Security Researcher Sam Sabetan Sounds the Alarm on Highly-Vulnerable Nexx Smart Home Systems

Garage door openers, alarms, and more can be found online and triggered remotely by any attacker — and the company stays silent.

Security researcher Sam Sabetan has warned of serious security vulnerabilities in smart garage door control and security systems from Nexx which, if left unpatched, can allow attackers to open doors remotely — and claims that the company has not only failed to address the issue but won't even communicate on the subject.

"In late 2022, while conducting independent security research, I discovered a series of critical vulnerabilities in Nexx's smart device product line, which encompasses Smart Garage Door Openers, Alarms, and Plugs," Sabetan explains. "These vulnerabilities enabled remote attackers to open and close garage doors, take control of alarms, and switch smart plugs on and off for any customer. I collaborated closely with the United States Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) to responsibly disclose the research results."

Nexx smart home accessories have serious security issues, a researcher has found — but the company is staying silent on the matter. (📷: Nexx)

"Responsible disclosure" is typically a multi-stage process in which the company behind a given product or service is notified of a vulnerability then given a period of time to resolve the issue. Any public reporting of the vulnerability waits until the vendor has had a chance to confirm the issue, develop a patch, and deploy it — providing that happens within a reasonable timescale.

Sabetan has gone public with the vulnerabilities without a patch being available, however — and says it's because Nexx has refused to communicate with him, the Department of Homeland Security, or media outlets on the topic, providing nothing but silence — and leaving its customers wide open to attack.

How serious are the flaws? Sabetan claims that the vulnerabilities allow anyone, anywhere in the world, to remotely open Nexx-controlled garage doors — searching for targets using email addresses, first name and last initial, or the hardware device ID. Among the issues found in the company's products were the use of hard-coded credentials in its smartphone app, authorization bypass vulnerabilities, improper input validation, and improper authentication validation — all of which have been confirmed by the US Cybersecurity and Infrastructure Security Agency (CISA) as part of its own alert on the matter.

The company has failed to communicate with customers, researchers, authorities, or the media, but has delisted most of its products from its site. (📷: Nexx)

"Device owners should immediately unplug all Nexx devices," Sabetan advises, "and create support tickets with the company requesting them to remediate the issue." CISA, meanwhile, goes a step further and advises that control system devices should not be accessible from the internet, should be isolated from business networks, and should be accessed remotely only via a Virtual Private Network (VPN) or similar secure channel.

Nexx has been contacted for comment on the report, but had not responded by the time of publication. The company's website shows no new posts since 2019, while its communications page currently claims that "Nexx Garage, Nexx Gate, and Nexx Plug devices are showing OFFLINE status due to the server being down" — with no reason given for the outage. The majority of its products, meanwhile, have been removed from its website — leaving only mounting brackets, sensors, and other accessories listed for sale.

More information is available in Sabetan's write-up and the CISA security alert.

ghalfacree

Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.
