Garage Door Openers Open to Hijacking, Thanks to Unpatched Security Vulns

CISA is advising Nexx customers to unplug impacted devices until the security issues are addressed — but so far, it’s crickets as to patch timeline.

DARKReading

Garage door controllers, smart plugs, and smart alarms sold by Nexx contain cybersecurity vulnerabilities that could enable cyberattackers to crack open home garage doors, take over smart plugs, and gain remote control of smart alarms, according to the US Cybersecurity and Infrastructure Security Agency (CISA).

And although independent cybersecurity researcher Sam Sabetan reported that he discovered several vulnerabilities in late 2022 and alerted Nexx to the issues, the company has yet to respond.

Nexx has not replied to Dark Reading’s request for comment, either.

CISA’s April 4 warning applies to three specific Nexx Internet of Things (IoT) products: Nexx Garage Door Controller (NXG-100B, NXG-200), version nxg200v-p3-4-1 and prior; Nexx Smart Plug (NXPG-100W), version nxpg100cv4-0-0 and prior; and Nexx Smart Alarm (NXAL-100), version nxal100v-p1-9-1 and prior.

The Nexx products have five identified vulnerabilities, according to CISA; the most severe carries a critical CVSS score of 9.3.

  1. CVE-2023-1748: Use of Hard-Coded Credentials (CWE-798), CVSS 9.3
  2. CVE-2023-1749: Authorization Bypass Through User-Controlled Key (CWE-639), CVSS 6.5
  3. CVE-2023-1750: Authorization Bypass Through User-Controlled Key (CWE-639), CVSS 7.1
  4. CVE-2023-1751: Improper Input Validation (CWE-20), CVSS 7.5
  5. CVE-2023-1752: Improper Authentication (CWE-287), CVSS 8.1

Until Nexx issues a fix, Sabetan and CISA recommend that users unplug affected devices.

“If you are a Nexx customer, I strongly recommend disconnecting your devices and contacting Nexx to inquire about remediation steps,” Sabetan said in his disclosure. “It is crucial for consumers to be aware of the potential risks associated with IoT devices and to demand higher security standards from manufacturers.”


Related news

CISA Warns of Critical ICS Flaws in Hitachi, mySCADA, ICL, and Nexx Products

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published eight Industrial Control Systems (ICS) advisories warning of critical flaws affecting products from Hitachi Energy, mySCADA Technologies, Industrial Control Links, and Nexx. Topping the list is CVE-2022-3682 (CVSS score: 9.9), impacting Hitachi Energy's MicroSCADA System Data Manager SDM600 that could allow an

CVE-2023-1748

The listed versions of Nexx Smart Home devices use hard-coded credentials. An attacker with unauthenticated access to the Nexx Home mobile application or the affected firmware could read the credentials, connect to the MQ Telemetry Transport (MQTT) server, and gain the ability to remotely control garage doors or smart plugs belonging to any customer.
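The weakness behind CVE-2023-1748 is a credential that ships inside the firmware or the mobile app, where anyone who unpacks the image can read it. The check a reviewer would run on an image before release is the one `strings(1)` plus a credential grep approximates: carve printable runs out of the binary and flag anything that looks like a broker URL with embedded userinfo or a password-style key/value pair. The Python below is an added example, not code from Nexx, CISA, or Dark Reading; the firmware bytes, hostname (`broker.example.invalid`) and secrets in it are constructed for the demonstration and bear no relation to Nexx's real firmware or broker.

```python
"""Scan a firmware image (or app binary) for embedded credentials.

Added example: not code from Nexx, CISA, or Dark Reading. SAMPLE_FIRMWARE,
its hostname and its secrets are constructed for this demonstration.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

MIN_STRING_LEN = 6  # same default as strings(1)


@dataclass(frozen=True)
class Finding:
    offset: int  # byte offset of the match inside the image
    kind: str    # which pattern fired
    text: str    # the matched text, with the secret itself redacted


def extract_strings(blob: bytes, min_len: int = MIN_STRING_LEN) -> Iterator[Tuple[int, str]]:
    """Yield (offset, text) for every run of printable ASCII of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    for m in re.finditer(pattern, blob):
        yield m.start(), m.group().decode("ascii")


# (kind, regex, index of the capture group holding the secret)
CREDENTIAL_PATTERNS = [
    # broker URL carrying userinfo, e.g. mqtt://user:pass@host:port (also mqtts, tcp, ws, wss)
    ("url_userinfo",
     re.compile(r"\b(?:mqtts?|tcp|wss?)://([^\s:/@]+):([^\s@]+)@([^\s/]+)", re.I),
     2),
    # key=value / key: value where the key names a password, passphrase or API key
    ("keyvalue",
     re.compile(r"\b((?:mqtt_?)?(?:password|passwd|pass|api_?key|secret))\s*[=:]\s*['\"]?([^\s'\",;]{4,})", re.I),
     2),
]


def _redact(m, secret_group: int) -> str:
    """Return the matched text with the secret group replaced, so reports can be shared."""
    start, end = m.span(secret_group)
    base = m.start()
    text = m.group()
    return text[:start - base] + "<redacted>" + text[end - base:]


def scan_for_credentials(blob: bytes) -> List[Finding]:
    """Run every credential pattern over every printable string in the image."""
    findings: List[Finding] = []
    for offset, text in extract_strings(blob):
        for kind, regex, secret_group in CREDENTIAL_PATTERNS:
            for m in regex.finditer(text):
                findings.append(Finding(offset + m.start(), kind, _redact(m, secret_group)))
    return findings


# Constructed stand-in for a firmware image: an ELF-like header, some benign
# strings, one broker URL with userinfo and one password assignment.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 16
    + b"Smart plug firmware v4.0.0 (constructed sample)\x00"
    + b"mqtt_host=broker.example.invalid\x00"          # hostname alone is not flagged
    + b"\x00" * 8
    + b"mqtt://shared-device:S3cretShared!@broker.example.invalid:1883\x00"
    + b"\xff" * 12
    + b"MQTT_PASSWORD=hunter2\x00"
    + b"log: connected to broker\x00"
    + b"\x00" * 8
)

if __name__ == "__main__":
    for f in scan_for_credentials(SAMPLE_FIRMWARE):
        print(f"0x{f.offset:06x}  {f.kind:<12}  {f.text}")
```

A hit from this scan is only half the story. A static scan cannot tell whether the embedded credential is unique to the device or shared across the whole fleet; it is the shared credential, combined with a broker that does not restrict each client to its own topics, that turns CWE-798 into control of any customer's device. Verify the broker's per-client ACLs as a separate step.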
