Garage Door Openers Open to Hijacking, Thanks to Unpatched Security Vulns

CISA is advising Nexx customers to unplug impacted devices until the security issues are addressed — but so far, it's crickets as to patch timeline.

Dark Reading Staff, Dark Reading

April 5, 2023


Garage door controllers, smart plugs, and smart alarms sold by Nexx contain cybersecurity vulnerabilities that could enable cyberattackers to crack open home garage doors, take over smart plugs, and gain remote control of smart alarms, according to the US Cybersecurity and Infrastructure Security Agency (CISA).

And although independent cybersecurity researcher Sam Sabetan reported that he discovered several vulnerabilities in late 2022 and alerted Nexx to the issues, the company has yet to respond.

Nexx has not replied to Dark Reading's request for comment, either.

CISA's April 4 warning applies to three specific Nexx Internet of Things (IoT) products: Nexx Garage Door Controller (NXG-100B, NXG-200), version nxg200v-p3-4-1 and prior; Nexx Smart Plug (NXPG-100W), version nxpg100cv4-0-0 and prior; and Nexx Smart Alarm (NXAL-100), version nxal100v-p1-9-1 and prior.

CISA has identified five vulnerabilities in the Nexx products, the most severe of which carries a critical CVSS score of 9.3.

  1. CVE-2023-1748: Use of Hard-Coded Credentials CWE-798 (CVSS 9.3)

  2. CVE-2023-1749: Authorization Bypass Through User-Controlled Key CWE-639 (CVSS 6.5)

  3. CVE-2023-1750: Authorization Bypass Through User-Controlled Key CWE-639 (CVSS 7.1)

  4. CVE-2023-1751: Improper Input Validation CWE-20 (CVSS 7.5)

  5. CVE-2023-1752: Improper Authentication CWE-287 (CVSS 8.1)

Until Nexx issues a fix, Sabetan and CISA recommend that users unplug affected devices. 

"If you are a Nexx customer, I strongly recommend disconnecting your devices and contacting Nexx to inquire about remediation steps," Sabetan said in his disclosure. "It is crucial for consumers to be aware of the potential risks associated with IoT devices and to demand higher security standards from manufacturers."
