Just a few years ago, Nexx was among the most popular smart garage controller brands. But things have changed. Nexx doesn’t receive a ton of attention these days. And due to newly-discovered vulnerabilities, remaining customers should unplug their Nexx devices and consider a different brand.
Update, 4/7/23: On April 6th, Nexx emailed customers to warn of a “potential internet security vulnerability” in its Garage, Gate, and Plug products. It took the “proactive” measure of removing remote internet access from these products. Now, Nexx says it has a fix for this security issue.
Starting today, Nexx will roll out a security update to all affected products. This rollout will take until April 10th, “if not earlier,” to reach all users. For what it’s worth, Review Geek stands by the position it took when originally publishing this article.
Security researcher Sam Sabetan uncovered “a series of critical vulnerabilities” affecting all Nexx smart home products (except the Nexx Alarm). These vulnerabilities, which have already been assigned CVEs, stem from a major security oversight in Nexx’s MQTT implementation: every Nexx device uses the same password to connect to Nexx’s cloud servers.
What’s worse, this password is freely available in the Nexx app API (and it’s been published online). Anyone can use this password to gain remote control over a Nexx smart product. So, if your garage door is controlled through Nexx, don’t be surprised if it starts to randomly open and close.
If a hacker exploits Nexx’s MQTT vulnerability to the fullest extent, they can retrieve the personal information of all Nexx account holders. This personal data includes device IDs, first names, and email addresses, which makes it easy for hackers to target specific individuals.
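As an added illustration (not Nexx’s own configuration; the report does not describe Nexx’s broker or topic layout), the Mosquitto broker settings below contrast the single shared MQTT account the report describes with per-device credentials and a topic ACL, so that one leaked device credential cannot reach other customers’ devices. The device IDs, account names and topic names are hypothetical.

```conf
# mosquitto.conf (weak pattern, as in the report): every device logs in with
# the same username/password, and no acl_file is configured, so any client
# holding that password can publish and subscribe to every topic, including
# other customers' command topics. The credential also ends up in the app.
#
# listener 8883
# allow_anonymous false
# password_file /etc/mosquitto/passwd
# (passwd holds one shared entry, e.g. a user named "shared-device")

# mosquitto.conf (hardened pattern): one credential per device, provisioned
# at manufacturing or first boot rather than embedded in the mobile app,
# plus an ACL so each identity only sees its own topics.
listener 8883
allow_anonymous false
# One entry per device, e.g.: mosquitto_passwd -c /etc/mosquitto/passwd garage-0001
password_file /etc/mosquitto/passwd
# Once acl_file is set, anything not explicitly granted is denied.
acl_file /etc/mosquitto/acl

# /etc/mosquitto/acl
# %u is replaced with the authenticated username, so device "garage-0001"
# may only read/write garage/garage-0001/... (topic layout is hypothetical).
pattern readwrite garage/%u/#
# Only the cloud backend, under its own separate account, may fan out
# commands across all devices or read every device's status.
user cloud-backend
topic readwrite garage/#
```

With this layout a client that somehow obtains a device credential is confined to that one device’s topic tree, and a broker log entry showing one username publishing outside its own tree is a clear detection signal.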
“Nexx has not replied to any correspondence from myself, DHS (CISA and US-CERT) or VICE Media Group. I have independently verified Nexx has purposefully ignored all our attempts to assist with remediation and has let these critical flaws continue to affect their customers.” – Sam Sabetan
Nexx should have recognized this vulnerability on its own. But more importantly, it should have responded to emails from Sabetan, Homeland Security, and VICE. The company intentionally avoided correspondence, and for this reason, all remaining Nexx customers should consider switching to a new brand. (For what it’s worth, Nexx’s social media presence has been practically non-existent since 2020, and Sabetan found that the company only has about 20,000 active users. Nexx doesn’t appear to be in great health.)
Even if these problems are resolved, Review Geek cannot recommend a smart home company that intentionally neglects the privacy, security, and safety of its customers. We have revised all previous coverage of Nexx (of which there is very little) to address today’s story.
Nexx emailed customers about this vulnerability on April 6th. It also removed remote internet functionality from all affected Nexx devices in anticipation of a fix. Now, Nexx is rolling out a security patch that will reach all customers by April 10th. We’ve reached out to the company for a comment. You can read Sam Sabetan’s full security report on Medium.
Source: Sam Sabetan