Open Garage Doors Anywhere In the World By Exploiting This 'Smart' Device (arstechnica.com) 77
An anonymous reader quotes a report from Ars Technica: A market-leading garage door controller is so riddled with severe security and privacy vulnerabilities that the researcher who discovered them, Sam Sabetan, is advising anyone using one to immediately disconnect it until they are fixed. Each $80 device, used to open and close garage doors and control home security alarms and smart power plugs, employs the same easy-to-find universal password to communicate with Nexx servers. The controllers also broadcast the unencrypted email address, device ID, first name, and last initial corresponding to each one, along with the message required to open or shut a door or turn on or off a smart plug or schedule such a command for a later time.
The result: Anyone with a moderate technical background can search Nexx servers for a given email address, device ID, or name and then issue commands to the associated controller. (Nexx controllers for home security alarms are susceptible to a similar class of vulnerabilities.) Commands allow a door to be opened, a device connected to a smart plug to be turned off, or an alarm to be disarmed. Worse still, over the past three months, personnel for Texas-based Nexx haven't responded to multiple private messages warning of the vulnerabilities.
"Nexx has consistently ignored communication attempts from myself, the Department of Homeland Security, and the media," Sabetan wrote in a post published on Tuesday. "Device owners should immediately unplug all Nexx devices and create support tickets with the company requesting them to remediate the issue." Sabetan estimates that more than 40,000 devices, located in residential and commercial properties, are impacted, and more than 20,000 individuals have active Nexx accounts.
The result: Anyone with a moderate technical background can search Nexx servers for a given email address, device ID, or name and then issue commands to the associated controller. (Nexx controllers for home security alarms are susceptible to a similar class of vulnerabilities.) Commands allow a door to be opened, a device connected to a smart plug to be turned off, or an alarm to be disarmed. Worse still, over the past three months, personnel for Texas-based Nexx haven't responded to multiple private messages warning of the vulnerabilities.
"Nexx has consistently ignored communication attempts from myself, the Department of Homeland Security, and the media," Sabetan wrote in a post published on Tuesday. "Device owners should immediately unplug all Nexx devices and create support tickets with the company requesting them to remediate the issue." Sabetan estimates that more than 40,000 devices, located in residential and commercial properties, are impacted, and more than 20,000 individuals have active Nexx accounts.
OK, I'll admit I'm a Luddite (Score:5, Insightful)
Are garage doors "smart" now? Was there something wrong with my system of driving up and hitting the remote hanging from my sun visor? Is this a deal where for some reason I want to involve the internet in opening and closing the garage door? I swear, i feel like we are getting dumber as a species by the day.
Re: (Score:2)
Ever since I took a dive into SDR, my garage door has a handle that I can turn to move a steel bolt from its concrete socket, locked by a pin tumbler with a magnet key.
The more I know about electronic locks, the less I am inclined to trust them.
Re: (Score:2)
Re: (Score:2)
I would rather NOT smash a window in my house. Unless you want to have the police chief over who lives next door.
The thing is that breaking into my house usually entails breaking and entering in a fashion that my alarm will notice. It would not if you open the door in a fashion that could be done by me because you manage to spoof me. Think of it as the difference between smashing a window and unlocking the door with a key.
Re:OK, I'll admit I'm a Luddite (Score:5, Informative)
Yeah..... it's part of the "smart home" automation thing, really. Believe it or not, there are good things about the tech, vs the "dumb" stuff using your remote on your visor.
Primarily? The standard door opener doesn't report back if it's open or closed to the device sending commands to it. (So you get situations like used to happen with me and my wife, where we'd both get home at about the same time after work. I'd press the door opener to open the door to the 2 car garage, and as I was going in? She'd come up the alley from the main road and hit the button, so the door would be open by the time she got to the driveway. That would cause the door to start closing on me.)
