Security News > 2023 > April > It's this easy to seize control of someone's Nexx 'smart' home plugs, garage doors
A handful of bugs in Nexx's smart home devices can be exploited by crooks to, among other things, open doors, power off appliances, and disable alarms.
The five vulnerabilities affect Nexx garage door controllers with firmware version nxg200v-p3-4-1 and prior; Nexx smart plugs version nxpg100cv4-0-0 and prior; and Nexx smart alarms version nxal100v-p1-9-1 and prior.
Essentially, vulnerable Nexx smart home products use hard-coded credentials.
An unauthenticated attacker can use these credentials to access Nexx's Message Queuing Telemetry Transport server - MQTT is the messaging protocol Nexx garage door controllers, smart plugs, and other IoT devices use.
In this case, an attacker just needs someone's NexxHome deviceId to send instructions to that person's smart home device, via the Nexx API, and the hardware will just obey it.
This could allow any Nexx user with a valid authorization token from a single device to control any smart home alarm.
News URL
https://go.theregister.com/feed/www.theregister.com/2023/04/07/cisa_nexx_iot_flaws/