Andrew Heinzman
Nexx ignored critical vulnerabilities in its smart home products.
Just a few years ago, Nexx was among the most popular smart garage controller brands. But things have changed. Nexx doesn’t receive a ton of attention these days. And due to newly-discovered vulnerabilities, remaining customers should unplug their Nexx devices and consider a different brand.
Security researcher Sam Sabetan uncovered “a series of critical vulnerabilities” that affects all Nexx smart home products (garage door openers, smart plugs—everything). These vulnerabilities, which are already assigned CVEs, are the result of a major security oversight in Nexx’s MQTT implementation; every Nexx device uses the same password to connect with Nexx’s cloud servers.
What’s worse, this password is freely available in the Nexx app API (and it’s been published online). Anyone can use this password to gain remote control over a Nexx smart product. So, if your garage door is controlled through Nexx, don’t be surprised if it starts to randomly open and close.
If a hacker takes Nexx’s MQTT vulnerability to the fullest extent, they can retrieve the personal information of all Nexx account holders. This personal data include device IDs, first names, and email addresses. So, it’s very easy for hackers to target specific individuals.
“Nexx has not replied to any correspondence from myself, DHS (CISA and US-CERT) or VICE Media Group. I have independently verified Nexx has purposefully ignored all our attempts to assist with remediation and has let these critical flaws continue to affect their customers.” – Sam Sabetan
Nexx should have recognized this vulnerability on its own. But more importantly, it should have responded to emails from Sabetan, Homeland Security, and VICE. The company intentionally avoided correspondence, and for this reason, all remaining Nexx customers should consider switching to a new brand. (For what it’s worth, Nexx’s social media presence has been practically non-existent since 2020, and Sabetan found that the company only has about 20,000 active users. Nexx doesn’t appear to be in great health.)
Even if these problems are resolved, Review Geek cannot recommend a smart home company that intentionally neglects the privacy, security, and safety of its customers. We have revised all previous coverage of Nexx (of which there is very little) to address today’s story.
Nexx has not published a response to this story. We’ve reached out to the company for a comment. You can read Sam Sabetan’s full security report on Medium.
Source: Sam Sabetan