Auto makers like Tesla are starting to support the "smart" door opener standard "MyQ" now so there's no more button on the visor to deal with. Instead, the car can send the command to open your door automatically when you get within X number of feet of it and can close it for you as you drive off. But it's also able to be smart about it, so it won't send the command to open if you're driving up to your garage and the door is already left open....
the button may be an dumb change button (Score:2)
the button may be an dumb change button and not 2 buttons with down and up as there own thing
Re:OK, I'll admit I'm a Luddite (Score:5, Insightful)
Primarily? The standard door opener doesn't report back if it's open or closed to the device sending commands to it. (So you get situations like used to happen with me and my wife, where we'd both get home at about the same time after work. I'd press the door opener to open the door to the 2 car garage, and as I was going in? She'd come up the alley from the main road and hit the button, so the door would be open by the time she got to the driveway. That would cause the door to start closing on me.
That's not an argument for adding the internet and a remote server into the requirements for a garage door control. That only proves that your original system was poorly designed. "Open the door" and "close the door" should be separate commands - not the toggle of a single command. This could easily still be handled by a closed, fully local system.
Companies that unnecessarily complicate local processes and involve their remote systems in those processes are almost certainly collecting and selling data about you to someone. And, as a thank you for your data, they are compromising your home's security.
Re: (Score:2)
Well, the original system was poorly designed and somebody decided that while rectifying it, they may as well go on and wifi enable it and make it "connected" for the sake of being a part of a "smart house".
You might say that's unnecessarily complicated.... but I'd say it's still a valid invention that SOME people will want. Among other things, I don't have to leave an opener button sitting in my vehicle where anyone could steal it and gain access to my garage. I can use the app on my phone to open my gar
Re: (Score:2)
that SOME people will want
Sure. The people who like to track what time you usually get home and what time you usually leave in the morning for the purpose of aggregating that data with other data from your smart home in order to better market to you.
Re: (Score:2)
Sure. The people who like to track what time you usually get home and what time you usually leave in the morning for the purpose of aggregating that data with other data from your smart home in order to better market to you.
And I care why? If I am getting home late every night, and suddenly I see ads for food delivery services, maybe that ad might be useful to me. I am going to be force fed an ad anyway, it might as well be a potentially useful one.
(I personally run 2 ad blockers, and do not use a garage door opener.)
My GF loves her smart garage door opener, as she always has her phone on her, and doesn't carry the door remote when walking the dogs. Entering through the garage is much easier for her 3 legged dog.
Re: (Score:2)
I don't have to leave an opener button sitting in my vehicle where anyone could steal it and gain access to my garage. I can use the app on my phone
You have to balance the risks in the attack scenario.
Scenario (A) someone breaking your car window just to steal the remote control so they can enter your house without breaking the door: low probability (there are better scenarios to rob a house assuming a bad actor knows your address and just saw your car is out of the house).
Scenario (B) Probability of the internet-controlled garage door to include backdoors, hardcoded passwords, unpatched vulnerabilities, unsupported OS versions: in excess of 100%. You
Re: (Score:2)
Scenario A is incorrect.
Scenario A is - someone breaks into and/or steals your car for any number of reasons. (Not to specifically get your garage door opener). While committing that crime, they discover they have your address and garage door opener, and decide to commit another one.
You also forgot Scenario C -
without the tech, we sometimes forget to close the garage door in the evening after bringing in the groceries or camping equipment and someone wandering by could grab a bike or tools.
Scenario C is wel
Re: (Score:2)
No. the most likely scenario is that someone owns a modern, fairly high-tech car that is especially vulnerable to auto theft because its internal security system is so faulty that a thief can exploit that very system to start the car, and once the thief knows where the car is parked at night, uses the ability to open the garage door through a script in order to gain access to the car to facilitate stealing it.
Someone looking to steal a $50,000 car either to try to smuggle it out of the country or to cut it
Re: (Score:2)
Someone looking to steal a $50,000 car either to try to smuggle it out of the country or to cut it up for parts is going to have enough ROI on doing this at-scale to make a point of doing that data analysis if it makes their theft easier to pull off.
Or go to any parking lot and just pick one, or drive down any street with street parking and cars parked on driveways, and just pick one.
Targeted boutique theft of special order cars out of the owners garage is a tiny fraction of what goes on. If you are worried about that, how do you ever risk taking the car out at all? The odds of getting into an accident, car jacked, or having it stolen from the mall/movie/grocery store/hotel/wherever you were going is far higher.
