It's this easy to seize control of someone's Nexx 'smart' home plugs, garage doors

A handful of bugs in Nexx's smart home devices can be exploited by crooks to, among other things, open doors, power off appliances, and disable alarms. More than 40,000 of these gadgets in residential and commercial properties are said to be vulnerable after the manufacturer failed to act.

After the Internet-of-Things biz reportedly ignored attempts over three months by Sam Sabetan, who discovered the vulnerabilities, and the US government's Cybersecurity and Infrastructure Security Agency (CISA) to help fix the flaws, both Sabetan and Uncle Sam have gone public with the details so users can minimize their risk.

Or better yet, as Sabetan suggests, "immediately unplug all Nexx devices."

The Register tried to contact Nexx for this story, and the manufacturer didn't respond to our requests, either.

As of April 4, CISA said it wasn't aware of exploits that specifically target these vulnerabilities, though now that details are out there, that may change quickly.

The five vulnerabilities affect Nexx garage door controllers (NXG-100B, NXG-200) with firmware version nxg200v-p3-4-1 and prior; Nexx smart plugs (NXPG-100W) version nxpg100cv4-0-0 and prior; and Nexx smart alarms (NXAL-100) version nxal100v-p1-9-1 and prior.

CVE-2023-1748 is the most serious flaw, and it received a 9.3 out of 10 CVSS severity score. Essentially, vulnerable Nexx smart home products use hard-coded credentials. Miscreants can easily obtain these magic creds from Nexx's mobile app or firmware, and use them to access any stranger's Nexx hardware remotely.

An unauthenticated attacker can use these credentials to access Nexx's Message Queuing Telemetry Transport (MQTT) server — MQTT is the messaging protocol Nexx garage door controllers, smart plugs, and other IoT devices use. From there, the miscreant can see all MQTT messages for Nexx's customers and devices, and send commands to control strangers' garage doors and power plugs.

This is the vulnerability Sabetan said can be exploited to remotely open garage doors, and he shared a video about it on YouTube.

Because Nexx smart plugs are vulnerable to this flaw, miscreants could turn on and off household appliances connected to these plugs, "or even security cameras," Sabetan added.

The next two vulnerabilities, CVE-2023-1749 and CVE-2023-1750 are insecure direct object reference (IDOR) vulnerabilities. That's a fancy way of saying the devices don't perform sufficient checks when told to do something. In this case, an attacker just needs someone's NexxHome deviceId to send instructions to that person's smart home device, via the Nexx API, and the hardware will just obey it.

A third flaw, CVE-2023-1751, is due to improper input validation. The affected devices use a WebSocket server to manage messages between Nexx's cloud and the devices.

The server, however, doesn't properly validate if the bearer token in the authorization header belongs to the device trying to connect to the cloud. This could allow any Nexx user with a valid authorization token from a single device to control any smart home alarm.

• Hey Siri, use this ultrasound attack to disarm a smart-home system
• Smart ovens do really dumb stuff to check for Wi-Fi
• Nice smart device – how long does it get software updates?
• Swatting suspects charged with subverting Ring doorbell cams and calling cops

Finally, CVE-2023-1752 allows someone to register an already-registered home alarm using the device's MAC address. "As a result, the device is removed from the original owner's account, allowing the attacker to gain full access and arm or disarm the alarm," Sabetan said. 

After finding the flaws, Sabetan reached out to Nexx via the vendor's support website on January 4. "Efforts to reach Nexx include support tickets from various accounts, a public phone number found through OSINT, personal email addresses from FCC filings, social media posts on Twitter and Facebook, as well as government and media involvement," he noted. 

CISA began trying to contact the IoT device maker later in January. After several more failed attempts over the next few months, on March 16 the agency issued an advisory due to the lack of support from the manufacturer. ®