The convenience of using smart devices seems to be matched only by their ability to expose users and their data to hackers. The latest example of that is the Nexx garage door opener, which a cybersecurity researcher now claims is vulnerable to being hijacked.
Independent researcher Sam Sabetan was the first to publish a write-up about the security flaws, and how they could be exploited by hackers, reports Motherboard. He described five vulnerabilities that could give people with nefarious intents access to your garage and your data.
The security issues were given severity scores ranging from medium to critical. The most significant is that universal credentials hard-coded in the firmware can easily be obtained from a user’s communications with Nexx’s application programming interface (API). Because every unit shares the same credentials, this could allow a hacker to collect email addresses, device IDs, and first names from the system.
In a video, Sabetan demonstrates the flaw. Using the official Nexx app, he opens his own garage door and then logs into a tool to see recent messages sent by the device. By capturing that data, he received information about his own system, as well as messages from 558 other users’ devices that do not belong to him.
Sabetan claims that, by exploiting these security flaws, he could theoretically open any Nexx user’s garage door. Naturally, that would expose many users’ belongings, and potentially their homes, to thieves. But the vulnerabilities extend even beyond that.
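The design flaw behind the report above (a single credential shared by every unit, used as the only check before handing back a message feed) is easier to see in a small model. The following is an added, constructed illustration, not Nexx’s code or the researcher’s tooling; the device IDs, emails and secrets are placeholders. It contrasts the shared-credential check with a per-device credential whose feed is scoped to the device the caller proved it controls.

```python
from dataclasses import dataclass
import hmac
import secrets


@dataclass(frozen=True)
class Message:
    device_id: str
    owner_email: str
    owner_first_name: str
    body: str


# Constructed sample feed: one message from "our" unit (dev-0) plus 558 from
# other customers' units, mirroring the 559 messages seen in the demo.
FEED = [Message(f"dev-{i}", f"user{i}@example.invalid", f"User{i}", "door opened")
        for i in range(559)]

# Weak design: one universal credential baked into every unit's firmware.
UNIVERSAL_CREDENTIAL = "placeholder-secret-shared-by-every-unit"


def fetch_messages_shared_credential(credential: str) -> list[Message]:
    """Vulnerable model: possession of the shared secret is the only check, so
    any unit presenting it receives every customer's messages and identities."""
    if not hmac.compare_digest(credential, UNIVERSAL_CREDENTIAL):
        raise PermissionError("bad credential")
    return list(FEED)


# Hardened design: a unique secret per device, and the feed is scoped to the
# device whose secret the caller presented (authentication and authorization).
DEVICE_SECRETS = {m.device_id: secrets.token_hex(16) for m in FEED}


def fetch_messages_per_device(device_id: str, credential: str) -> list[Message]:
    expected = DEVICE_SECRETS.get(device_id)
    if expected is None or not hmac.compare_digest(credential, expected):
        raise PermissionError("bad credential")
    return [m for m in FEED if m.device_id == device_id]


def can_read(device_id: str, credential: str) -> bool:
    """True if the per-device check grants access to device_id's feed."""
    try:
        fetch_messages_per_device(device_id, credential)
        return True
    except PermissionError:
        return False


def exposed_identities(messages: list[Message]) -> set[str]:
    """Distinct customer emails visible in a returned feed."""
    return {m.owner_email for m in messages}
```

With the shared credential, one unit's legitimate secret exposes all 559 customers' emails and device IDs; with per-device secrets, the same query returns only the caller's own device.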
“That’s the craziest bug,” Sabetan told Motherboard, referring to the garage door. “But the disabling alarm and turning on [and] off smart plugs is pretty neat too.”
Since Sabetan published his research, the security flaw has also been noted by the federal Cybersecurity & Infrastructure Security Agency (CISA). Both Sabetan and CISA say they reached out to Nexx to warn the company about the issue, but neither has received any response.
As a result, customers are encouraged to adopt their own mitigations. These include disconnecting their Nexx devices from the WiFi network, isolating control systems from business networks, and using a VPN when the device must be used.