Re: (Score:2)
someone breaks into and/or steals your car for any number of reasons. (Not to specifically get your garage door opener). While committing that crime, they discover they have your address and garage door opener
Note that the alternative promoted by the manufacturers is that the car itself communicates with the door. A thief will know which cars have this function and drive by your home and have the garage door open by itself (at least in US where the driveway is open to the street, according to movies).
Your scenario C is only the case of manual doors, which nobody is advocating here. I advocate a motorized system that is local and closes behind you after an amount of time or depending on sensors.
Re: (Score:3)
You forgot Scenario D too - someone comes around and brute forces your old style "closed system" remote garage door opener. Some of these systems have 10 dip switches to set the code - so that's 1024 combos. You can buy a device that will test all of them in about 2 minutes.
Not sure putting these on the internet is the smartest idea, but any remote garage door system probably wasn't that secure to begin with - one of the reasons, at least in this country, that there is usually a separately lockable door bet
Re:OK, I'll admit I'm a Luddite (Score:4, Insightful)
What people want is something that lets them open their garage door from the comfort of their cell phone. Yes, people can want that because they always have their cell phone with them and they don't need 5 other remote controls to open doors or the blinds on the window, turn lights on and off or regulate the heat of their home. Yes, people do want that.
What I highly doubt is that people want that data to travel once around the world to $deity knows whom. And this is where the understanding stops, at least for me. And for the user. I'm fairly sure if you ask the people who own such systems whether they actually know just WHAT is going on, most of them will not. And even if they do, they don't understand the implications because nobody bothered to tell them.
Nobody in their sane mind would agree to a system that works along those lines: "When you open your garage door, what really happens is you send a message to our server in $data_center, which then sends that command to your door. That only works as long as you continue paying for that service, and of course as long as our company exists. If the company goes poof, you're sitting on a pile of worthless e-junk because without our master control server, your whole spiffy automated home becomes a very manual driven home again. And what we do with the data we collect on you is none of your business."
Of course one could argue that controlling this from home is more complicated. But is it? That garage door needs some kind of internet connection already. More likely than not, it's WiFi to the home router, with a phone app that sends a packet to the master control server which then sends a packet to that home router which then WiFis it to the garage door. And that's less complicated, convoluted and error prone than giving the garage door an Access Point that the phone automatically connects to when it's in range so it can send the open code automatically? Hell, if you're daring enough, make it Bluetooth. You could even open the door automatically when it notices you coming into range again if you are lazy enough (and don't really care for your security, which you obviously don't considering that you buy such a phone-home system in the first place).
Quite frankly, I cannot see a reasonable explanation why something like this NEEDS online connectivity.
Re: (Score:2)
Nobody in their sane mind would agree to a system that works along those lines: "When you open your garage door, what really happens is you send a message to our server in $data_center, which then sends that command to your door. That only works as long as you continue paying for that service, and of course as long as our company exists. If the company goes poof, you're sitting on a pile of worthless e-junk because without our master control server, your whole spiffy automated home becomes a very manual driven home again. And what we do with the data we collect on you is none of your business."
Likewise, also not great if the solution to "open your garage door from half a mile away", or "check whether your door is closed anytime" is for the garage mechanism to quietly expose itself to the internet using UPnP thus joining the conga line of IoT devices that quietly radically expose people's home networks to the internet...
I agree the signalling through a central server creates an ongoing dependence to the company that runs that server (and that isn't great), but my $deity there is a lot of terrible
Re: (Score:2)
That there are even worse junk that pierces your home security doesn't really excuse this one.
Re: (Score:2)
Re: (Score:2)
well mr snooty wagon has chimed in, never mind the humble garage door opener has a bistable device for half a century now, lets listen to the "expert" by providing an unnecessary complicated local process in which they have obviously never used
Re: (Score:2)
The other common use case for smart door controls is so that you can be sure the door is shut at night. However, you can do that without putting control of the door on the internet. You just need a magnetic switch or some other sensor that can tell your home automation system when the door is shut, so you can check it before retiring for the night.
