In April 2023, CISA (the Cybersecurity and Infrastructure Security Agency) listed Nexx’s smart device product line, including its smart garage door opener controller, as vulnerable to hackers, who can gain unauthorized access to sensitive information.
Nexx Smart Wi-Fi Garage Door Controller models NXG-100B and NXG-200 use hard-coded credentials. The credentials can be found in the device’s firmware (the embedded software that controls the device) and can also be retrieved with a simple request within the application. If an attacker gains access to the Nexx smart garage door mobile application or the firmware, they can view the credentials and access the MQ Telemetry Server, software that enables devices to communicate with each other through a messaging system and is commonly used in Internet of Things (IoT) applications.
Additionally, these vulnerabilities allow attackers to obtain sensitive information, such as names, emails and passwords, which enables them to execute application programming interface (API) requests or take over devices. In other words, attackers are able to remotely control garage doors or smart plugs that are powered by Nexx.
Despite CISA’s requests for Nexx to work with them to address these vulnerabilities, no response has been received.
What should users do?
To secure your garage door and minimize the risk of attackers taking over your garage door opener, CISA recommends the following defensive measures: reduce network exposure for the Nexx Smart Wi-Fi Garage Door Controller models NXG-100B and NXG-200, and ensure that they are not accessible from or connected to the internet. The smart door control network and remote devices should be placed behind firewalls and isolated from other networks. When remote access is necessary, secure methods like Virtual Private Networks (VPNs) should be used. It’s also crucial to recognize that VPNs may have vulnerabilities as well, so they should be kept up to date with the latest version available. Additionally, a VPN is only as secure as the devices connected to it.
For the average homeowner or garage door user who isn’t tech savvy, a simpler solution is to disable the Nexx smart device altogether and contact Nexx support for additional information about the matter. If you don’t know how to disable your Nexx garage door controller, consult a licensed garage door repair company.