[ad_1]
Nexx ignored critical vulnerabilities in its smart home products.
Just a few years ago, Nexx was among the most popular smart garage controller brands. But things have changed. Nexx doesn’t get much attention these days. And due to newly discovered vulnerabilities, remaining customers should pull the plug on their Nexx devices and consider a different brand.
Security researcher Sam Sabetan discovered “a number of critical vulnerabilities” affecting all of Nexx’s smart home products (garage door openers, smart plugs, everything). These vulnerabilities, which already have CVEs assigned, are the result of significant security oversight in Nexx’s MQTT implementation; each Nexx device uses the same password to connect to the Nexx cloud servers.
What’s worse, this password is freely available in the Nexx Application API (and has been published online). Anyone can use this password to gain remote control of a Nexx smart product. So if your garage door is controlled via Nexx, don’t be surprised if it starts opening and closing randomly.
If a hacker takes full advantage of the Nexx MQTT vulnerability, they can recover the personal information of all Nexx account holders. This personal data includes device IDs, names and email addresses. Therefore, it is very easy for hackers to target specific people.
“Nexx has not responded to any correspondence from me, DHS (CISA and US-CERT) or VICE Media Group. I have independently verified that Nexx has purposefully ignored all of our attempts to assist with remediation and has allowed these critical flaws to continue to affect their customers.” —Sam Sabetan
Nexx should have recognized this vulnerability on its own. But more importantly, you should have responded to the emails from Sabetan, Homeland Security, and VICE. The company intentionally avoided matching, and for this reason, all remaining Nexx customers should consider switching to a new brand. (For what it’s worth, Nexx’s social media presence has been virtually non-existent since 2020, and Sabetan found that the company only has around 20,000 active users. Nexx doesn’t appear to be in good health.)
Even if these issues are resolved, Review Geeks I cannot recommend a smart home company that intentionally neglects the privacy, security, and protection of its customers. We’ve gone through all of the previous Nexx coverage (of which there’s very little) to tackle today’s story.
Nexx has not posted a response to this story. We’ve reached out to the company for comment. You can read Sam Sabetan’s full security briefing on Medium.
Source: Sam Sabetan
[ad_2]