Re: (Score:2)
The standard door opener doesn't report back if it's open or closed to the device sending commands to it. (So you get situations like used to happen with me and my wife, where we'd both get home at about the same time after work. I'd press the door opener to open the door to the 2 car garage, and as I was going in? She'd come up the alley from the main road and hit the button, so the door would be open by the time she got to the driveway. That would cause the door to start closing on me.)
My door has a light source on one side and a photocell on the other to check for obstructions between the tracks and won't close if anything is blocking it.
I'll pass on having any of my doors connected to the internet.
Re: (Score:2)
Re: (Score:3)
That wouldn't help you if you are in a truck/SUV that has ground clearance until your tire hits the sensor. If it started closing as you were just a couple feet from entering, you could easily hit the door with the windshield before the door stops and starts reversing from your front tire triggers the optical sensor. And don't just say, well move the sensor up higher, because if you did that your door wouldn't detect if someone fell and was knocked out across the threshold of the garage door (or toddler, or baby crawling, or small cat/dog).
Don't need a truck for that. Even at bumper height on my car a person could lay under the beam. The door is already pretty good at reversing if it hits something anyway (this force is adjustable). I've let it come down on my foot. It does not hurt. Would probably scratch paint on the car though, so I have the sensors set to protect the car.
Might be possible to add a second set of sensors if this was a big worry to you. Have never checked.
Re: (Score:2)
30 years ago I was closing the garage door at my parents house and the cat ran in at the last moment and got squished by the closing door, the door instantly stopped and reversed. cat unharmed (she hissed at it and came to me for pettin's)
its standard basic shit for a garage door opener even before optical sensors, hell my new one I can bump with my hand and it reverses
Re: (Score:2)
Torsion spring is especially important to keep lubricated. Can cause major damage and/or injury if it ever breaks.
Re: (Score:2)
Not everyone can benefit from newer technology, but like a lot of things, while it can improve your life if you know how to use it, you can still live without it
Re: (Score:2)
That would cause the door to start closing on me.
The safety sensors are suppose to detect that situation and immediately stop, so you should get that fixed. Also, tell your wife to SEE if the door is actually closed/open before randomly pressing the button.
Re: (Score:2)
Good luck on that, the wife part I mean.
Re: (Score:2)
The reason Tesla is supporting MyQ is because they stopped installing HomeLink by default. HomeLink is the standard for regular garage door openers that lets you program any compatible remote to work with your opener. Many cars have built-in Homelink openers, always with three buttons to control three different doors. Why three? Because Homelink doesn't license the technical details, they sell a chip that implements it. With MyQ, they let you integrate it at the software layer, so no extra hardware is
Re: (Score:2)
I do get your overall point BTW.
Re: (Score:2)
Yup, that's the main benefit. I have it enabled so I can check if my garage door is open without having to run up and down two flights of stairs. It can also be configured to send alerts when the door is opened, which could be helpful when you're away. I *really* wish it didn't need to go to the cloud for any of this. Okay, alerts when you're away pretty much have to, but I wish I could get
Re: (Score:3)
As for security, people break in manually in seconds. No need to hack the remote. My garage has been broken into twice,. Has the standard lock based system that you can then pull that detaches the door from the opener (handy when the power goes out or your remote opener battery is dead). And when it was broken in I'd see a line of garages in the complex all with the lock hanging down from the wire. The lock never looked broken or bent but likely it was forced rather than picked - stick in a fat screwdr
Re: (Score:2)
What I learned to do is have a secondary lock on the garage door. That way, when the garage door is disconnected, it still has a bolt going through the rail on one side with no corresponding lock on the outside. If someone wants in, they are going to have to slam a car into the door, or go in through the house.
Re: (Score:2)
Re: (Score:2)
Gotta have the latest high tech stuff [youtube.com].
Re: (Score:3)
"Was there something wrong with my system of driving up and hitting the remote hanging from my sun visor?"
Obviously your system fails if you need or want to operate the door without driving up with your opener attached to your sun visor.
I've installed a unit (not a nexx). I've used the app to open it 3 times since installing it. Once when I dropped my car off for service, and had a friend pick me up at the shop and drop me at home, only to realize I'd left the opener in the car at the shop and didn't have a
Re: (Score:2)
As for the issue with the door not closing, and then reopening... Well, that could just be solved by you waiting 15 more seconds to make sure the door closed before you drove away.
