Smart Garage Company Fixes Vulnerability by Breaking Customers' Devices

A smart garage company has taken a scorched earth approach to cybersecurity, by disabling internet access to its smart lock devices, according to multiple posts on social media by impacted customers. The news comes after Motherboard reported a security researcher found serious issues in the company’s smart locks that allowed hackers to remotely openly garages anywhere in the world across the internet, potentially exposing customers to theft.

“It has come to our attention of a potential internet security vulnerability with the following products: Nexx Garage, Nexx Gate, and Nexx Plug,” an email sent by the company, called Nexx, to customers, reads according to a post on Hacker News. A member of a Facebook Page for Nexx customers wrote a post saying they received a similarly worded email. “As we examine the issue, we are taking proactive action by temporarily disabling internet access remote control” for the products, the message continues.

Instead customers can control their smart locks by Bluetooth, which allows them to be opened within 30 to 50 feet, the message adds.

“I have two NXG100 units that both stopped working at the same time last night.  I disconnected power and reconnected just to see if that would reset it.... that didn't work,” one impacted customer wrote on the Nexx Community Facebook page. “If they don't address their security vulnerabilities, it might be time to move onto another product,” the customer added in another post.

It also appears Nexx has removed items for sale from its website after Motherboard's coverage.

“Completely remote. Anywhere in the world,” Sam Sabetan, the security researcher who found the issues, previously told Motherboard, describing the hack.

In its message to customers Nexx claimed it took “proactive” action. But Sabetan warned Nexx about these vulnerabilities for months in an attempt to responsibly disclose them, according to an email Sabetan shared with Motherboard. On top of that, Motherboard has contacted Nexx about them for weeks. Sabetan said the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) told him it had also attempted contact with Nexx. CISA published its own advisory about the issues on Tuesday.

It appears Nexx actively ignored Sebetan’s warnings. When he didn’t receive a response, he contacted Nexx’s support email and this time said he was looking for help with his own Nexx product. Nexx replied to that email.

“Great to know your support is alive and well and that I’ve been ignored for two months,” Sabetan replied. Please respond to ticket [ticket number,” he wrote, referring to his vulnerability report.

Nexx never did. Sabetan then shared details of the issue with Motherboard, and we published an article discussing them on Tuesday. Only after that did Nexx take steps to mitigate the security risk posed to its customers.

Nexx did not respond to multiple requests for comment sent on Thursday.

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.