Garage Door Openers Are Vulnerable to Hijacking Due to Unpatched Security Weaknesses

According to the US Cybersecurity and Infrastructure Security Agency (CISA), Nexx’s garage door controllers, smart plugs, and smart alarms have security flaws that could allow attackers to break into homes and open garage doors, take over smart plugs, and control smart alarms remotely. CISA recommends that Nexx users disconnect vulnerable devices until the security flaws are fixed, but there has been no word on when a patch will be released.

Furthermore, although independent cybersecurity researcher Sam Sabetan claimed to have informed Nexx of multiple vulnerabilities in late 2022, the firm has not yet responded. Nexx did not respond to a request for comment from the media, either.

The three main Nexx Internet of Things (IoT) products included in the CISA’s April 4 alert are:

  1. Nexx Garage Door Controller (NXG-100B, NXG-200), version nxg200v-p3-4-1 and prior;
  2. Nexx Smart Alarm (NXAL-100), version nxal100v-p1-9-1 and prior; and
  3. Nexx Smart Plug (NXPG-100W), version nxpg100cv4-0-0 and prior.

According to CISA, there are five vulnerabilities in the Nexx products, the most severe of which has a critical CVSS score of 9.3.

  1. CVE-2023-1748: Use of hard-coded credentials, CWE-798 (CVSS 9.3)
  2. CVE-2023-1749: Authorization bypass via a user-controlled key, CWE-639 (CVSS 6.5)
  3. CVE-2023-1750: Authorization bypass via a user-controlled key, CWE-639 (CVSS 7.1)
  4. CVE-2023-1751: Improper input validation, CWE-20 (CVSS 7.5)
  5. CVE-2023-1752: Improper authentication, CWE-287 (CVSS 8.1)

Both Sabetan and CISA advise users to disconnect impacted devices until Nexx releases a fix. In his disclosure, Sabetan stated that Nexx customers are highly recommended to disconnect their devices and get in touch with Nexx to ask about corrective action. Consumers must demand more robust security standards from manufacturers and stay informed of the possible threats IoT devices pose.

About the author

Yehudah Sunshine

Bringing together his diverse professional cyber know-how, intellectual fascination with history and culture, and eclectic academic background focusing on diplomacy and the cultures of Central Asia, Yehudah Sunshine keenly blends his deep understanding of the global tech ecosystem with a nuanced worldview of the underlying socio-economic and political forces which drive policy and impact innovation in the cyber sectors. Yehudah's current work focuses on how to create opportunities, enhance marketing strategies, and elevate cyber-driven thought leadership for cyfluencer (www.cyfluencer.com), the cybersecurity thought leadership platform. Sunshine has written and researched extensively within cybersecurity, the service sectors, international criminal accountability, Israel's economy, Israeli diplomatic inroads, Israeli innovation and technology, and Chinese economic policy.