnerability should be quite obvious, with third parties able to control and, if they are nearby, potentially access your garage. With alarms, this could also leave homes at further risk. For garage door controllers, devices can be identified using an email address, deviceId, or first name and last initial.

Sabetan shows this in action through a proof-of-concept video, where he was able to control his own device, as well as over 500 others.

In a blog post, Sabetan confirmed the timeline of the discovery, with Nexx initially being notified in January of this year. The company was contacted multiple times regarding the vulnerability, including by CISA and Vice, and never acknowledged any of the attempted points of contact, which led to today’s public disclosure. Nexx appears to be ignoring all communications regarding these vulnerabilities specifically: when Sabetan reached out simply regarding his product for general support, the company replied.


Update 4/7: In an email sent to customers, Nexx is pushing a software update to affected devices to “enhance security and performance.” The company doesn’t directly address the vulnerability, only saying that it will disable the device’s connection to the internet until the update has rolled out (which seems like a massive simplification of what is actually happening). The email reads, in part:

We will be implementing a system update to the following product devices to enhance their security and performance: Nexx Garage (all models), Nexx Gate (all models), and Nexx Plug. It will be done in rolling batches starting today with the last batch expected by Monday, 04/10/2023, if not earlier. Your device should come back online once the update has been rolled out to it.

At Nexx, security is a top priority, and when it comes to our attention that there may be a potential security vulnerability to your device, even if it has not materialized, we take it seriously. We had to disable the device internet connection to address this issue, and we sincerely apologize for the inconvenience.


9to5Google reviewed one of Nexx’s garage door openers in 2021 as a part of our Google Home Essentials series. Given the severity of the vulnerability at play and the lack of communication from Nexx, we’ll be pulling that recommendation and updating our original post accordingly.


Author

Ben Schoon

Ben is a Senior Editor for 9to5Google.