Newly published security research suggests that a certain brand of smart home devices has software vulnerabilities that could allow a savvy hacker to hijack them completely.
The company in question, Nexx, sells a variety of IoT products, including internet-connected garage doors, alarms, and wall plugs. All of these products are designed to be paired with Nexx’s app, which allows users to remotely monitor their homes, activate or deactivate certain features, and generally control their home environment from afar. That might sound all well and good but, unfortunately, recently discovered software flaws in Nexx’s suite of devices seem to spell big trouble for anyone using them.
Sam Sabetan, the security researcher who stumbled upon Nexx’s little problem, says that the bugs could allow a bad actor to utterly hijack each and every one of the company’s products. Sounds pretty dramatic, right? According to Sabetan’s recently published research, proper exploitation of the vulnerabilities could allow a person to access the personal information of all Nexx account holders — including email addresses, first names, last initials and device IDs. Even more shockingly, the access provided could allow a savvy cyber stooge to manipulate any Nexx-connected devices. That means the ability to open and close garage doors at will, turn alarms on and off, and deactivate wall plugs.
Worst of all, Sabetan claims to have contacted Nexx multiple times about the bugs but says that the company doesn’t want to acknowledge the problem.
Nexx’s Password Problem
All of Nexx’s problems appear to boil down to one problematic password that Sabetan came across while investigating Nexx’s data protections. Sabetan says he initially used Burp Suite, a security testing tool, to intercept traffic flowing to and from his own Nexx device. Sifting through that traffic, Sabetan came upon something that seemed…not great: an unprotected password that was freely available in the app’s API. As it would turn out, it was a pretty important one.
To understand the significance of this password, you have to take a look at how IoT devices typically communicate with their users. In this case, Nexx’s smart devices are powered by a network protocol called MQTT, short for Message Queuing Telemetry Transport. MQTT, which is frequently used in IoT products, can transmit messages to and from a user, their device, and the relevant company’s cloud infrastructure. In Nexx’s case, the protocol was responsible for carrying messages between all three (that is, the user, the device, and the cloud), including commands like telling a garage door to open or an alarm to sound.
Here’s the important part: a server, typically known as an MQTT “broker,” is responsible for routing the data between parties. Crucially, a password is necessary to protect that broker. Ideally, says Sabetan, there should be a different password for each device that connects to the broker. Unfortunately, in Nexx’s case, the company doesn’t appear to have done that, simply using one password for every single device that connected to its cloud environment — the same password that was floating around in the Nexx API and that had been initially sent to Sabetan.
Sabetan says the reason that the pivotal password is shared with the user in the first place is to help establish a secure connection between the Nexx device and the Nexx cloud when the device is being set up for the first time. The password is initially sent from the company’s cloud environment to the user’s phone and then on to the related Nexx smart device via Wi-Fi or Bluetooth, which allows the connection to be established and lets the user engage with the device through the Nexx app.
In other words, according to Sabetan, what Nexx has done is equivalent to an apartment manager handing out the same key to every tenant in their building; that key gets you into the building, but it also gets you into all your neighbours’ units — and your neighbours can get into your unit. Such a key would be pretty easy to steal, too, I’d imagine.
“In MQTT-based IoT devices, it is crucial to employ unique passwords for each device to ensure a secure communication environment. However, in the case of Nexx, a universal password was used for all devices, compromising the overall security of their system,” Sabetan writes in his blog.
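To make the per-device-credential point concrete, here is an added example that is not Nexx’s configuration or Sabetan’s code: a Mosquitto broker configuration and two alternative ACL files, the first mirroring the shared-credential layout the article describes and the second restricting each device to its own topics. The usernames, topic names and file paths are assumptions.

```conf
# mosquitto.conf (assumed paths): require authentication and enforce an ACL file
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl

# ---- /etc/mosquitto/acl, WEAK layout (one credential for every device) ----
# Every device and every phone logs in as the same user. Whoever obtains that
# single password can read and publish on every device's topics, which is the
# cross-customer access the article describes.
user shared-device
topic readwrite devices/#

# ---- /etc/mosquitto/acl, HARDENED layout (one credential per device) ----
# Each device gets its own entry in the password file, e.g.
#   mosquitto_passwd -b /etc/mosquitto/passwd <device-id> <random-secret>
# and logs in with that username. Mosquitto substitutes %u with the
# authenticated username, so a device can only touch devices/<its-own-id>/...
pattern readwrite devices/%u/#

# The cloud backend is the only principal allowed across all device topics.
user cloud-backend
topic readwrite devices/#
```

With the hardened ACL, a device that holds only its own credential is denied when it tries to subscribe or publish under another device’s id, so a leaked per-device secret exposes one device rather than the whole fleet.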
Pivotally, access to the MQTT server not only allowed Sabetan to view device traffic linked to other Nexx account users, but also would have allowed him to send signals to their devices if he wanted to (he didn’t do this, opting instead to test the exploit on several Nexx devices that he had purchased himself). In other words, it gave him the power to do things like open and close garage doors, turn alarms on and off, and deactivate wall plugs. To demonstrate how this works, Sabetan made a video of himself remotely manipulating his own garage door, which breaks down exactly how to do it:
Nexx Fails to Respond
In his write-up, Sabetan further breaks down the implications of the company’s decision to use a “universal password” for all of their IoT products — calling it a clear compromise of users’ “safety”:
Using a universal password for all devices presents a significant vulnerability, as unauthorised users can access the entire ecosystem by obtaining the shared password. In doing so, they could compromise not only the privacy but also the safety of Nexx’s customers by controlling their garage doors without their consent. In addition to being widely available in Nexx’s API, the hardcoded password is also publicly available in the firmware shipped with the device.
Sabetan says he reached out to Nexx multiple times in an attempt to report the grievous security issues — even sending an email to the company’s CEO — but received no reply. Sabetan also contacted the Cybersecurity and Infrastructure Security Agency (or CISA), a sub-agency of the Department of Homeland Security that focuses on vulnerability disclosures, to assist with contacting the company — to no avail. In short: it doesn’t look like the company is interested in publicly acknowledging the problem.
“Nexx has consistently ignored communication attempts from myself, the Department of Homeland Security, and the media,” Sabetan writes in his blog post on the security flaws. “Device owners should immediately unplug all Nexx devices and create support tickets with the company requesting them to remediate the issue.” Gizmodo also reached out to Nexx for comment and will update our story if the company responds.