According to the US Cybersecurity and Infrastructure Security Agency (CISA), Nexx's garage door controllers, smart plugs, and smart alarms have security flaws that could allow attackers to open garage doors, take over smart plugs, and control smart alarms remotely, and so potentially break into homes. CISA recommends that Nexx users disconnect vulnerable devices until the flaws are fixed, but there is no word on when a patch will be released.
Independent cybersecurity researcher Sam Sabetan says he reported multiple vulnerabilities to Nexx in late 2022, but the firm has not yet responded to him. Nexx did not respond to media requests for comment, either.
The three Nexx Internet of Things (IoT) products covered by CISA's April 4 advisory are:
- Nexx Garage Door Controller (NXG-100B, NXG-200), version nxg200v-p3-4-1 and prior;
- Nexx Smart Alarm (NXAL-100), version nxal100v-p1-9-1 and prior; and
- Nexx Smart Plug (NXPG-100W), version nxpg100cv4-0-0 and prior.
According to CISA, the Nexx products carry five vulnerabilities; the most severe has a critical CVSS severity score of 9.3.
- CVE-2023-1748: Use of hard-coded credentials (CWE-798), CVSS 9.3
- CVE-2023-1749: Authorization bypass through a user-controlled key (CWE-639), CVSS 6.5
- CVE-2023-1750: Authorization bypass through a user-controlled key (CWE-639), CVSS 7.1
- CVE-2023-1751: Improper input validation (CWE-20), CVSS 7.5
- CVE-2023-1752: Improper authentication (CWE-287), CVSS 8.1
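Two of the five entries above fall under CWE-639, where a server looks up a resource by a key supplied by the client and never checks that the caller is entitled to it. The following is an added illustration of that weakness class and its fix; it is a hypothetical cloud API for a garage-door controller written for this article, not Nexx's code, protocol, or the actual flaw in CVE-2023-1749 or CVE-2023-1750. The device ids, account names, and audit records are constructed sample data.

```python
# Added illustration of CWE-639 (authorization bypass through a
# user-controlled key). Hypothetical garage-door cloud API; nothing here
# is Nexx's code or describes the real vulnerabilities.
from dataclasses import dataclass


@dataclass
class Device:
    device_id: str
    owner: str          # account that registered the device (server-side record)
    state: str = "closed"


class Forbidden(Exception):
    """Raised when the caller does not own the device it names."""


def make_fleet():
    # Constructed sample data: two accounts, one device each.
    return {
        "dev-001": Device("dev-001", "alice"),
        "dev-002": Device("dev-002", "bob"),
    }


def open_door_vulnerable(fleet, authenticated_user, request):
    """CWE-639 pattern: the device_id comes straight from the client and is
    used as the lookup key with no check that authenticated_user owns it, so
    any logged-in account can operate any device whose id it knows."""
    device = fleet[request["device_id"]]
    device.state = "open"
    return device.owner, device.state


def open_door_hardened(fleet, authenticated_user, request):
    """Hardened form: resolve the key, then verify ownership against the
    server-side record before acting. Unknown ids and foreign devices get
    the same refusal so the endpoint does not reveal which ids exist."""
    device = fleet.get(request["device_id"])
    if device is None or device.owner != authenticated_user:
        raise Forbidden("device not found or not owned by caller")
    device.state = "open"
    return device.owner, device.state


def is_refused(fleet, authenticated_user, request):
    """True if the hardened handler rejects the request."""
    try:
        open_door_hardened(fleet, authenticated_user, request)
    except Forbidden:
        return True
    return False


def cross_account_attempts(audit_log, fleet):
    """Defender-side check over constructed audit records: return every
    request whose caller is not the registered owner of the device named.
    A burst of these against one account is the signal to look for."""
    return [rec for rec in audit_log
            if fleet.get(rec["device_id"]) is None
            or fleet[rec["device_id"]].owner != rec["user"]]


if __name__ == "__main__":
    # bob asks the API to open alice's door
    print(open_door_vulnerable(make_fleet(), "bob", {"device_id": "dev-001"}))
    print("refused:", is_refused(make_fleet(), "bob", {"device_id": "dev-001"}))
```

The fix is not in the lookup but in the binding: the key the client sends is only a hint, and the server's own ownership record decides whether the action proceeds. The `cross_account_attempts` helper shows the same comparison used retrospectively over an audit log, which is how a defender would spot exploitation of an endpoint that lacked the check.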
Sabetan and CISA both advise users to disconnect affected devices until Nexx releases a fix. Sabetan stated in his disclosure that if you are a Nexx customer, it is highly recommended that you disconnect your devices and get in touch with Nexx to ask about corrective action. Consumers should demand more robust security standards from manufacturers and be aware of the risks IoT devices can pose.