Re: (Score:2)
I actually did look at a panel, and for some people its great. The neighbors have one, that their kids use when they come home from school everyday instead carrying a key. But I don't really think it works well for me.
" Your first 2 use cases can be solved with an external keypad to operate the door. "
You want me to remember a code I'm going to use maybe once or twice a year? No thanks.
Plus deal with batteries on something that gets used once or twice a year? No thanks.
"Well, that could just be solved by yo
Re:OK, I'll admit I'm a Luddite (Score:5, Interesting)
Yeah, I also have an "old fashioned" garage door remote. But I've got to admit, there are times when I get a mile or two away from home and wonder, "Did I forget to close the garage door?" In those moments, it might be nice to have a smart door that I can control from anywhere on my phone. BUT as this article shows, the technology isn't really mature enough for me to buy into it.
So for now, as I drive away from the house, I say OUT LOUD "The garage door is closed." Then later, when I have that thought, I remember saying it out loud, and I'm good.
Re: (Score:2)
Are garage doors "smart" now? Was there something wrong with my system of driving up and hitting the remote hanging from my sun visor?
Yes there was something wrong. It was when you drove off and forgot to close the garage door behind you. Maybe you were in a rush, maybe your attention was dedicated to the road not your garage door, maybe your kids were squabbling and you had to interrupt your train of thought to calm them, maybe you're just not a perfect person who always remembers things.
Anyway, a phone app lets you check the status of your door and close it remotely if necessary. It also lets you know if someone has unexpectedly opened
Re: OK, I'll admit I'm a Luddite (Score:2)
I had my dumb garage doors hooked up to my DSC alarm panel years ago. The PGM outputs would open them, the door contacts would tell the open/closed status. There was a motion sensor in the garage and if the garage was left open with no movement, it would email then eventually close automatically. They pgm outputs could be controlled by a keychain fob. The garage was fully detached from the house. If someone wanted into my garage they could easily hack it or use a coat hanger to pull the release or back the
Re: (Score:2)
Yeah, its weird, its like there are some people who leave their house on foot or on *gasp* a bike and want to be able to close the garage door without having to carry a remote. What is the world coming to when people don't just take their car everywhere they go?
Never have anyone else control your home (Score:5, Insightful)
This isn't a garage door opener. What it is is a device that lets you tell someone to open the door for you. That someone has full control over your garage door.
Why the hell do you trust that someone?
This isn't even about whether the way to tell that someone to open your door for you is secure, that problem is way, way simpler than that. Why the hell do you hand the keys to your home to someone you don't even know?
amazon has the delivery choice of useing an smart (Score:2)
amazon has the delivery choice of useing an smart one for delivery
Re: (Score:2)
And it just seems like a dumb idea to allow Amazon access anyway. I suspect in the next extended power outage that some cities will revert to barbarism as their residents will have forgotten how to go shopping, how to prepare meals, how to even purchase items with their now inert phones.
Re: (Score:3)
I admit, there was one scenario where I would have used amazon's service. My in-laws, may they rest in peace, had an enclosed, lockable front porch on their house. It was basically a mudroom without climate control. The door from this space into the house was the actual front door, the door from the outside to this space was also lockable, a storm-door.
But they wouldn't need something high tech for most packages because they had one of those package receiving slots where it would not let the package back
Re: (Score:2)
Bluetooth keys to open garages are a thing except you have to buy them - a garage door reseller never bothered and provided relations with the old kind.
I never discovered if it leaked signals
Re: (Score:2)
Considering that I know very few implementations of the Bluetooth protocol that could be considered secure, I wouldn't get my hopes up. It's a fairly complex protocol and to do it right, one should know what one's doing. I highly doubt that IoT makers who routinely blunder even the simplest security issues would be able to pull something off that even experienced companies routinely botch.
Re: (Score:3)
This isn't a garage door opener. What it is is a device that lets you tell someone to open the door for you. That someone has full control over your garage door.
Why the hell do you trust that someone?
