Hackers discovered a bug that gave them access to user info and allowed them to remotely open and close garage doors from Internet-of-Things brand Nexx, as Motherboard reports. Nexx’s wi-fi controllers connect to common garage door openers, turning existing hardware into networked devices that owners can operate from anywhere in the world.
- All 12 Gran Turismo Games Ranked From Worst to Best
- The Cars That You Think Would Be Better Topless
- 2024 Mercedes GLS Adds a Bit of Power and a Controversial Steering Wheel
Now, hackers may also operate these wi-fi enabled garage doors due to a bug found by cybersecurity researcher Sam Sabetan, who tells Motherboard that he was able to intercept sensitive data sent from the Nexx wi-fi controller to the company’s U.S.-based servers:
Sabtean made a video proof-of-concept of the hack. It shows him fist opening his own garage door as expected with the Nexx app. He then logs into a tool to view messages sent by the Nexx device. Sabetan closes the door with the app, and captures the data the device sends to Nexx’s server during this action.
With that, Sabetan doesn’t just receive information about his own device, but messages from 558 other devices that aren’t his. He is now able to see the device ID, email address, and name linked to each, according to the video.
Sabetan then replays a command back to the garage through the software—rather than the app—and his door opens once again. Sabetan only tested this on his own garage door, but he could have remotely opened other users’ garage doors with this technique.
The specific exploit was not described in detail in order to protect users who may still be vulnerable to the hole in the app’s security. What’s worse, the flaw applies to other devices that the company sells, including wi-fi enabled alarms and smart plugs. Again, these devices are all integrated into the Nexx app, so it’s possible for hackers to intercept their data and possibly even control them as the video shows. Cool wheels on that Scion FR-S, by the way.
On top of being able to open and close garage doors and possibly enter someone’s home, hackers could also disable Nexx alarms and even power down anything connected to power outlets that are networked via Nexx controllers.
This specific bug has gone unaddressed for months, according to Sabetan, who says he’s attempted to reach out to Nexx repeatedly since discovering the weakness. The company has been unresponsive to the white hat’s reports so far.
Sabetan adds that support staff at the company did finally respond to an inquiry that he framed as seeking “help with his own Nexx product.” Technically, that’s true since the researcher needed help with his Nexx product — as well as whatever others exhibit the same security flaw. Nexx support promptly replied to his request for “help”, but Sabetan said, “Great to know your support is alive and well and that I’ve been ignored for two months.”
It is possible that messages sent to the help desk are screened and then sent to different departments. But Nexx has also reportedly ignored contact attempts from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. This subsection at Homeland published an advisory about the Nexx devices this week, but Nexx has failed to officially acknowledge the issue.
Nexx has neither responded to the bug reports from Sabetan, nor released a patch in the meantime. That’s just the reality of the constantly connected world we live in, where so-called smart homes can be rendered unsafe by a device that promises to make life more convenient and, ostensibly, safer to begin with.
Nexx talks up the worth of its garage door controllers by saying it will help rid you of the anxiety in wondering whether you left the garage door open. We’ve reached out for comment, and will provide an update if Nexx replies.