Recently, a security researcher discovered that Nexx "smart" garage door openers are vulnerable to abuse at the API layer. Here's a summary of what was found, along with a few key citations.
- Five total flaws have been disclosed around these devices.
- The flaws range from a shared admin username and password, which is hard-coded, discoverable, and cannot be changed.
- API requests can be received from any device ID, not only actual smart devices from the manufacturer.
- These credentials allow for execution of API calls, including retrieving account history.
CISA warns owners of Nexx products that attackers could access sensitive information, execute API requests, or hijack their devices.
Unfortunately, the manufacturer has not responded to multiple disclosure attempts, or proposed collaboration from security organizations to help with remediation. The best recommendations at this point are to either disable the devices, remove their Internet connectivity (rendering them less "smart" by definition), or only connecting via VPN.