The Uninvited Guest: IDORs, Garage Doors, and Stolen Secrets

Sam Sabetan
9 min read · Apr 4, 2023
Photo from Nexx’s website

Introduction

In late 2022, while conducting independent security research, I discovered a series of critical vulnerabilities in Nexx’s smart device product line, which encompasses Smart Garage Door Openers, Alarms, and Plugs. These vulnerabilities enabled remote attackers to open and close garage doors, take control of alarms, and switch smart plugs on and off for any customer.

I collaborated closely with The United States Department of Homeland Security Cybersecurity and Infrastructure Security Agency (“CISA”) to responsibly disclose the research results. CISA assigned the following five CVEs:

  1. Use of Hard-coded Credentials CWE-798 (CVE-2023-1748, CVSS3.0: 9.3)
  2. Authorization Bypass Through User-Controlled Key CWE-639 (CVE-2023-1749, CVSS3.0: 6.5)
  3. Authorization Bypass Through User-Controlled Key CWE-639 (CVE-2023-1750, CVSS3.0: 7.1)
  4. Improper Input Validation CWE-20 (CVE-2023-1751, CVSS3.0: 7.5)
  5. Improper Authentication Validation CWE-287 (CVE-2023-1752, CVSS3.0: 8.1)

More details can be found in CISA’s advisory ICSA-23-094-01.

Nexx has not replied to any correspondence from me, DHS (CISA and US-CERT), or VICE Media Group. I have independently verified that Nexx has purposefully ignored all our attempts to assist with remediation and has let these critical flaws continue to affect its customers.

Disclosure Timeline

04 Jan 2023 — Initial contact on Nexx’s Support Website (ticket closed)
06 Jan 2023 — Follow-up on initial contact (ticket closed)
09 Jan 2023 — Reached out directly to Nexx’s founder via personal Gmail identified in FCC filings
17 Jan 2023 — Follow-up on Nexx’s Support Website
20 Jan 2023 — Opened case with CISA to coordinate efforts in reaching out to Nexx
21 Feb 2023 — Follow-up on Nexx’s Support Website, reminding them of disclosure dates
22 Feb 2023 — CISA informed me they were unable to establish contact and began escalation with their federal team
16 Mar 2023 — CISA’s federal team was unable to establish contact with Nexx; CISA recommended public advisory
22–24 Mar 2023 — VICE attempted to contact Nexx via support and social media and received no response
30 Mar 2023 — CISA confirms public advisory
04 Apr 2023 — Public release

FAQ
What is the issue at a high level?

Anyone can open garage doors belonging to others from anywhere in the world. Smart Garage Controllers can be searched for and opened based on an email address, deviceId, or first name and last initial.

Which devices are affected, and how many are impacted?

The vulnerabilities discussed in this post primarily involve the Smart Garage Door Controller and Smart Plugs, but the Smart Alarm is also susceptible to a similar class of vulnerabilities. As a result, all Nexx devices are affected by the vulnerabilities described here. It is estimated that over 40,000 devices, located in both residential and commercial properties, are impacted. Furthermore, I determined that more than 20,000 individuals have active Nexx accounts.

How is this issue being addressed?

Nexx has consistently ignored communication attempts from myself, the Department of Homeland Security, and the media. Device owners should immediately unplug all Nexx devices and create support tickets with the company requesting them to remediate the issue.

CVE-2023-1748 — Leaked Secrets and MQTT Exploitation

The Nexx Home mobile app, compatible with both Android and iOS, helps users set up their new devices. Connecting a new device to your Nexx account involves a five-step process:

  1. The user uses the Nexx Home mobile app to register their new Nexx device with the Nexx Cloud.
  2. Behind the scenes, the Nexx Cloud returns a password for the device to use for secure communications with the Nexx Cloud.
  3. The password is transmitted to the user’s phone and sent to the Nexx device using Bluetooth or WiFi.
  4. The Nexx device establishes an independent connection with the Nexx Cloud using the provided password.
  5. The user can now operate their garage door remotely using the Nexx Mobile App.

This process is illustrated below:

Figure 1: Nexx Cloud registration workflow

The request to the cloud to retrieve credentials is simply an API call within the mobile application, which returns the password for the MQTT user sptmqttadmin, shown in Figure 2.

Figure 2: Leaked credentials in Nexx API response

MQTT (Message Queuing Telemetry Transport) is a lightweight messaging protocol designed for resource-constrained devices and low-bandwidth, high-latency, or unstable networks. In the context of IoT garage door openers, MQTT can be employed to facilitate efficient and reliable communication between the device, user, and any relevant cloud services. By leveraging its publish-subscribe model, the garage door opener can send messages such as status updates, alerts, or notifications to a central broker, which then distributes the information to subscribed clients, including mobile apps or other connected devices.

In MQTT-based IoT devices, it is crucial to employ unique passwords for each device to ensure a secure communication environment. However, in the case of Nexx, a universal password was used for all devices, compromising the overall security of their system.

Using a universal password for all devices presents a significant vulnerability, as unauthorized users can access the entire ecosystem by obtaining the shared password. In doing so, they could compromise not only the privacy but also the safety of Nexx’s customers by controlling their garage doors without their consent. In addition to being widely available in Nexx’s API, the hardcoded password is also publicly available in the firmware shipped with the device.

To verify this, I used the recovered credentials to access Nexx’s MQTT server. Upon gaining access, I discovered that all MQTT messages were being broadcast to every connected client, including those intended for other customers and devices, as shown in Figure 3.

Figure 3: Sensitive MQTT data publicly available with leaked credentials

User emails, device IDs, and first names with last initials are broadcast in the “garageDoorOpener” message. This meant that it was possible to identify customers based on the unique information shared in these messages. The real danger, however, lies in the fact that by replaying a “garageDoorOpener” message, an unauthorized user could send a command to a customer’s garage door — either opening or closing it.

Moreover, this security vulnerability extends beyond the garage door openers to Nexx’s Smart Plug ecosystem. By replaying messages on the same MQTT server, unauthorized users could turn on and off Smart Plugs connected to various household appliances, such as Christmas trees or even security cameras.
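As an added example (not Nexx’s code), the broker-side authorization model that a single shared account defeats: one account with access to every topic versus per-device credentials confined to their own subtree. The rule syntax follows Mosquitto’s ACL file (`%u` expands to the username); apart from `sptmqttadmin`, all usernames, topics and device ids are constructed for illustration.

```python
# Added example, not Nexx's code: broker-side topic authorization for an
# MQTT device fleet.  It contrasts one shared account allowed to read every
# topic (the situation described above) with per-device credentials that
# are confined to their own topic subtree.  The rule syntax follows
# Mosquitto's ACL file ("%u" expands to the username); usernames, topics
# and device ids other than sptmqttadmin are constructed for illustration.

def topic_matches(filter_: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' matches one level, '#' the rest."""
    f_parts, t_parts = filter_.split("/"), topic.split("/")
    for i, f in enumerate(f_parts):
        if f == "#":
            return True
        if i >= len(t_parts) or (f != "+" and f != t_parts[i]):
            return False
    return len(f_parts) == len(t_parts)

def authorized(rules, username: str, action: str, topic: str) -> bool:
    """True if `username` may perform `action` ('read' or 'write') on `topic`.
    Each rule is (access, pattern); access is 'read', 'write' or 'readwrite'."""
    for access, pattern in rules:
        if access not in (action, "readwrite"):
            continue
        if topic_matches(pattern.replace("%u", username), topic):
            return True
    return False  # default deny

# Weak model: every device and app logs in as one user with access to '#',
# so each client receives every other customer's messages.
SHARED_RULES = [("readwrite", "#")]

# Hardened model: credentials are issued per device and the broker only
# lets a client touch devices/<its own username>/..., plus a read-only
# firmware announcement topic.
PER_DEVICE_RULES = [
    ("readwrite", "devices/%u/#"),
    ("read", "broadcast/firmware"),
]

def shared_model(action: str, topic: str) -> bool:
    return authorized(SHARED_RULES, "sptmqttadmin", action, topic)

def per_device_model(username: str, action: str, topic: str) -> bool:
    return authorized(PER_DEVICE_RULES, username, action, topic)
```

Under the per-device rules a credential extracted from one unit only reaches that unit’s topics, so a leaked password no longer exposes the whole customer base.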

A proof of concept video for CVE-2023-1748 is available below.

CVE-2023-1749 — The IDOR Open-Door Experiment

Upon discovering a method for unauthorized access to Nexx devices, I investigated other potential vulnerabilities. While examining the mobile application, I noticed the timer and scheduling features that allow customers to set their garage doors and smart plugs to operate at specific times each day or after a predetermined time threshold.

Though convenient for users, the timer and scheduling functionality in the Nexx mobile application is susceptible to Insecure Direct Object Reference (“IDOR”) attacks. IDOR vulnerabilities arise when an application exposes a reference to an internal object, such as a file or database key, without adequate authorization checks. In Nexx’s timer and scheduling features, the deviceId is sent to the API, which does not verify whether that device is associated with the caller’s account. A deviceId is a unique identifier generated for the device when it is registered with Nexx’s Cloud; it is different from the device’s serial number.

By altering the deviceId parameter when setting up a schedule or timer for a garage door, it is possible to manipulate another device’s schedule or timer functionality. A sample with a modified deviceId is shown in the request in Figure 4.

Figure 4: Scheduling Garage Door open everyday at 8:00 AM for another test account

When the schedule or timer fires, the device with the target deviceId is activated; this applies to Garage Doors, Plugs, and Alarms alike.

CVE-2023-1751 — Smart Alarm Impersonation

Nexx offers Smart Alarm Controllers in addition to Smart Garage Controllers and Plugs. These controllers connect to home alarm systems like ADT-branded systems, allowing users to enable and disable them remotely. Instead of using MQTT for its backend, Nexx utilizes a custom WebSocket server to manage messages between the cloud and the devices.

However, the WebSocket server’s configuration fails to verify that the bearer token in the Authorization header corresponds to the alarm trying to connect to Nexx’s Cloud. Consequently, any authorized user can access information and signals intended for other alarms. These signals include the Smart Alarm’s deviceId, which can be combined with the IDORs outlined in CVE-2023-1749. Although unconfirmed, it appears that all Smart Alarms use the MAC address prefix 7C 9E BD F4 XX XX, registered to Espressif Inc for ESP32 development devices. This MAC address also serves as the Smart Alarm serial number.

When the Smart Alarm goes online, the MAC address is sent to the WebSocket server and used for message exchange with the cloud (e.g., arming or disarming the alarm). By connecting to the WebSocket server and providing an arbitrary MAC address for any Smart Alarm, an attacker can intercept and send information meant for another alarm. Figure 5 shows a sample WebSocket association message that can be easily altered in transit for other devices’ MAC addresses.

Figure 5: A Smart Alarm’s sample request when connecting to Nexx’s WebSocket server

As a result, any Nexx user with a valid authorization token can establish a WebSocket connection within the affected scope as any device, obtain a deviceId, and control any alarm.

CVE-2023-1752 — Smart Alarm Hijacking

CVE-2023-1752 enables users to register a previously registered alarm or associated device using only the device’s MAC address. By simply having the alarm’s MAC address, an attacker can register an already registered device and effectively take control of it. As a result, the device is removed from the original owner’s account, allowing the attacker to gain full access and arm or disarm the alarm.

To carry out the attack, an attacker only needs a valid Nexx account and the device’s MAC address (which can be brute-forced). The Nexx Cloud fails to adequately verify if a device is already connected to another account, meaning that an attacker with the known MAC address can hijack an alarm.

This vulnerability was confirmed by sending a request to an API endpoint containing a MAC address already linked to another account, as demonstrated in Figure 6.

Figure 6: Hijacking account with vendorDeviceId (MAC address)

The server returned a valid status response, causing the device to be unlinked from the primary account and transferred to the attacker’s account. An attacker can then arm or disarm the alarm for a brief period.
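The three server-side checks whose absence is described under CVE-2023-1749, CVE-2023-1751 and CVE-2023-1752 all reduce to binding the device identifier in a request to the authenticated account. As an added example (not Nexx’s code), an in-memory registry with those checks in place; account names, deviceIds and MAC addresses are constructed.

```python
# Added example, not Nexx's code: an in-memory device registry whose
# handlers tie every device identifier in a request to the authenticated
# account.  Account names, deviceIds and MAC addresses are constructed.
from dataclasses import dataclass, field

class Forbidden(Exception):
    """The caller referenced a device it does not own."""

class Conflict(Exception):
    """The device is already registered to a different account."""

@dataclass
class Registry:
    owner_of: dict = field(default_factory=dict)   # deviceId -> account
    mac_to_id: dict = field(default_factory=dict)  # MAC (vendorDeviceId) -> deviceId
    schedules: dict = field(default_factory=dict)  # deviceId -> "HH:MM"
    next_id: int = 1

    def register(self, account: str, mac: str) -> str:
        """Registration by MAC (CVE-2023-1752 class): a MAC linked to another
        account is refused instead of being moved to the caller."""
        mac = mac.lower()
        existing = self.mac_to_id.get(mac)
        if existing is not None:
            if self.owner_of[existing] != account:
                raise Conflict("device already linked to another account")
            return existing  # re-registration by the owner is idempotent
        device_id = f"dev-{self.next_id}"
        self.next_id += 1
        self.owner_of[device_id] = account
        self.mac_to_id[mac] = device_id
        return device_id

    def _require_owner(self, account: str, device_id: str) -> None:
        # Unknown and foreign deviceIds get the same answer, so the check
        # does not reveal which ids exist.
        if self.owner_of.get(device_id) != account:
            raise Forbidden("deviceId not associated with this account")

    def set_schedule(self, account: str, device_id: str, open_at: str) -> None:
        """Scheduling (CVE-2023-1749 class): honour the deviceId from the
        request body only if the authenticated account owns it."""
        self._require_owner(account, device_id)
        self.schedules[device_id] = open_at

    def ws_associate(self, account: str, mac: str) -> str:
        """WebSocket association (CVE-2023-1751 class): the MAC in the message
        must belong to the token's account; returns that device's deviceId."""
        device_id = self.mac_to_id.get(mac.lower(), "")
        self._require_owner(account, device_id)
        return device_id
```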

Key Takeaways and Remediation

The vulnerabilities discovered in Nexx devices pose a serious threat to user safety, security and privacy. These issues highlight the importance of robust security measures in IoT devices, particularly when they control access to users’ homes and personal belongings. The identified vulnerabilities could potentially allow unauthorized access to sensitive information, as well as manipulation and control of devices.

Despite multiple attempts to contact Nexx regarding the identified vulnerabilities, there has been no response, jeopardizing their customers’ safety. Efforts to reach Nexx include support tickets from various accounts, a public phone number found through OSINT, personal email addresses from FCC filings, social media posts on Twitter and Facebook, as well as government and media involvement.

While I aimed to adhere to a responsible disclosure process, Nexx chose not to cooperate with me, the media, or the government, leaving these critical vulnerabilities unaddressed. If you are a Nexx customer, I strongly recommend disconnecting your devices and contacting Nexx to inquire about remediation steps.

It is crucial for consumers to be aware of the potential risks associated with IoT devices and to demand higher security standards from manufacturers. Companies like Nexx should prioritize security measures and be more responsive to vulnerability disclosures. By addressing these issues proactively, both researchers and manufacturers can work together to create a safer and more secure IoT ecosystem.

For more information or questions, feel free to reach out (@samsabetan & samsabetan@infosec.exchange)
