Nexx is a manufacturer of “smart” devices – plus, alarms, garage door openers, that kind of thing.
Unfortunately their response to vulnerabilities is not-so-smart. According to a blog post by security researcher Sam Sabetan, Nexx not only ignored his warning about serious security holes in its products, but has ignored attempts by the United States Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) to get the problems fixed too.
So what are the security issues?
According to Sabetan and >CISA, Nexx devices suffer from serious vulnerabilities that could allow an attacker to receive sensitive information, make API requests, or hijack devices.
Meaning a hacker could remotely open or close the garage door, seize control of alarms, and switch on (or switch off) customers’ “smart” plugs.
That’s all pretty bad.
To make matters worse, over 40,000 devices, located in both residential and commercial properties, are said to be vulnerable.
But what’s utterly reprehensible is that Nexx appears to have completely ignored attempts by the security researcher and the Department of Homeland Security to raise the issue, and has not warned its customers about the problem.
As Sabetan puts it:
“Nexx has consistently ignored communication attempts from myself, the Department of Homeland Security, and the media. Device owners should immediately unplug all Nexx devices and create support tickets with the company requesting them to remediate the issue.”
Any company selling IoT devices needs to take the security and safety of its customers seriously. It’s easy to see that Nexx has failed to do that.
Don’t buy Nexx products. If you’re already a customer, disconnect them, ask for your money back, or chuck them in the trash.