‘Smart’ Garage Door Company Nukes Key Feature After Ignoring Vulnerability For Months
from the that's-one-way-to-fix-it dept
It will never stop being humorous uncovering just how many smart products are run by dumb companies. If you’re going to roll out a product that connects to the internet, you would think that the very basics of IT/internet security in those products would be taken into account. You would also think that there would be intelligent contingency plans proactively thought out for when something inevitably goes wrong or the unexpected is uncovered.
Meet Nexx. Nexx makes smart garage door openers that allow you to control your garage door via an app either over an internet connection or, if you’re close by, over Bluetooth. A researcher named Sam Sabetan uncovered a series of vulnerabilities within the app itself, which allowed him to get information not just about his own Nexx device, but about a ton of others as well.
Sabetan made a video proof-of-concept of the hack. It shows him first opening his own garage door as expected with the Nexx app. He then logs into a tool to view messages sent by the Nexx device. Sabetan closes the door with the app, and captures the data the device sends to Nexx’s server during this action.
With that, Sabetan doesn’t just receive information about his own device, but messages from 558 other devices that aren’t his. He is now able to see the device ID, email address, and name linked to each, according to the video. Sabetan then replays a command back to the garage through the software—rather than the app—and his door opens once again. Sabetan only tested this on his own garage door, but he could have remotely opened other users’ garage doors with this technique.
Sabetan believes that this would allow him to open the garage doors for pretty much any Nexx customer. Additionally, it appears that Nexx makes an app allowing for control over a home’s power outlets, too, which he could also manipulate using this technique. This is all obviously a massive security threat, which is why Sabetan contacted Nexx about it.
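A minimal model of the two server-side checks whose absence the video demonstrates, per-account message filtering and replay rejection, as an added example that is not Nexx's code or part of the original article. The device IDs, accounts, keys and message format are constructed assumptions; the article does not describe Nexx's actual protocol.

```python
import hashlib
import hmac

# Constructed sample data: device IDs, owners and per-device keys are hypothetical.
DEVICE_OWNER = {"dev-A": "alice@example.com", "dev-B": "bob@example.com"}
DEVICE_KEY = {"dev-A": b"key-for-device-A", "dev-B": b"key-for-device-B"}


def visible_messages(account, messages):
    """Deliver only messages from devices the requesting account owns."""
    return [m for m in messages if DEVICE_OWNER.get(m["device_id"]) == account]


def sign_command(device_id, action, counter):
    """App side: bind the action to one device and a one-time counter."""
    payload = f"{device_id}|{action}|{counter}".encode()
    return hmac.new(DEVICE_KEY[device_id], payload, hashlib.sha256).hexdigest()


class CommandGate:
    """Server side: accept a command only if authorized, authentic and fresh."""

    def __init__(self):
        self.last_counter = {}  # device_id -> highest counter accepted so far

    def accept(self, account, device_id, action, counter, tag):
        # Authorization: the caller must own the target device.
        if DEVICE_OWNER.get(device_id) != account:
            return "rejected: not owner"
        # Authenticity: the tag must cover this exact device, action and counter.
        expected = sign_command(device_id, action, counter)
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad signature"
        # Freshness: a captured command cannot be sent a second time.
        if counter <= self.last_counter.get(device_id, 0):
            return "rejected: replay"
        self.last_counter[device_id] = counter
        return "accepted"


def demo():
    """Run one legitimate command, then resend the identical captured message."""
    gate = CommandGate()
    tag = sign_command("dev-A", "open", 1)
    first = gate.accept("alice@example.com", "dev-A", "open", 1, tag)
    replayed = gate.accept("alice@example.com", "dev-A", "open", 1, tag)
    return first, replayed
```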
Nexx ignored him. For months. Worried his messages weren’t getting through, Sabetan then opened a new ticket for support on his device and was contacted back. In response, he again asked Nexx to take a look at the original ticket he’d opened for the vulnerability. Nexx again did not respond, which is when Sabetan took the story to Motherboard.
“Great to know your support is alive and well and that I’ve been ignored for two months,” Sabetan replied. “Please respond to ticket [ticket number],” he wrote, referring to his vulnerability report.
The response from Nexx finally came, but not to Sabetan. Instead, Nexx simply nuked the entire IoT function of the product, leaving Bluetooth as the only way to open a Nexx garage door. It then put this message out to its customers.
“It has come to our attention of a potential internet security vulnerability with the following products: Nexx Garage, Nexx Gate, and Nexx Plug,” an email sent by the company, called Nexx, to customers, reads according to a post on Hacker News. A member of a Facebook Page for Nexx customers wrote a post saying they received a similarly worded email. “As we examine the issue, we are taking proactive action by temporarily disabling internet access remote control” for the products, the message continues.
Nexx and I appear to have a serious deviation in terms of our definition of the word “proactive.” This is all very, very reactive, and it’s causing a bunch of confusion and anger with Nexx’s clients.
“I have two NXG100 units that both stopped working at the same time last night. I disconnected power and reconnected just to see if that would reset it…. that didn’t work,” one impacted customer wrote on the Nexx Community Facebook page. “If they don’t address their security vulnerabilities, it might be time to move onto another product,” the customer added in another post.
And now Nexx is ducking Motherboard’s repeated follow-ups trying to get some kind of comment from the company. If you’re a Nexx customer, or a potential one, this likely won’t set your mind at ease, having a product’s key feature disabled and having security concerns such as this addressed so poorly.


Comments on “‘Smart’ Garage Door Company Nukes Key Feature After Ignoring Vulnerability For Months”
Why do people buy this shit?
Re:
Because you can’t see the pig (or cat) until you’ve already bought the poke.
Re:
Because people search “magic widget” on Rainforest, sort by cheapest price, click “Buy.”
Nexx Garage
They have already released new firmware to fix this. This news is over a week old. This post is 7+ days late.
Re:
It is still news to me ..
that there is no whatcouldpossiblygowrong dept at this business.
Re: "They have already released new firmware to fix this."
You don’t know if they’ve actually properly fixed it, nor do you know if they’ll properly respond to the next vulnerability report, nor do the rest of us, so keeping their lax behaviour in the limelight is fully justified.
I can see the anger/confusion. But if Nexx actually looked at their code and determined it was as bad as a lot of code I have seen, shutting down all internet connectivity would be a very sane thing to do (at least for the months or more it would take to rewrite all the affected software).
Now I have no clue how their stack looks, it could be better or worse. My point is: it is not definitive that Nexx’s reaction is an overreaction.
Re:
Ignoring the person reporting the problem for MONTHS isn’t something I see as an action taken by a company on the up and up.
The “hack” wasn’t that hard to get and well one dude decided to try it so the odds are in the favor someone else discovered it & didn’t report or might have shortly.
They sold a product with a feature that they didn’t appear to have done any testing on & the response is to brick the units with hand waving about if & when people might get back the features that helped them decide what product to purchase.
The fact a customer tried the ever popular turn it on and off support solution on their own means they weren’t doing a good job contacting customers that this was coming.
All of their products used the same server that didn’t sound like it had much security on it which doesn’t give one much hope they have the staff who could repair the code to work like it should.
Hey on the upside, this probably blew up their future plans to create a monthly fee to keep the features you had when you bought it.
Re: Re:
Well, my original comment shouldn’t be taken as a defense of Nexx. Only that we should (figuratively) burn them for the things they got wrong (which you covered much of).
Their final reaction may well have been the correct call. If you’re going to make IoT-ish stuff, you have to meet the bare minimum of security best practice, else you risk being soundly mocked[1] by security experts, and anyone non-ignorant of basic software security best practice. Unfortunately I don’t think most IoT vendors could not care less about the mocking.
[1] This should also trigger something like criminal negligence, or fraud. Unfortunately the US seems to have no interest in protecting customers (and our infrastructure I guess) against products that are so badly insecure.
Re: Re: Re:
Didn’t think you were defending them, just annoyed to see this happen yet again.
(Insert my spiel about being an immortal and humans never learning always thinking they are too smart to make the same mistake yet again.)
They just grabbed something that would do what they wanted without giving it much more thought which is a horrible idea.
See also: Many card skimmers all use the same BT chip and no one bothered to change the name it displays so there literally was an app to detect nearby skimmers that just looked for the default ID.
The idiocy of this is that it’s so easy these days to set up a webservice and make a SOAP call to that webservice using secure http. You don’t need to write your own encryption. Obviously you still wouldn’t want to send anything back to the client that compromises other devices, but it looks like in this case they weren’t even encrypting the traffic.
Re:
I think you’re forgetting about key/certificate management, the need to gather entropy (thus increasing the hardware cost), and the fact that all this complexity is aimed at solving a problem that few people have ever had.
Well, I did once live with the type of person who’d turn around after 10 minutes of driving to check that they turned off the stove and closed the garage door. But, otherwise, does anyone have a pressing need to communicate with such devices when not near them? Security is probably the only thing about the standard hardware-store door-openers that needs improving, and adding an internet connection obviously doesn’t help with that.
Who's up for a security nightmare?
Excuse the fuck out of me, but all of you (so far) have missed the point, namely – why in all creation is some personal device sending any data to some wild-ass server, allegedly controlled by a johnny-come-lately IoT company?????? Talk about ripe for exploitation and abuse….. Jesus H. Fucking Christ on a jumped-up Pogo stick!!
Your own home network router can do the job just fine, and possibly Bluetooth can do it at a reasonable distance as well. But I defy anyone to give me a good reason to be able to open your own garage door from across the city/state/planet. Oh, wait… you forgot to close it this morning, you were so late getting to work, is that it bunky? And what did you do to rectify that situation prior to buying one of these first-place-losers at a local hack-a-thon, hmmmm? That’s right, you lived with it, and either hoped/prayed that no one diddled your home, or you left work and yadda yadda yadda.
As said above, how in HELL did we as a society become so stupid that we build locks that evoke “Oh, look – shiny! It must be good!”, and then have the gall to wonder “how did this happen” when someone proves those locks to be worthless. Answer me that, if you please.
Re:
Yeah, the standard range of Bluetooth 5 is 40 metres—but Wikipedia says up to 400 is sometimes possible. Really, all a person normally needs is about 10, and using an app to operate the door at a longer range is effectively illegal in many areas—can’t operate a phone while driving on a public road. So Bluetooth doesn’t add much compared to the “standard” 300-400 MHz door opener protocols.
I think most of us would’ve called a neighbor. An auto-close feature could also be useful without internet, though I’m sure some people would lock themselves out and then maybe it would be made illegal in California (where at least 5 people died because they couldn’t figure out how to open their garage doors without electricity).
If something talks to a wi-fi or cellular network, the buyers expect to throw it out within a few years. It’d be a little surprising to get much beyond 5 years, and shocking to get to 10. Presumably, that makes it more profitable than the standard opener, many of which were sold in the 1980s and never replaced.
“I have two NXG100 units that both stopped working at the same time last night. I disconnected power and reconnected just to see if that would reset it…. that didn’t work,” one impacted customer wrote on the Nexx Community Facebook page. “If they don’t address their security vulnerabilities, it might be time to move onto another product,” the customer added in another post.
Cue Nexx setting up another company and selling that person the same-ass product rebranded.
will bet
it’s a packet size requirement.
They just bundle up ?? data and send it with your code on top. Instead of adding filler.
And the car in the garage is unlocked too! Washing machine is jealous, wants door unlocked too.
“Smart” Garage Door Company, dumb developers.
Maybe they could ask “greenluigi1” to hack their car’s infotainment system so the Nexx garage door opens via Bluetooth as soon as the car is close enough ?
Samsung Engineer has Product idea:
“Hey ChatGPT, how would I develop an internet-connected garage door opener app, just like Nexx’s, but without the security vulnerability?”
Firmware Stock, esphome and tasmota.
What they should do is release their firmware and put it on github as open source.
nxg-100 is a Sonoff Basic ESP8266 they flashed with their custom firmware and put their Simpaltek name on. Can be flashed with Tasmota or esphome and programmed to work the same way but without Nexx Cloud service.
nxg-200 is probably another clone but uses ESP32-D0WDQ6. Not sure if it can be flashed, didn’t find any info on esphome or tasmota about it. But the 4 pins and GPIO01 is there for flashing.
Not sure what the nxg-300 or their other devices have in them.
Nexx seems to be ignoring lots of support tickets
One of my tickets merely asked for info on what tiny connectors are needed to hook up a wired door sensor to my NXG-300, or if they could sell me another cable. I’ve seen no response for a week so far, and their ticket management system’s chat option at https://help.getnexx.com/portal/en/home seems to persistently say “We’re Offline / Leave a message” … which one can do if they wish to amplify their being neglected.
Sad. They evidently have nobody who knows how to communicate with the public in a timely and business-preserving manner. 🙁
Re:
The type of plug they use that goes into the nxg-300 is just a JST-ZH or JST-PH. But the wired door sensor is a normal Magnetic type that you would find on any home security system for windows.
I doubt they will get back to you. You are better off trying to find the sensor on amazon or ebay.