This isn't even about whether the way to tell that someone to open your door for you is secure, that problem is way, way simpler than that. Why the hell do you hand the keys to your home to someone you don't even know?
There's a massive difference between pragmatic and principled concerns when it comes to this topic.
On principle, I understand the concern. Handing your keys to someone else increases the surface area for attack, creates more opportunities for problems, and fails to follow best practices. And online that's a real concern, given that a criminal can employ a single vulnerability to compromise systems en masse from a remote location, yielding huge rewards for minimal effort.
In practice, however, the concerns in
Re: (Score:2)
The reason why it's not more prevalent is simply that so far at least this isn't widespread. With increased adoption rates, you can be certain that such break ins will happen frequently.
I don't think that the proper response to a problem is to hope that it won't get big enough to actually be one. You don't wait for the snow to build up enough for the roof avalanche to kill someone when it comes crashing down.
Re: (Score:2)
The reason why it's not more prevalent is simply that so far at least this isn't widespread. With increased adoption rates, you can be certain that such break ins will happen frequently.
I disagree. The adoption rate for windows that can be smashed open with a trivial effort is nearly 100%, yet break-ins remain infrequent enough that most people will never encounter one. Given that windows are already widespread and that smashing a window remains easier than exploiting a security vulnerability*, we wouldn't see the needle move meaningfully even if these garage doors were widespread.
Your security is only as good as its weakest link. Unless you're reinforcing your doors, putting bars on your
Re: (Score:2)
The reason is maybe that a smashed window creates a noise that in most decent neighborhoods would make your neighbor call the police, while a garage door opening just the way it should will probably not cause that kind of reacion.
Re: (Score:2)
Why the hell do you trust that someone?
You trust that someone to not open your door themselves due to intrinsic desire for them to stay in business and not act like an exit scam in cahoots with thieves.
Now the issue here isn't trust or cloud, it's security. And that isn't out of the ordinary. Most garage door openers are incredibly fucking dumb devices that are trivially spoofed. Kind of like if Masterlock sold padlocks with only 10 different key combinations.
Seriously the remote cloud aspect of a garage door opener is the absolute least of your
Re: (Score:2)
I don't expect the home appliance maker to conspire with burglars, but between them simply locking you out of your home for a bad review [slate.com] and the general state of IoT security being one that is on par with the security levels we had in about 1995, the problem is that your home security is fully dependent on an industry that has not shown so far that trust is something they earned. If anything, repeated incidents have shown that they don't. Now, while it's rare that they simply shut you out of your home (whic
Nexx? (Score:2)
I've had "smart" garage door openers for years, but they've always been using the "MyQ" technology, which LiftMaster and Chamberlain both build into some of their door opener products.
I'm pretty sure they have security vulnerabilities too -- but never even heard of Nexx?
Re: (Score:2)
A quick packet capture of MyQ traffic says it is at least encrypted, appears to be using IPSec.
SimpalTEK LLC (Score:2)
So is this just a chinese manufacturer front name for more insecure junk? Otherwise it is probably a one man operation and can't really do much about this since they probably just stamped their 'Texas' name on some drop-shipped merchandise with a fancy web front.
Also, if you want a secure door - why is the lock on the internet, hell why is it on a network? This crap where
Re: (Score:2)
There is no cloud (Score:5, Insightful)
How lazy can you be? (Score:2)
Despite the marketing of internet connected device manufacturers, all evidence suggests that the level of security is inherently lower for any home safety device connected to the network, and that any convenience does not override this.
Re: (Score:2)
This is the modern equivalent of having a bunch locks of reasonable quality and bitting, and then storing all of the keys in a thin sheet metal enclosure "locked" closed with a three-pin wafer lock, and it's mounted on the wall by hanging it with those slip-on holes down over exposed screw heads where anyone could just lift it up and off of the wall if they tried.
Anywhere in the world... only as long as it's Nexx (Score:2)
Oh Great! (Score:2)
Oh Great! A privacy-giver-upper remote clicker, so you can walk around telling everyone all about yourself!
I predict social media users will buy these and start broadcasting everywhere they go. Assuming you can program it to also say what you had for lunch and include a photo of your cat.
made my own (Score:2)
email sent to nexx owners (Score:2)