Hackers can remotely tap into a particular brand of smart garage door opener controllers and open them across the world due to a series of security vulnerabilities that the brand, called Nexx, has declined to fix, according to findings from a security researcher.
The vulnerabilities pose a serious risk to users of Nexx, which offers wi-fi enabled garage door opener controllers among other products. The researcher who discovered the issue says that Nexx has not responded to their attempts to responsibly report the vulnerabilities for months, according to a copy of an email shared with Motherboard.
“Completely remote. Anywhere in the world,” Sam Sabetan, the security researcher, told Motherboard, describing the hack.
Nexx says it sells “Easy-to-use products that work with things you already own.” Its garage product connects to a person's existing garage door opener and allows them to activate it remotely through a smartphone app. “Life is complicated enough. Remembering whether or not you left your garage door open should be the least of your worries: Get peace of mind,” the company advertises on its website. Nexx has run campaigns on Kickstarter.
Sabetan made a video proof-of-concept of the hack. It shows him first opening his own garage door as expected with the Nexx app. He then logs into a tool to view messages sent by the Nexx device. Sabetan closes the door with the app, and captures the data the device sends to Nexx’s server during this action.
With that, Sabetan doesn’t just receive information about his own device, but messages from 558 other devices that aren’t his. He is now able to see the device ID, email address, and name linked to each, according to the video.
Sabetan then replays a command back to the garage through the software—rather than the app—and his door opens once again. Sabetan only tested this on his own garage door, but he could have remotely opened other users’ garage doors with this technique.
Sabetan told Motherboard he could open doors “for any customer.”
“That’s the craziest bug. But the disabling alarm and turning on [and] off smart plugs is pretty neat too,” he added, referring to another Nexx product that allows users to control power outlets in their home.
The consequences of someone weaponizing these vulnerabilities are wide-ranging and potentially a real security threat for Nexx’s customers. A hacker could open Nexx doors around the world at random, exposing their garage contents and perhaps their homes to opportunistic thieves. Pets might escape. Or customers might just get very annoyed at someone opening and closing their property with no idea of why it was happening. In more extreme cases, a hacker could use the vulnerabilities as part of a targeted attack against a particular garage that used Nexx’s security system.
Sabetan and Motherboard have repeatedly tried to contact Nexx about the issues. Sabetan said the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) told him it had attempted contact too. The company has failed to reply or fix the vulnerabilities. This means the security vulnerabilities are still available to hackers who may wish to abuse them. For that reason, Motherboard is not describing them in great detail and instead focusing on their impact to consumers. CISA published its own advisory about the security issues on Tuesday.
It appears Nexx is actively ignoring at least some inquiries trying to warn them of the vulnerabilities. After Nexx’s support email did not respond to his vulnerability report, Sabetan contacted Nexx’s support again, this time saying he was looking for help with his own Nexx product.
That time, Nexx’s support staff replied, according to a copy of the email Sabetan shared with Motherboard.
“Great to know your support is alive and well and that I’ve been ignored for two months,” Sabetan replied. “Please respond to ticket [ticket number],” he wrote, referring to his vulnerability report.