PSA: A security researcher and US authorities discovered multiple severe vulnerabilities rendering Nexx smart security systems virtually toothless. Those using its devices should find another solution ASAP, since Nexx has been radio-silent for two years.
Researcher Sam Sabetan, cooperating with the US Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA), recently published several severe security risks involving Nexx smart home systems. The vulnerabilities allow attackers to quickly seize complete control over garage door openers, smart plugs, and alarm systems from anywhere on Earth.
Nexx offers devices that let users open garage doors, toggle home security systems, and switch smart power outlets on or off through a smartphone app. Earlier this year, Sabetan discovered that the devices’ connections to the company’s cloud use extremely weak security.
When a user registers the Nexx app with the company’s cloud, its servers send a password to the app and device, establishing the connection. Unfortunately, the password is identical for all users. Furthermore, it’s freely available in Nexx’s API and publicly available in each device’s firmware.
Equipped with the password, an attacker with access to Nexx’s servers can remotely open any garage door and switch off devices connected to smart plugs. They can also see users’ email addresses, device IDs, first names, and last initials, allowing hackers to target specific people.
While the home alarm doesn’t suffer from this specific vulnerability, it has two equally serious problems. Any registered Nexx user with an alarm’s MAC address can take over that alarm, and the MAC address isn’t tricky to discover. Nexx’s server doesn’t verify bearer tokens, potentially letting bad actors send signals to users’ alarms. All Nexx alarm MAC addresses begin with the same digits – 7C 9E BD F4 – making the remainder of the address easy to brute-force. Additionally, a hacker with the MAC address can hijack a registered alarm by reregistering it under a rogue account, removing access from the original user, and giving the attacker complete control over the security system.
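The alarm weaknesses described above come down to two missing server-side checks: the bearer token is never verified, and device ownership is decided by whoever presents a MAC address. The following is an added illustration (not Nexx's code) of what those checks look like on the server: an HMAC-signed, expiring token bound to an account, a registry that ties each MAC to exactly one owner, and a refusal to re-register an already claimed device. The server secret, the `devices` registry and the `7C:9E:BD:F4` addresses with constructed suffixes are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example. The secret lives only on the server; unlike the
# shared password in the article, it is never shipped in firmware or an API.
SERVER_SECRET = secrets.token_bytes(32)
devices = {}  # mac (lowercase) -> owning account id


def issue_token(account, ttl=3600):
    """Mint a bearer token bound to one account with an expiry time."""
    exp = int(time.time()) + ttl
    payload = f"{account}:{exp}"
    sig = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def verify_token(token):
    """Return the account the token was issued to, or None if it is invalid."""
    try:
        account, exp, sig = token.rsplit(":", 2)
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, f"{account}:{exp}".encode(), hashlib.sha256).hexdigest()
    # Constant-time compare; exp is trusted only once the signature checks out.
    if not hmac.compare_digest(sig, expected) or int(exp) < time.time():
        return None
    return account


def register_device(token, mac):
    """Claim a device for the caller; a device already owned by someone else stays theirs."""
    account = verify_token(token)
    if account is None:
        return "unauthorized"
    mac = mac.lower()
    if mac in devices and devices[mac] != account:
        return "already_claimed"  # blocks the re-registration hijack
    devices[mac] = account
    return "ok"


def send_command(token, mac, command):
    """Dispatch a command only when the token's account owns that MAC."""
    account = verify_token(token)
    if account is None:
        return "unauthorized"
    if devices.get(mac.lower()) != account:
        return "forbidden"  # knowing or brute-forcing the MAC is not enough
    return f"dispatched {command} to {mac.lower()}"
```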
Sabetan, the DHS, and CISA have tried contacting Nexx on multiple occasions since January with no success. The company’s mobile apps are still functional. Its social media accounts and website are still online but have logged no activity since 2021. More concerning is that Nexx’s official Twitter posted a tweet in April 2021 appearing to advertise a Web3 studio, suggesting someone else gained control of the account.
Despite signs indicating Nexx has dropped off the face of the Earth, the company’s online store still operates, and the garage door opener remains available on Amazon. Even if few new customers buy Nexx’s products, Sabetan estimates the vulnerabilities endanger 40,000 devices and 20,000 active accounts. He suggests users immediately stop using the devices and try to contact Nexx for refunds. CISA recommends disconnecting the devices from the internet, isolating them from business networks, or accessing them only through a VPN.
If Nexx is defunct, it represents another case of what happens to IoT devices when manufacturers and software developers abandon their products.