Cybersecurity researcher Sam Sabetan yesterday went public with insecurity revelations against IoT vendor Nexx, which sells a range of “smart” devices including door openers, home alarms and remotely switchable power plugs.
According to Sabetan, he reported the bugs to Nexx back in January 2023, but to no avail.
So he decided to sound the alarm openly, now it’s April 2023.
The warning was considered serious enough by the powers-that-be that even the resoundingly if repetitiously named US Cybersecurity and Infrastructure Security Agency, or CISA, published a formal advisory about the flaws.
Sabetan deliberately didn’t publish precise details of the bugs, or provide any proof-of-concept code that would allow just anyone to start hacking away on Nexx devices without already knowing what they were doing.
But from a brief, privacy-redacted video provided by Sabetan to prove his point, and the CVE-numbered bug details listed by CISA, it’s easy enough to figure out how the flaws probably came to get programmed into Nexx’s devices.
More precisely, perhaps, it’s easy to see what didn’t get programmed into Nexx’s system, thus leaving the door wide open for attackers.
No password required
Five CVE numbers have been assigned to the bugs (CVE-2023-1748 to CVE-2023-1752 inclusive), which cover a number of cybersecurity omissions, apparently including the following three interconnected security blunders:
- Hard-coded credentials. An access code that can be retrieved from the Nexx firmware allows an attacker to snoop on Nexx’s own cloud servers and to recover command-and-control messages between users and their devices. This includes the so-called device identifier – a unique string assigned to each device. The message data apparently also includes the user’s email address and the name and initial used to register the device, so there is a small but significant privacy issue here as well.
- Zero-factor authentication. Although device IDs aren’t meant to be advertised publicly in the same way as, say, email addresses or Twitter handles, they’re not meant to serve as authentication tokens or passwords. But attackers who know your device ID can use it to control that device, without providing any sort of password or additional cryptographic evidence that they’re authorised to access it.
- No protection against replay attacks. Once you know what a command-and-control message looks like for your own (or someone else’s) device, you can use the same data to repeat the request. If you can open my garage door, turn off my alarm, or cycle the power on my “smart” plugs today, then it seems you already have all the network data you need to do the same thing again again and again, a bit like those old and insecure infrared car fobs that you could record-and-replay at will.
Look, listen and learn
Sabetan used the hardwired access credentials from Nexx’s firmware to monitor the network traffic in Nexx’s cloud system while operating his own garage door:
Today I'm unveiling my research on @GetNexx 's smart ecosystem: I could open any customer's garage doors. Despite warnings, they ignored the issue. 1/4 https://t.co/9V5uuT3LLE
— Sam Sabetan (@samsabetan) April 4, 2023
That’s reasonable enough, even though the access credentials buried in the firmware weren’t officially published, given that his intention seems to have been to determine how well-secured (and how privacy-conscious) the data exchanges were between the app on his phone and Nexx, and between Nexx and his garage door.
That’s how he soon discovered that:
- The cloud “broker” service included data in its traffic that wasn’t necessary to the business of opening and closing the door, such as email addresses, surnames and initials.
- The request traffic could be directly replayed into the cloud service, and would repeat the same action as it did before, such as opening or closing the door.
- The network data revealed the traffic of other users who were interacting with their devices at the same time, suggesting that all devices always used the same access key for all their traffic, and thus that anyone could snoop on everyone.
Note that an attacker wouldn’t need to know where you live to abuse these insecurities, though if they could tie your email address to your physical address, they could arrange to be present at the moment they opened your garage door, or they could wait to turn your alarm off until they were right in your driveway, and thus use the opportunity to burgle your property.
Attackers could open your garage door without knowing or caring where you lived, and thus expose you to opportunistic thieves in your area… just “for the lulz”, as it were.
What to do?
- If you have a Nexx “smart” product, contact the company directly for advice on what it plans to do next, and by when.
- Operate your devices directly, not via the Nexx cloud-based app, until patches are available, assuming that’s possible for the devices you own. That way you will avoid exchanging sniffable command-and-control data with the Nexx cloud servers.
