Gandalf_The_Grey
Thread author
Multiple vulnerabilities discovered in Nexx smart devices can be exploited to control garage doors, disable home alarms, or smart plugs.
There are five security issues disclosed publicly, with severity scores ranging from medium to critical, that the vendor has yet to acknowledge and fix.
The most significant discovery is the use of universal credentials that are hardcoded in the firmware and also easy to obtain from the client communication with Nexx's API.
The vulnerability can also be exploited to identify Nexx users, allowing an attacker to collect email addresses, device IDs, and first names.
A video showing the impact of the security flaw, tracked as CVE-2023-1748, is available below. It could be used to open any Nexx-controlled garage door.
On January 4, independent security researcher Sam Sabetan published a writeup about the flaws, explaining how an attacker could leverage them in real life.
It is estimated that there are at least 40,000 Nexx devices associated with 20,000 accounts. Due to the severity of the security problem, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also published a relevant alert.
CISA warns owners of Nexx products that attackers could access sensitive information, execute API requests, or hijack their devices.
Hackers can open Nexx garage doors remotely, and there's no fix
www.bleepingcomputer.com