Nexx smart home devices vulnerable to exploits
A handful of exploitable flaws in Nexx’s smart home devices are estimated to put over 40,000 residential and commercial premises at risk.
The flaws allow attackers to unlock doors, turn off appliances, and disarm alarms, among other things. Even though the US government’s Cybersecurity and Infrastructure Security Agency (CISA) and Sam Sabetan, who found the holes, spent three months trying to help remedy the issues, the devices’ maker apparently refused to respond.
Because of the lack of response, Sabetan and CISA have now made the details public so that consumers can reduce their risk. Sabetan recommends that consumers “immediately unplug all Nexx devices.”
On April 4, CISA indicated that it was unaware of any particular exploits targeting these vulnerabilities. However, now that the information is out, the situation could change quickly. Nexx garage door controllers (NXG-100B, NXG-200), Nexx smart plugs (NXPG-100W), and Nexx smart alarms (NXAL-100) are all affected by the five vulnerabilities.
The most critical problem is CVE-2023-1748: Nexx smart home devices use hard-coded credentials. Attackers can extract these credentials from Nexx’s mobile app or firmware and use them to remotely access any stranger’s Nexx gear.
These credentials can be used by an unauthenticated attacker to gain access to Nexx’s Message Queuing Telemetry Transport (MQTT) server. Nexx garage door controllers, smart plugs, and other IoT devices employ this communications protocol.
From there, attackers can view all MQTT communications and issue commands to control other people’s garage doors and smart plugs. In a YouTube video, Sabetan demonstrated how to exploit this issue to remotely unlock garage doors.
Sabetan also warns that because Nexx smart plugs are vulnerable to this flaw, hackers could turn on and off household appliances connected to these plugs, including security cameras.
Two other vulnerabilities, CVE-2023-1749 and CVE-2023-1750, are insecure direct object reference (IDOR) vulnerabilities. This means that the devices don’t perform sufficient checks when given instructions, so an attacker only needs someone’s NexxHome deviceId to control their smart home device via the Nexx API.
A third flaw, CVE-2023-1751, is due to improper input validation. The affected devices use a WebSocket server to manage messages between Nexx’s cloud and the devices. However, the server does not properly validate whether the bearer token in the authorization header belongs to the device trying to connect to the cloud. This could allow any Nexx user with a valid authorization token from a single device to control any smart home alarm.
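The missing check behind both the IDOR flaws and the WebSocket token flaw is object-level authorization: confirming that the account behind the bearer token owns the device being addressed. The sketch below is an added illustration, not Nexx's code or API; every function name, token and device ID in it is hypothetical and the sample data is constructed.

```python
# Added illustration; all names and data are hypothetical, not Nexx's API.
DEVICE_OWNER = {"dev-garage-001": "alice", "dev-alarm-002": "bob"}  # constructed
TOKEN_ACCOUNT = {"tok-alice": "alice", "tok-bob": "bob"}            # constructed


class Forbidden(Exception):
    """Caller is not authorized for the requested device."""


def send_command_vulnerable(bearer_token, device_id, command):
    """IDOR pattern: the token is checked, the deviceId is trusted as given."""
    if bearer_token not in TOKEN_ACCOUNT:
        raise Forbidden("invalid token")
    if device_id not in DEVICE_OWNER:
        raise Forbidden("unknown device")
    return f"{command} -> {device_id}"


def authorize(bearer_token, device_id):
    """Return the account only if the token's account owns device_id."""
    account = TOKEN_ACCOUNT.get(bearer_token)
    owner = DEVICE_OWNER.get(device_id)
    # One generic error for bad token, unknown device and foreign device,
    # so responses do not confirm which deviceIds exist.
    if account is None or owner is None or account != owner:
        raise Forbidden("not authorized for this device")
    return account


def send_command_hardened(bearer_token, device_id, command):
    """API path: object-level check before the command is queued."""
    authorize(bearer_token, device_id)
    return f"{command} -> {device_id}"


def accept_socket_hardened(bearer_token, claimed_device_id):
    """WebSocket path: bind the session to a device the token may use."""
    account = authorize(bearer_token, claimed_device_id)
    return {"account": account, "device_id": claimed_device_id}


def attempt(handler, *args):
    """Run a handler and report 'allowed' or 'denied'."""
    try:
        handler(*args)
        return "allowed"
    except Forbidden:
        return "denied"
```

With the constructed data, a request carrying alice's token for bob's alarm is allowed by the first handler and denied by the hardened ones.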
Finally, CVE-2023-1752 allows someone to register an already-registered home alarm using the device’s MAC address. This enables the attacker to gain full access to the device and arm or disarm the alarm, as it is removed from the original owner’s account.
Sabetan reported the flaws to Nexx via the vendor’s support website on January 4. “Efforts to reach Nexx include support tickets from various accounts, a public phone number found through OSINT, personal email addresses from FCC filings, social media posts on Twitter and Facebook, as well as government and media involvement,” he noted. CISA began trying to contact the IoT device maker later in January. After several failed attempts over the next few months, on March 16, the agency issued an advisory due to the lack of support from the manufacturer.
The sources for this piece include an article in The Register.