- If you’re a programmer, don’t take security shortcuts like this. Hardcoded passwords or access codes were unacceptable way back in 1993, and they’re way more unacceptable now it’s 2023. Learn how to use public key cryptography to authenticate each device uniquely, and learn how to use ephemeral (throw-away) session keys so that the data in each command-and-control interaction stands on its own in cryptographic terms.
- If you’re a vendor, don’t ignore bona fide attempts by researchers to tell you about problems. As far as we can see in this case, Sabetan lawfully probed the company’s code and determined its security readiness because he was a customer. On finding the flaws, he attempted to alert the vendor to help himself, to help the vendor, and to help everyone else.
No one likes to be confronted with accusations that their programming code wasn’t up to cybersecurity scratch, or that their back-end server code contained dangerous bugs…
…but when the evidence comes from someone who is telling you for your own good, and who is willing to give you some clear time to fix the problems before going public, why turn down the opportunity?
After all, the crooks spend the same sort of effort on finding bugs like this, and then tell no one except themselves or other crooks.
By ignoring legitimate researchers and customers who willingly try to warn you about problems, you’re just playing into the hands of cybercriminals who find bugs and don’t breathe a word about them.
As the old joke puts it, “The ‘S’ in IoT stands for security”, and that’s a regrettable and entirely avoidable situation that we urgently need to change.
Anonymous
They’re way more unacceptable in 2013? This is a 10 year old document?
Paul Ducklin
Hahaha. Technically there is nothing wrong with that as written: what made for rubbish security in 1993 was double-rubbish by 2013… but I did indeed mean 2023, where they are yet more unaccetpable still.
Ralph
I suddenly started questionning whether I had dreamed up my existence between 2013 and 2023 when I read the sentence
“Hardcoded passwords or access codes were unacceptable back in 1993, and they’re way more unacceptable in 2013.”
Paul Ducklin
It was a typo, though it was true before I fixed it (just Even More True in 2023!)
Pete
Wow, sounds as if the company found a time travel trick and jumped directly from pre-1993 to today.
Thanks for the 0-factor authentication 🤘🏻
Wilderness
I’d rather have my devices dumb and secure instead of ‘smart’ and insecure.
Paul Ducklin
Well, there’s smart meaning “clever or quick-witted”, and there’s smart meaning “feel a stinging pain”.
Wilderness
I’m referring to the third definition of smart: “woefully insecure”
Wilderness
Like so much else en vogue these days, it’s an inversion of reality.
Mitchell Buchanan
Just turn off the breaker to the garage door not the end of the world
John Knops
There are a lot of people who dont know what a breaker is or where it is and for those there will be new modern breakers connected via wifi or blutooth to your hand held device via “the cloud”. Anyone remember those IR switches that opened your garage door when you turned into your driveway or your dog walked across the magic beam? If you don’t remember them watch Jacques Tati’s 1958 “Mon Oncle” from a movie streaming service that broadcasts award winning films. Security is only as good as you make it without relying on other services.
Mahhn
Unplugged my garage door opener last year when electricity more than doubled one day (thanks JB) as well as the house AC and other things. Zero IOT devices on in my home, funny for a tech to say…
I’m starting to think life is better without electricity. Less stress that’s for sure.
Paul Ducklin
Compared to anything involving refrigeration or heating (when done electrically this generally needs a current-hungry resistor that simply heats up, or a powerful compressor), the energy consumed by opening and closing your garage door is almost certainly a statistical insignificance.
Unless the need to open the door manually acts as an incentive to drive less.
John Hawk
Not the end of the world, no. Oh what’s that, my garage doors opened in the night and burglars entered my house?
BartK
If you’re a bad-guy, you don’t really need to fuss about with software, remotes and dip-switches and all the techy guff
Un-wind a wire coat-hanger, and thread the hook-end of the hanger thru the top-middle or top-side of the roller door.
What you’re ‘feeling’ for is the emergency release – this will unlatch the door from the motor mechanism, and allow you to simply lift the door, to reveal the treasures within – which is why I always recommend a double-key dead-bolt from garage into the house.
PS: and lock your car whilst in the garage…
Paul Ducklin
Though this hack, unlike the coat hanger door release, can be done remotely…
Paul Dodd
Pretty stupid of the company to apparently just ignore the reports. Could cost them millions in damages and fines.