The Cybersecurity and Infrastructure Security Agency (CISA) issued an ICS advisory about several Nexx Smart Home Device vulnerabilities.
According to the report, hackers can exploit Nexx vulnerabilities to gain unauthorized access, gain credentials of smart devices, and remotely control impacted devices.
Nexx offers protective home automation services, including garage door controllers, smart plugs, and smart alarms.
Nexx smart home device vulnerability
The Nexx smart home device vulnerabilities impact the Nexx garage door controller, NXG-100B, and NXG-200 of versions nxg200v-p3-4-1 and prior. Hackers can also access Nexx Smart Plug, NXPG-100W of versions nxpg100cv4-0-0 and prior.
Nexx smart home device vulnerability was also found in Nexx smart alarm, NXAL-100 of versions nxal100v-p1-9-1and prior. Users opting for smart home control solutions may instead face hacking if the forthcoming patches are not installed.
Nexx smart home device vulnerabilities explained
ICS advisory highlighted the following Nexx smart home device vulnerabilities –
- CVE-2023-1748, with a CVSS v3 base score of 9.3, can allow cybercriminals to access the Nexx home mobile application and the MQ Telemetry Server. They can remotely control the functions of the garage door and smart plugs in the targeted homes.
- CVE-2023-1749, with a CVSS v3 base score of 6.5, can allow hackers to gain access control on unpatched devices. They can make Application Programming Interface (API) requests to perform malicious tasks using the device ID. This is an authorization bypass using the Nexx smart home device vulnerability.
- CVE-2023-1750, with a CVSS v3 base score of 7.1, could be exploited to gain more information, including accessing device history, changing affected devices’ settings, and accessing other device-related data.
- CVE-2023-1751, with a CVSS v3 base score of 7.5, hackers can get alarm notifications and signals reaching other connected devices. This improper input validation vulnerability skips validating if the bearer token in the authorization header matches with another device that is trying to connect with it. This puts several connected devices at risk of unauthorized access.
- CVE-2023-1752, with a CVSS v3 base score of 8.1, would allow hackers to connect a registered alarm or any other device only to its MAC address.
Smart and connected devices used in industries and larger enterprises offer extended safety, which can be affected by exploiting the Nexx smart home device vulnerabilities.
Users across the globe, including commercial facilities, especially critical infrastructure sectors, must update the devices to their latest versions and update the patches as they are made available.
The CISA ICS advisory noted that Nexx was working with CISA to patch the vulnerabilities. Users are urged to limit the devices’ network exposure as far as possible and maintain firewalls. They are also asked to access Nexx devices using secure VPNs.
