Multiple vulnerabilities have been discovered in Nexx smart devices that can be exploited to control garage doors and smart plugs or to disable home alarms. The vulnerabilities include the use of universal credentials hardcoded in the firmware, which allows attackers to remotely control any customer’s devices. This vulnerability can also be used to identify Nexx users and collect sensitive information.
Due to the severity of the issue, the US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert. Nexx has yet to acknowledge and fix the vulnerabilities, and attempts to report the flaws have been ignored. Mitigation measures include disabling internet connectivity, placing devices behind firewalls, and only accessing or controlling devices through a VPN connection that encrypts data transmissions.