IoT garage door exploit allows for remote opening attack

A popular and reasonably cheap garage door controller is making waves in the news, and not in a good way. Ars Technica reports that the $80 devices created by Nexx are suffering from a number of security issues which could compromise the safety of your home.

A Medium post by researcher Sam Sabetan reveals the details.

At the tail end of 2022, Sam discovered a “series of critical vulnerabilities” in the Nexx range of smart devices. These issues not only affected garage door openers, but also smart plug switches and alarms too.

Working with the US Cybersecurity and Infrastructure Security Agency (CISA), five CVEs were eventually assigned. As per the advisory, successful exploitation of these vulnerabilities could allow an attacker to receive sensitive information or hijack devices and not a huge amount of technical ability is required to perform the attacks.

Developers keep making the hard coded password mistake

What are some of the issues at play here? Well, one of the biggest is that hard coded credentials are used to talk to Nexx servers. What this means is that the password shipped with the product can never be changed. If someone finds out what it is, either from a list online or by socially engineering the victim, the game is indeed up.

As Ars Technica notes, this alongside controllers broadcasting unencrypted email addresses along with messages needed to open or close doors all means a fairly easy win for a competent attacker. Indeed, someone could potentially open your garage door from the other side of the planet if they wanted to. Sabetan estimates that somewhere in the region of more than 40,000 devices might be impacted by this issue, both commercial and residential users.

Additional vulnerabilities include smart alarm impersonation, which would allow attackers to ultimately control the branded home alarm system that the Nexx smart alarm controller operates.

Elsewhere, we have smart alarm hijacking which could allow an attacker to essentially remove all control from a home alarm out of the owner’s hands, granting them full access in the process.

The suggested fix: replace these devices

This is all very bad. Worse, Sabetan reports that Nexx has “consistently ignored communication attempts from myself, the Department of Homeland Security, and the media”. One has to wonder if the company is unwilling or unable to fix the issue. With this in mind, the only real advice which Sabetan has is the same as when you realise your phone is running an abandoned app. As painful as it may be to start reorganising how your physical home meshes with the digital world, it’s time to start ripping everything out and look for other home security solutions.

From the CISA mitigations page, which doesn’t go quite as far as Sabetan’s advice to remove all of the Nexx products from your home or place of business:

  • Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.
  • CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

The Internet of Things can be a perilous place, and the lack of effective security in these tools we entrust our homes to is far from ideal. If you have devices and apps being used to power your home, alarms, doors, windows, or anything else, now is the time to check if those passwords are hard coded.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.