It's this easy to seize control of someone's Nexx 'smart' home plugs, garage doors

A handful of bugs in Nexx's smart home devices can be exploited by crooks to, among other things, open doors, power off appliances, and disable alarms. More than 40,000 of these gadgets in residential and commercial properties are said to be vulnerable after the manufacturer failed to act. After the Internet-of-Things biz …

  1. b0llchit Silver badge

    Where is the product liability

    ...issued an advisory due to the lack of support from the manufacturer.

    Shouldn't this be called criminal negligence? The C-suite should be personally liable for this crap.

    1. John Brown (no body) Silver badge

      Re: Where is the product liability

      Under current EU and UK consumer law, this may well be a "manufacturing defect" and allow owners to return them to the retailer for repair, replace or refund if less than two years old or a partial refund if 2-5 years old assuming repair or replace isn't an option. Unless the manufacturer provides a firmware update to remove the defects. If any of the marketing, advertising or user manuals refer to anything like "secure login" or mentions "secure" almost anywhere, that's a good place to start with reference to "of merchantable quality" or "as described". IANAL, if taking on the retailer or manufacturer, do your own research and/or get proper legal advice :-)

    2. TeeCee Gold badge

      Re: Where is the product liability

      My guess:

      They've looked at the cost of fixing all this, the loss of sales from the bad publicity and the existing, unfunded, running costs for their servers. They've decided that now is the right time to execute plan B; take all the remaining cash and run for it.

      (We need an IoT/Ponzi scam icon).

      1. I could be a dog really Bronze badge

        Re: Where is the product liability

        Keep an eye out for the "end of support" announcement ...

  2. Howard Sway Silver badge

    the manufacturer didn't respond to our requests

    Perhaps someone remotely turned off their email server.

  3. Flak

    Elementary, Watson!

    Why, why why?!!! Hard coded credentials?

    Because security is still not taken seriously by some. Agree with b0llchit that there should be some financial consequences for the manufacturer.

    1. Michael Wojcik Silver badge

      Re: Elementary, Watson!

      The problem is that financial consequences mostly aren't consequential. If the fines are small, the company shrugs them off. If they're large, it declares bankruptcy, parachutes out the officers, and the remnants are bought up by a competitor. Many of the employees suffer, including perhaps some of the responsible developers, but not the people calling the shots.

      In cases of extreme negligence like this we need the courts to pierce the corporate veil and hold officers to account. I'm not worried about any "chilling effect" on business or innovation; corporatist culture has no shortage of adherents who will be happy to take their place.

      1. Doctor Syntax Silver badge

        Re: Elementary, Watson!

        "it declares bankruptcy, parachutes out the officers"

        If it's a listed company the shareholders might sue the management.

        The longer term advantage, however, is that even the most recalcitrant board might start to take notice, realise that it can be a threat and start looking at their own products and processes.

      2. nintendoeats Silver badge

        Re: Elementary, Watson!

        I think innovation could do with some chilling. A few years of stability would be nice.

    2. Terry 6 Silver badge

      Re: Elementary, Watson!

      This sounds like they opted for an easy to use set of remote switches for stuff, but without bothering to make it secure. Like a remote control version of having a button on the garage wall so you can open it when you want to get the car out, but without a lock to keep strangers out.

    3. ian 28

      Re: Elementary, Watson!

      I’ve worked in several places where the deadlines are dictated by management and not by how long I and my fellow devs say things will take. In these cases we’re forced to do bodge jobs and take shortcuts. They often don’t care if it’s a complete bodge job under the hood as long as it looks ok on the surface.

      I’m always sure to use a CYA Note though (an email explaining I’m being forced to do something improperly and explaining the consequences)

      1. Killfalcon

        Re: Elementary, Watson!

        The most useful bit of my CS degree course was the Business Realities module. It was 50/50 split between hilarious specification failures and advice on how to interact with corporate structures. I very clearly recall the lecture on CYA Notes, twenty years after.

  4. alain williams Silver badge

    If you live in the UK

    You can get it repaired under the Consumer Rights Act 2015. However, since I suspect that a fix will never be forthcoming, ask for your money back from the retailer.

    I wish that many people would do this because it will make the retailers only sell goods from reputable manufacturers who have a good history of: a) selling stuff that works; b) providing fixes for things like this. Currently many retailers sell whatever is cheap and try to fob off consumers when things are found to be faulty.

    1. Andy Non Silver badge

      Re: If you live in the UK

      I suspect most consumers will never know their kit is vulnerable and will carry on using it regardless, unless things hit the fan or there is huge publicity about the failings of the kit.

    2. DS999 Silver badge

      Re: If you live in the UK

      it will make the retailers only sell goods from reputable manufacturers who have a good history of ...

      So they will only sell products from major OEMs and the next Nest or iRobot type startup will never get a foot in the door because retailers would be justifiably afraid to offer products from a small OEM with no track record who might declare bankruptcy rather than fix something that would cost too much leaving retailers holding the bag for refunds.

      Sorry but I don't see holding the retailer liable as a viable fix.

      1. skwdenyer

        Re: If you live in the UK

        It doesn’t matter whether you like it or not; the law already exists :)

        Perhaps retailers might start buying insurance to protect themselves, and/or insisting manufacturers do likewise.

        Product liability isn’t a new concept. But tech sometimes just likes to hide behind a “software isn’t guaranteed to be bug-free” line somewhere & we’ve all-so-readily bought into the idea.

        1. nobody who matters

          Re: If you live in the UK

          ".............Product liability isn’t a new concept............."

          It does sometimes appear to some of us who don't live there, that it is an alien concept to large swathes of corporate USA.

          As far as the article goes, any truly smart home, will not have any 'smart' devices in it ;)

      2. John Brown (no body) Silver badge

        Re: If you live in the UK

        "Sorry but I don't see holding the retailer liable as a viable fix."

        That's how the law stands. The customer's contract is with the retailer, no matter what any included "warranty cards" in the box might say. The manufacturer may have no presence in the local country, so how is the customer supposed to get any sort of warranty service if not from the retailer?

      3. sten2012

        Re: If you live in the UK

        It's just corporate risk shifting, like everything.

        Retailer fights it, but ultimately they should have done their due diligence that this is covered by the manufacturer's, or more likely in this case the importer's, insurance in the UK. The importer's insurance then carries that on overseas to the manufacturer etc. Either they have, or need to learn, that lesson in retail.

        Start-ups should have the same insurance, so they can shift the risk off the retailers, and the insurers should be doing more due diligence too, so that they shouldn't have to pay out because this stuff should be secure in the first place, by demanding reports from third party pentesters; if those reports are misleading then their professional liability kicks in... It looks inefficient on first glance, but when the efficient option involves marking your own homework or having to sue people outside of legal reach, it starts to suddenly look much better for the ol' consumers.

        The failure for anyone to give a crap about this structure is what leads to this mess - retailers pushing crap not caring what the state of it is and no real means themselves to check it, and the manufacturer knowing they can stonewall and file bankruptcy after draining the funds out year on year so the companies are always carrying no spare cash.

        Ultimately the retailer needs some comeuppance so they start putting some thought in and get the whole chain involved.

        That doesn't block people from entering the market.

        The other option is criminal prosecution which I don't hate the idea of but even if it exists it would be hard to prove this negligence, or lack thereof in cases where best efforts really were made. Either guilty parties generally walk free, or people that really tried are prosecuted for cases they shouldn't be.

        Personally, I think there is room for both but it starts with retailer responsibility as the baseline course of action

        1. I could be a dog really Bronze badge

          Re: If you live in the UK

          it would be hard to prove this negligence

          In general yes, but hard coded credentials - that's a slam dunk as our US friends would say.

          In fact, of those listed, I'm not sure any of the weaknesses would be something that could be defended as having made best efforts - they really are from the "basics of device security 101, chapter 1".

  5. Pascal Monett Silver badge

    "vulnerable Nexx smart home products use hard-coded credentials"

    Also known as : hacker paradise.

    And the company isn't responding to any questions, official or otherwise ? Well duh, the CEO is busy packing the suitcase with the contents of the cash register and bank account.

    He has an urgent meeting in Madagascar, you see.
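Several commenters above single out the hard-coded credentials as the "security 101" failure. The check a tester actually runs against a device like this is a strings-plus-pattern scan of the firmware dump or the companion app, followed by a comparison across two units: a secret that is identical in every unit is hard-coded, and whoever extracts it from one device holds it for the whole fleet. The scanner below is an added example written for this page; it is not Nexx's code and nothing in it comes from the article or the advisory. The two "images" are constructed byte strings standing in for dumps from two units of one product, and every key name, host (`api.example.invalid`), value and threshold in it is made up for the example.

```python
"""
Embedded-credential scanner for firmware images and app binaries.

Added example, not Nexx's code. IMAGE_A and IMAGE_B below are constructed
stand-ins for firmware dumps from two units of the same product; the keys,
host, passwords and tokens in them are invented for this example.
"""
import base64
import math
import re
from collections import Counter
from dataclasses import dataclass, field

# Printable ASCII runs of 6+ chars, the same thing `strings -n 6` emits.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")

# key=value / key: value where the key name smells like a secret.
# The keyword list is a heuristic; extend it for the target under test.
KEY_VALUE = re.compile(
    r"(?i)([\w.-]*(?:user|pass|pwd|secret|api[_-]?key|token)[\w.-]*)"
    r"\s*[=:]\s*['\"]?([^\s'\";,]{4,})"
)
# scheme://user:pass@host : credentials baked into a connection URL.
URL_USERINFO = re.compile(
    r"(?i)\b([a-z][a-z0-9+.-]*)://([^\s:/@]+):([^\s/@]+)@([^\s/:]+)"
)
# A canned HTTP Basic header; the base64 decodes straight to user:pass.
BASIC_AUTH = re.compile(r"(?i)\bAuthorization:\s*Basic\s+([A-Za-z0-9+/=]{8,})")
# Long runs of key-like characters ('=' excluded so key=value pairs stay split).
TOKEN_RUN = re.compile(r"[A-Za-z0-9+/_-]{24,}")


@dataclass
class Finding:
    kind: str      # key_value | url_userinfo | basic_auth | high_entropy
    string: str    # the printable run the secret was found in
    secret: str    # the value an attacker would reuse
    detail: dict = field(default_factory=dict)


def extract_strings(blob: bytes) -> list:
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def shannon_entropy(s: str) -> float:
    """Bits per character: random hex is ~4.0, identifiers and prose lower."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan(blob: bytes) -> list:
    findings = []
    for s in extract_strings(blob):
        for m in KEY_VALUE.finditer(s):
            findings.append(Finding("key_value", s, m.group(2), {"key": m.group(1)}))
        for m in URL_USERINFO.finditer(s):
            findings.append(Finding("url_userinfo", s, m.group(3),
                                    {"scheme": m.group(1), "user": m.group(2), "host": m.group(4)}))
        for m in BASIC_AUTH.finditer(s):
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                continue
            findings.append(Finding("basic_auth", s, decoded))
        for m in TOKEN_RUN.finditer(s):
            ent = shannon_entropy(m.group())
            # Heuristic cut-off: long identifiers can exceed it too, so triage by hand.
            if ent > 3.5:
                findings.append(Finding("high_entropy", s, m.group(), {"entropy": round(ent, 2)}))
    return findings


def shared_secrets(images) -> set:
    """Secrets present in every image. A value common to all units is not a
    per-device credential but a hard-coded one: dumping one device (or one
    copy of the app) yields it for every device in the fleet."""
    sets = [{f.secret for f in scan(img)} for img in images]
    return set.intersection(*sets) if sets else set()


def _image(unit_id: str, token: str) -> bytes:
    """Constructed stand-in for a firmware dump: binary junk around config strings."""
    return (
        b"\x7fELF\x02\x01\x01" + b"\x00" * 9
        + b"device boot ok\x00"
        + b"unit_id=" + unit_id.encode() + b"\x00"            # differs per unit
        + b"broker_user=acme-iot-shared\x00"                  # same in every unit
        + b"broker_pass=Sup3rS3cretShared!\x00"               # same in every unit
        + b"https://svc:p%40ssw0rd@api.example.invalid/v1\x00"  # same in every unit
        + b"Authorization: Basic dXNlcjpwYXNz\x00"            # same in every unit
        + token.encode() + b"\x00"                            # per-unit token
        + b"\xde\xad\xbe\xef" * 8
        + b"firmware v1.2.3 build 42\x00"
    )


IMAGE_A = _image("0001-A", "a3f9c2e84b1d7e60f5c4a9b2d8e1f7c3")
IMAGE_B = _image("0002-B", "0f1e2d3c4b5a69788796a5b4c3d2e1f0")

if __name__ == "__main__":
    for f in scan(IMAGE_A):
        print(f"{f.kind:13} {f.secret!r:40} in {f.string!r}")
    print("hard-coded across units:", sorted(shared_secrets([IMAGE_A, IMAGE_B])))
```

Run it as-is and the per-unit tokens drop out of the `shared_secrets` result while the broker login, the URL password and the Basic header remain: those four are the findings that turn "there is a secret in this dump" into "every customer's device accepts the same secret", which is the failure the thread is complaining about. Point `scan()` at a real dump by reading the file into `bytes`; expect to widen the keyword list and to triage the high-entropy hits by hand.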

  6. ecofeco Silver badge

    I never get tired of saying it

    So? How's that cloud thing working for ya?

    1. simonlb Silver badge

      Re: I never get tired of saying it

      Not very well. And until there is a specific, inherently secure and fully security focused IoT protocol developed, tested and adopted as the industry standard so that every device is completely vendor agnostic and works flawlessly with all other devices using the same protocol, it will never work either securely or reliably.

      They spend more time on designing the UI for their 'App' to manage their crap devices than they do in seeing how secure they are. And they never will be without the correct protocol to use.

      1. Anonymous Coward

        Re: I never get tired of saying it

        "fully security focused IoT protocol"

        Not my line, but: Always remember, the "S" in "IoT" stands for "security"!

  7. sarusa Silver badge

    US Company

    Looking at their website, they brag about how they're a US company with 'smart engineers' who are 'experts in IoT' (lawl).

    But that cuts both ways - If they were a Chinese company making IoT stuff this complete lack of security would just be working as expected, but instead people are actually upset about it.

  8. Anonymous Coward

    A US Company?

    More likely it's a PO Box and front company/US hosting server held by a Chinese company that sacked all its staff and just carried on manufacturing junk up until they go under and vanish.

    1. Grinning Bandicoot

      Re: A US Company?

      The company selling the product is local and can prove it by all the stored shipping containers from the PRC. Mostly assembled with final assembly being MADE IN USA decal.

  10. unaware

    Is it a coincidence that this Sam works for Amazon? A dinosaur company with huge stakes in IoT and smart home, trying to crush small companies that cannot afford millions for security? Perhaps Amazon wants their product by an easy takeover after their declaration of bankruptcy? Perhaps The Register can elaborate on this?

    1. seldom

      You forgot the troll icon.

  11. Anonymous Coward

    Ya pays ya money

    Ya takes ya chances

    1. Anonymous Coward

      Re: Ya pays ya money

      Ya pays ya money, ya go for that so smart and convenient IoT crap?

      Ya get screwed.

  12. Anonymous Coward

    The Cloud

    Other peoples computers you have no control over

  13. Anonymous Coward

    Remote Control Lights

    I have a supermarket sourced light in my front room. Has a remote control to turn it on and off.

    I decided to add it to my "Home Assistant" home automation setup. Zero security. Now I don't only turn my lights on and off, but also one of my neighbours'. And someone's doorbell....

    1. John Brown (no body) Silver badge

      Re: Remote Control Lights

      I remember years ago when my MIL bought a wireless doorbell and asked me to fit it. It had only 3 channel options. Tried Ch. 1 and the neighbour next door, who had recommended it to her, came out wondering who was at her door. Tried Ch. 2 and another neighbour, two doors down the other way, came to the door. Last chance, tried Ch. 3 and a neighbour across the road came to his door, wondering who had rung his bell. Took it back to the shop and had a bit of an argument convincing the shop assistant that no, it was useless since it could not be set to a channel that didn't ring other people's door bells. "We've sold loads of them and no one ever brought one back before," she tells me. LOL, well expect more if you sell lots of them.

      It's just as well I was installing at the weekend when the neighbours were at home. If I'd done it mid-week, it might have been days, weeks, even months of confusion and hilarity in that street before anyone twigged :-) Absolutely no security of any kind in this case. And the bell push could operate any bell, with a 1 in 3 chance of already being on the correct channel. Great for kids playing knocky door neighbours with far less chance of being caught!

  14. Anonymous Coward

    Big Picture Missing........

    Another detailed article about "security" which fails to address some real issues:

    (1) Does the smartphone "app" require a customer to create login details on a "cloud" server?

    (2) If "yes", then the server environment is a serious security risk

    (3) If "no", then presumably all customers look the same on the internet

    Either way, the IoT environment described here is a security nightmare.

    Six years ago I bought a Linksys EA7500 WiFi router. This device required me to create an account on a Linksys server somewhere. You know, name, address, etc....plus my IP address available to Linksys during the creation process. I eventually found a way of configuring the router COMPLETELY OFF THE INTERNET......but this required a series of pretty unnatural acts! My take on this story is simple.....Linksys made it impossible for ordinary users to configure the router WITHOUT DISCLOSING PERSONAL INFORMATION. I wonder why!! In the end I reset the router to "factory settings" and gave it to the local charity shop.

    This news item......six years later......a different manufacturer.......has exactly the same character. Why does El Reg focus on the detail......and never mention the big picture?

    1. Anonymous Coward

      Re: Big Picture Missing........

      Whether the server is or isn’t in “the cloud” is irrelevant. There is piss poor security everywhere.

      You configured a WiFi router off THE INTERNET, and then connected it TO THE INTERNET, thus enabling all the back doors and default login / passwords that you didn’t know about.

  15. L3

    IOT == Internet Of Tat

    See title

    1. xyz Silver badge

      Re: IOT == Internet Of Tat

      I use LoRaWAN to receive my IoT data and throw the data via https to my model bound web services. It's all a bit restrictive (3 huge device codes to register for each device) but it works fine.

      I cringe though when I see all those ads on the telly for home security set ups that are using zigbee or similar in small flat environments and wonder how many passwords are 12345678.

      1. J. Cook Silver badge

        Re: IOT == Internet Of Tat

        That's the same combination as my luggage!

  16. Ken Moorhouse Silver badge

    This is a real hot potato

    Or not, if it were to be driving my Slow Cooker.

  17. sten2012

    Government should probably seize all their IP and open source it as penalty so the customers aren't screwed.

    Never happen though..
