Garage door controllers, smart plugs, and smart alarms sold by Nexx contain cybersecurity vulnerabilities that could enable cyberattackers to crack open home garage doors, take over smart plugs, and gain remote control of smart alarms, according to the US Cybersecurity and Infrastructure Security Agency (CISA).
And although independent cybersecurity researcher Sam Sabetan reported that he discovered several vulnerabilities in late 2022 and alerted Nexx to the issues, the company has yet to respond.
Nexx has not replied to Dark Reading's request for comment, either.
CISA's April 4 warning applies to three specific Nexx Internet of Things (IoT) products: Nexx Garage Door Controller (NXG-100B, NXG-200), version nxg200v-p3-4-1 and prior; Nexx Smart Plug (NXPG-100W), version nxpg100cv4-0-0 and prior; and Nexx Smart Alarm (NXAL-100), version nxal100v-p1-9-1 and prior.
The Nexx products have five identified vulnerabilities, according to CISA, the most severe of which carries a critical CVSS score of 9.3:
- CVE-2023-1748: Use of Hard-Coded Credentials CWE-798 (CVSS 9.3)
- CVE-2023-1749: Authorization Bypass Through User-Controlled Key CWE-639 (CVSS 6.5)
- CVE-2023-1750: Authorization Bypass Through User-Controlled Key CWE-639 (CVSS 7.1)
- CVE-2023-1751: Improper Input Validation CWE-20 (CVSS 7.5)
- CVE-2023-1752: Improper Authentication CWE-287 (CVSS 8.1)
Until Nexx issues a fix, Sabetan and CISA recommend that users unplug affected devices.
"If you are a Nexx customer, I strongly recommend disconnecting your devices and contacting Nexx to inquire about remediation steps," Sabetan said in his disclosure. "It is crucial for consumers to be aware of the potential risks associated with IoT devices and to demand higher security standards from manufacturers."