Researchers find severe vulnerabilities in garage door openers and other smart devices

TechSpot is about to celebrate its 25th anniversary. TechSpot means tech analysis and advice you can trust.

PSA: A security researcher and US authorities discovered multiple severe vulnerabilities rendering Nexx smart security systems virtually toothless. Those using their devices should find another solution ASAP since Nexx has been radio-silent for two years.

Researcher Sam Sabetan, cooperating with the US Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA), recently published several severe security risks involving Nexx smart home systems. The vulnerabilities allow attackers to quickly seize complete control over garage door openers, smart plugs, and alarm systems from anywhere on Earth.

Nexx offers devices that let users open garage doors, toggle home security systems, and switch smart power outlets on or off through a smartphone app. Earlier this year, Sabetan discovered that the devices’ connections to the company’s cloud use extremely weak security.

When a user registers the Nexx app with the company’s cloud, its servers send a password to the app and device, establishing the connection. Unfortunately, the password is identical for all users. Furthermore, it’s freely available in Nexx’s API and publicly available in each device’s firmware.

Equipped with the password, an attacker with access to Nexx’s servers can remotely open any garage door and switch off devices connected to smart plugs. They can also see users’ email addresses, device IDs, first names, and last initials, allowing hackers to target specific people.

While the home alarm doesn’t suffer from this specific vulnerability, it has two equally serious problems. Any registered Nexx user with an alarm’s MAC address can take over that alarm, and the MAC address isn’t tricky to discover. Nexx’s server doesn’t verify bearer tokens, potentially letting bad actors send signals to users’ alarms. All Nexx alarm MAC addresses begin with the same digits – 7C 9E BD F4 – making the remainder of the address easy to brute-force. Additionally, a hacker with the MAC address can hijack a registered alarm by reregistering it under a rogue account, removing access from the original user, and giving the attacker complete control over the security system.

Sabetan, the DHS, and CISA have tried contacting Nexx on multiple occasions since January with no success. The company’s mobile apps are still functional. Its social media accounts and website are still online but have logged no activity since 2021. More concerning is that Nexx’s official Twitter posted a tweet in April 2021 appearing to advertise a Web3 studio, suggesting someone else gained control of the account.

Despite signs indicating Nexx has dropped off the face of the Earth, the company’s online store still operates, and the garage door opener remains available on Amazon. Even if few new customers buy Nexx’s products, Sabetan estimates their vulnerabilities endanger 40,000 devices and 20,000 active accounts. It suggests users immediately stop using the devices and try to contact Nexx for refunds. The CISA recommends disconnecting the devices from the internet, isolating them from business networks, or accessing them through VPN.

If Nexx is defunct, it represents another case of what happens to IoT devices when manufacturers and software developers abandon their products.

Read More
Randy Pecora

Latest

The foundational elements of AI architecture that IT leaders need to scale

With the rapid progress of AI capabilities and the move to agentic systems, organizations are expanding their use cases as the technology continues to grow. That constant evolution also introduces risk, leaving IT leaders to wonder which investments will prove valuable even six months into the future. Returning to the foundational elements of AI architecture—the

Google and RWE back Proxima Fusion in record €411mn round

Munich-based Proxima Fusion has raised €411mn ($468mn), the largest private fusion round Europe has ever seen and a rare vote of confidence in a technology that has yet to produce a watt of commercial power. The deal values the stellarator company at €2.4bn and brings in Google and German utility RWE as strategic backers. XTX Ventures and

Here’s What Happened at the Men’s Health Lab 2026

7 min read ON AVERAGE, MEN live about five years shorter than women do, said Richard Dorment, editorial director of Men’s Health and Women’s Health, at the start of this year’s Men’s Health Lab held on June 16, 2026, at Hearst Tower in New York City. But the opportunity to prevent disease has never been

12 Nurses Say They Are Being Replaced by AI

You don't have permission to access "http://www.medpagetoday.com/nursing/nursing/122039" on this server. Reference #18.8651c317.1783501982.45cd2875 https://errors.edgesuite.net/18.8651c317.1783501982.45cd2875

Newsletter

Don't miss

The foundational elements of AI architecture that IT leaders need to scale

With the rapid progress of AI capabilities and the move to agentic systems, organizations are expanding their use cases as the technology continues to grow. That constant evolution also introduces risk, leaving IT leaders to wonder which investments will prove valuable even six months into the future. Returning to the foundational elements of AI architecture—the

Google and RWE back Proxima Fusion in record €411mn round

Munich-based Proxima Fusion has raised €411mn ($468mn), the largest private fusion round Europe has ever seen and a rare vote of confidence in a technology that has yet to produce a watt of commercial power. The deal values the stellarator company at €2.4bn and brings in Google and German utility RWE as strategic backers. XTX Ventures and

Here’s What Happened at the Men’s Health Lab 2026

7 min read ON AVERAGE, MEN live about five years shorter than women do, said Richard Dorment, editorial director of Men’s Health and Women’s Health, at the start of this year’s Men’s Health Lab held on June 16, 2026, at Hearst Tower in New York City. But the opportunity to prevent disease has never been

12 Nurses Say They Are Being Replaced by AI

You don't have permission to access "http://www.medpagetoday.com/nursing/nursing/122039" on this server. Reference #18.8651c317.1783501982.45cd2875 https://errors.edgesuite.net/18.8651c317.1783501982.45cd2875

Bitcoin News: Dave Portnoy Vows to Hold Bitcoin to Zero After Buying at $100K

Bitcoin News: Dave Portnoy Vows to Hold Bitcoin to Zero After Buying at $100K Author Ahmed Barakat Author Ahmed Barakat Part of the Team Since Aug 2025 About Author Ahmed Balaha is a journalist and copywriter based in Georgia with a growing focus on blockchain technology, DeFi, AI, privacy, digital assets, and fintech innovation. Fact

Business seminar in Munich highlights Hong Kong’s strategic roles amidst global shifts (with photos)

Business seminar in Munich highlights Hong Kong's strategic roles amidst global shifts (with photos) ******************************************************************************************      The Hong Kong Economic and Trade Office, Berlin (HKETO Berlin), promoted Hong Kong's unique advantages and strategic roles at the seminar "Hong Kong's strategic role amidst geopolitical tensions" on June 18 (Munich time) in Munich, Germany.             Senior executives, investors

AI for business services: From job fears to productivity

AI for business services: From job fears to productivity

Business Insurance-AZ Achieves Record Response Times for 2026 Arizona Construction Bids

Business Insurance-AZ achieves milestone response speeds for commercial construction bids across Arizona, accelerating documentation delivery to keep local projects moving forward without delay. Phoenix, AZ, June 06-2026, ZEX PR WIRE — Business Insurance-AZ has achieved record-breaking processing speeds and response times for commercial construction bids throughout Arizona, directly supporting the state’s massive infrastructure and advanced manufacturing boom