Open garage doors anywhere in the world by exploiting this "smart" device
A market-leading garage door controller is so riddled with severe security and privacy vulnerabilities that the researcher who discovered them is advising anyone using one to immediately disconnect it until they are fixed.
Each $80 device used to open and close garage doors and control home security alarms and smart power plugs employs the same easy-to-find universal password to communicate with Nexx servers. The controllers also broadcast the unencrypted email address, device ID, first name, and last initial corresponding to each one, along with the message required to open or shut a door or turn on or off a smart plug or schedule such a command for a later time.
The result: Anyone with a moderate technical background can search Nexx servers for a given email address, device ID, or name and then issue commands to the associated controller. (Nexx controllers for home security alarms are susceptible to a similar class of vulnerabilities.) Commands allow the opening of a door, turning off a device connected to a smart plug, or disarming an alarm. Worse still, over the past three months, personnel for Texas-based Nexx haven't responded to multiple private messages warning of the vulnerabilities.
"Nexx has consistently ignored communication attempts from myself, the Department of Homeland Security, and the media," the researcher who discovered the vulnerabilities wrote in a post published on Tuesday. "Device owners should immediately unplug all Nexx devices and create support tickets with the company requesting them to remediate the issue."
The researcher estimates that more than 40,000 devices, located in residential and commercial properties, are impacted and more than 20,000 individuals have active Nexx accounts [...]
[...] Researcher Sam Sabetan found that devices use the same password to communicate with the Nexx cloud. What's more, this password is easily attainable simply by analyzing the firmware shipped with the device or the back-and-forth communication between a device and the Nexx cloud.
"Using a universal password for all devices presents a significant vulnerability, as unauthorized users can access the entire ecosystem by obtaining the shared password," the researcher wrote. "In doing so, they could compromise not only the privacy but also the safety of Nexx's customers by controlling their garage doors without their consent."
When Sabetan used this password to access the server, he quickly found not only communications between his device and the cloud but communications for other Nexx devices and the cloud. That meant he could sift through the email addresses, last names, first initials, and device IDs of other users to identify customers based on unique information shared in these messages.
But it gets worse still. Sabetan could copy messages other users issued to open their doors and replay them at will—from anywhere in the world. That meant a simple cut-and-paste operation was enough to control any Nexx device no matter where he or it was located.
A proof-of-concept video from the article
(Score: 4, Interesting) by Mojibake Tengu on Friday April 07, @09:07AM (3 children)
If I were a rich criminal gang boss, I'd put at least one trusted, loyal follower in as a stupid developer in every local IoT maker corporation out there, and call him an enabler.
Exactly the same model as those HR infiltrations the Agencies regularly do to established corporations.
Then, by virtue of Patience, sooner or later a treasure trove could be collected somewhere out there without any hassle.
I call this sabotage, nothing less. Critical software without personal responsibility is a joke. The legal concept of plausible deniability in case of sabotage is a joke too.
Do you bet your very home, the lives of your loved ones, your very life, on someone's opaque software?
This kind of failure is worthy of the bloody heads of the whole dev team on pikes, together with the heads of their managers...
The edge of 太玄 cannot be defined, for it is beyond every aspect of design
(Score: 1, Interesting) by Anonymous Coward on Friday April 07, @01:14PM
> Do you bet your very home, the lives of your loved ones, your very life, on someone's opaque software?
No. The garage door opener here is plugged into a switched outlet shared with the garage light. Switch is inside the house and has to be on for the opener to work. We switch it off when we're home (or away for any extended period).
The old opener has been very reliable, but isn't very secure. It's the type with a code set by shorting header pins with jumpers...but I'd rather have this one than one that is "value-engineered" (unreliable) and "smarter".
https://www.newark.com/fischer-elektronik/cab-4-gs/jumper/dp/34M5354 [newark.com]
(Score: 2) by Thexalon on Friday April 07, @04:13PM
Why bother? It's not like the IoT makers won't do that on their own, on the grounds of "release now, security is a maybe thing for later on".
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 2) by krishnoid on Friday April 07, @05:38PM
Never hurts [schlockmercenary.com] to make sure the wheels are well-lubricated [youtube.com], I guess.
(Score: 5, Insightful) by driverless on Friday April 07, @09:41AM
By disconnecting your Nexx, you're putting it into the state it should have shipped from the factory in. I mean, this is a device that allows you, or someone else, to remotely open your garage door and disarm your alarm from anywhere on the planet rather than just, you know, when you're sitting outside your garage. Who actually thought this was a good idea for a device to do in the first place? And beyond that, who thought paying money for something that does this was also a good idea?
(Score: 2) by fraxinus-tree on Friday April 07, @11:23AM (6 children)
On the other hand, this is why Tasmota, MQTT and related projects do exist.
(Score: 2) by canopic jug on Friday April 07, @11:49AM (5 children)
Is it still possible to do MQTT over TLS?
Money is not free speech. Elections should not be auctions.
(Score: 2) by DannyB on Friday April 07, @02:48PM
A far more important question is to ask if it was ever possible to use the finger protocol over TLS?
How often should I have my memory checked? I used to know but...
(Score: 2) by fraxinus-tree on Friday April 07, @06:09PM (3 children)
What's the issue with MQTT over TLS?
(Score: 2, Disagree) by canopic jug on Saturday April 08, @02:21AM (2 children)
If I read correctly, the libraries have been modified so that you may not use self-signed certificates any more. This means that at least part of the network must be Internet-facing and/or you must pay to integrate an external certificate instead. In both cases you risk losing integrity, confidentiality, and privacy.
Money is not free speech. Elections should not be auctions.
(Score: 2) by gnuman on Sunday April 09, @12:38PM (1 child)
Self-signed certificates are BS that should never be allowed. They allow for broken security. The real answer,
1. make a CA cert and put it on your hardware
2. generate a cert for each of the pieces of equipment based on this CA
3. done
Use GUI software like `xca` to do this.
OR how do you use your self-signed cert? You put the server public cert on all the clients? Because that's easier than just having 1 CA? Or do you just go "don't bother verifying certificates because there is definitely no MITM". Might as well use telnet if you do this.
(Score: 2) by canopic jug on Monday April 10, @03:09AM
Self-signed means not that the certificate is signing itself but that the organization or institution is backing its own certificates.
> 1. make a CA cert and put it on your hardware
> 2. generate a cert for each of the pieces of equipment based on this CA
> 3. done
My knowledge is lacking, and I'm probably using the wrong terminology, but whatever it is called, that is the exact approach which I was complaining about having ceased to be allowed in some tools. Some tools still allow it, such as Mosquitto. Others, like Paho MQTT, seem to prevent that approach starting fairly recently.
Money is not free speech. Elections should not be auctions.
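Worked example, added by the editor and not code from Nexx, Mosquitto, Paho or anyone in this thread: the "one CA, one certificate per device" design that the two comments above describe, as the openssl commands that build it, plus the broker-side configuration that makes the certificate a device's only credential. It is also the counter-design to the flaw in the article excerpt at the top of the page, where every controller shares one password and can publish any other controller's command. The names broker.home.lan, garage-door-01 and garage-door-02, the CA name, and the paths under $WORK are assumptions for illustration; the Mosquitto options are the standard ones (listener, cafile, certfile, keyfile, require_certificate, use_identity_as_username, allow_anonymous, acl_file). The script needs only a POSIX shell and the openssl command-line tool.

```shell
#!/bin/sh
# Added example (editor's, not Nexx's or any project's code): a private CA for
# a small MQTT fleet with one certificate per device, a rogue certificate to
# show what gets rejected, and a Mosquitto config that turns each certificate
# into a device identity scoped to its own topics. Device names, paths and the
# CA name are assumptions for illustration. Needs only sh and the openssl CLI.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"

# A self-contained openssl config so the result does not depend on whatever
# /etc/ssl/openssl.cnf the host happens to have. The dn section is a
# placeholder; every subject below is passed explicitly with -subj.
write_openssl_cnf() {  # write_openssl_cnf <dir>
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Step 1: the CA. This is the only self-signed certificate in the design, and
# ca.key is the only secret that must never reach a device.
make_ca() {  # make_ca <dir>
  openssl req -x509 -config "$1/ca.cnf" -extensions ca_ext -newkey rsa:2048 \
    -nodes -days 3650 -subj "/CN=Home IoT CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Step 2: a key pair and a CA-signed certificate per piece of equipment. The
# CN is the device name; the broker uses it as the username (see step 3).
issue_cert() {  # issue_cert <dir> <name>
  openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  cat > "$1/$2.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth,serverAuth
subjectAltName = DNS:$2
EOF
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 825 -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

# An attacker's self-signed certificate that copies a real device's CN. With a
# shared password this impersonation would work; here it must be rejected.
make_rogue() {  # make_rogue <dir>
  openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=garage-door-01" -keyout "$1/rogue.key" -out "$1/rogue.crt" 2>/dev/null
}

# Prints "ok" if the certificate chains to the given CA, "fail" otherwise.
verify_device_cert() {  # verify_device_cert <ca.crt> <cert>
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Step 3: broker side. Mosquitto demands a client certificate, trusts only this
# CA, takes the CN as the username, and confines each device to its own topics,
# so one compromised device cannot replay or issue another device's commands.
write_broker_conf() {  # write_broker_conf <dir>
  cat > "$1/mosquitto.conf" <<EOF
listener 8883
cafile $1/ca.crt
certfile $1/broker.home.lan.crt
keyfile $1/broker.home.lan.key
require_certificate true
use_identity_as_username true
allow_anonymous false
acl_file $1/acl
EOF
  cat > "$1/acl" <<EOF
user garage-door-01
topic readwrite home/garage-door-01/#
user garage-door-02
topic readwrite home/garage-door-02/#
EOF
}

write_openssl_cnf "$WORK"
make_ca "$WORK"
for name in broker.home.lan garage-door-01 garage-door-02; do issue_cert "$WORK" "$name"; done
make_rogue "$WORK"
write_broker_conf "$WORK"

echo "garage-door-01.crt against ca.crt: $(verify_device_cert "$WORK/ca.crt" "$WORK/garage-door-01.crt")"
echo "rogue.crt against ca.crt:          $(verify_device_cert "$WORK/ca.crt" "$WORK/rogue.crt")"
echo "broker config: $WORK/mosquitto.conf"
```

On the device side, a Paho Python client is pointed at the same CA with tls_set(ca_certs="ca.crt", certfile="garage-door-01.crt", keyfile="garage-door-01.key"), so it verifies the broker against your own CA rather than a public one; that is the private-CA arrangement, not the "copy one self-signed leaf to every client" one, and it is what the require_certificate and use_identity_as_username lines on the broker expect. The rogue certificate carries the same CN as a real device and still fails verification, because identity here comes from the CA's signature, not from the name, and the ACL file then confines even a genuine device to its own topic tree.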
(Score: 3, Interesting) by DannyB on Friday April 07, @03:03PM (4 children)
How can something be designed and actually implemented with so many obvious flaws? Multiple people had to be involved with different areas of "expertise" to use the term generously. It required development of two mobile apps (Android / iOS). It required development of garage door opener hardware. It involved the cloud, probably with containers. It required databases.
How could so many "smart" people screw this pooch so badly?
Seeing the state of the world, I cannot dismiss the possibility that this is the result of plain ol' corporate greed. Regulations anyone? I have suggested here in the past, but not recently, that with the number of SHIoT[1] incidents we've seen in the past, maybe any liability should fall directly onto the product manufacturer. After all, they could have insurance. An insurance underwriter is going to have a real incentive to do some design review for any obvious flaws. Did this product have any obvious design flaws? Ignoring the insurance issue, the manufacturer is squarely to blame. They should take some measures to ensure security if they are going to be on the hook for ensuing damages. There should be civil liability. The manufacturer could certainly argue in court that they had actually made a great deal of effort to take security very seriously -- except for this product.
If this clown circus of a design was no accident, then maybe it was part of a grand plan to be able to do drive by garage and home invasion thefts? Or maybe even just one specific home was the target?
If you're going to mis-design a product for quick unjust gain, you should at least do so in an ethical and responsible manner.
[1]SHIoT = Security Hardened Internet of Things
How often should I have my memory checked? I used to know but...
(Score: 3, Informative) by mhajicek on Friday April 07, @05:09PM
In most companies designing products, the multitude of smart engineers all answer to one or more non-engineers with MBAs. MBA says skip that, you skip it, if you want to keep your job.
The spacelike surfaces of time foliations can have a cusp at the surface of discontinuity. - P. Hajicek
(Score: 0) by Anonymous Coward on Friday April 07, @07:28PM
> [1]SHIoT = Security Hardened Internet of Things
IOTTS = Internet Of Things That Suck
I guess this could be expanded to IDIOTTS = IDiotic Internet Of Things That Suck
(Score: 2) by ChrisMaple on Sunday April 09, @02:47AM (1 child)
In all too many cases, particularly with young fast-moving companies, one engineer is responsible for a product's design. He barely knows enough to make the product work and has no clue about security. His manager doesn't even know the questions to ask, and is under pressure to get the product ready quickly and inexpensively.
OTOH, Nexx has 150 employees, so they ought to have somebody who's responsible for seeing that security gets done right. Their web pages emphasize security and U.S. based operation. That they are failing to respond to both private and government pressure implies that there's something badly irresponsible going on.
(Score: 2) by DannyB on Sunday April 09, @02:38PM
If they had product liability for inept security, that would tend to focus the attention of management.
How often should I have my memory checked? I used to know but...
(Score: 5, Insightful) by istartedi on Friday April 07, @04:02PM (2 children)
They ask me why I...
...put tape over the camera on my PC.
...have a feature phone.
...aren't interested in "smart home" features.
...don't enable online banking.
"You're in to technology. You were a software engineer. What do you mean you don't want that?".
Yes. It's precisely because I did this. I know how the sausage is made. No thanks.
(Score: 1, Interesting) by Anonymous Coward on Friday April 07, @09:27PM (1 child)
> I know how the sausage is made. No thanks.
Oddly enough, I had a private tour of a sausage factory, along with a small group that were looking for applications for their automation product. We all agreed in advance that we were likely to never eat sausage again after the tour.
In fact it was just the opposite, the place was spotless, workers were cheerful (not likely to be spitting into the mix!), cold processing and packaging took place in refrigerated rooms. The big ovens, various meat grinders/mixers, tube-fillers and staging areas were steam cleaned daily or more frequently. The manager that gave the tour noted that bones were the most likely part of an animal to carry bad bacteria...and for that reason all butchering was done before the meat came to the sausage plant, they never had bones on the premises.
Afterwards our little tour group all agreed that we'd eat sausage from _that_ plant any day.
Moral? Not all adages are true in all cases?
(Score: 3, Informative) by istartedi on Friday April 07, @09:43PM
It's an old idiom of course, and unlike what I previously thought, it does not come from Upton Sinclair's The Jungle, but apparently has earlier origins [stackexchange.com]. I guess for a long time everybody thought sausage had issues, and Sinclair just confirmed it in gory detail. And that's why the factory you saw, assuming it's in the USA, is kept clean. Not that there aren't lobbyists continuously trying to break that down and Make America Gag Again, but I don't think they've gotten far enough for me to dismiss the occasional patty or link entirely.
(Score: 2) by Frosty Piss on Friday April 07, @06:13PM
The *ONLY* reasonable conclusion is that these "flaws" were specifically designed into this thing intentionally. The question is why? It's not "incompetence"; for some reason they wanted it this way.
(Score: 2) by Freeman on Monday April 10, @02:44PM
The S in IoT stands for Security.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"