6

Open Garage Doors Anywhere In the World By Exploiting This 'Smart' Device - Slas...

 1 year ago
source link: https://it.slashdot.org/story/23/04/05/2022251/open-garage-doors-anywhere-in-the-world-by-exploiting-this-smart-device
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.

Open Garage Doors Anywhere In the World By Exploiting This 'Smart' Device

Do you develop on GitHub? You can keep using GitHub but automatically sync your GitHub releases to SourceForge quickly and easily with this tool so your projects have a backup location, and get your project in front of SourceForge's nearly 30 million monthly users. It takes less than a minute. Get new users downloading your project releases today!Sign up for the Slashdot newsletter! or check out the new Slashdot job board to browse remote jobs or jobs in your area.
×
An anonymous reader quotes a report from Ars Technica: A market-leading garage door controller is so riddled with severe security and privacy vulnerabilities that the researcher who discovered them, Sam Sabetan, is advising anyone using one to immediately disconnect it until they are fixed. Each $80 device, used to open and close garage doors and control home security alarms and smart power plugs, employs the same easy-to-find universal password to communicate with Nexx servers. The controllers also broadcast the unencrypted email address, device ID, first name, and last initial corresponding to each one, along with the message required to open or shut a door or turn on or off a smart plug or schedule such a command for a later time. The result: Anyone with a moderate technical background can search Nexx servers for a given email address, device ID, or name and then issue commands to the associated controller. (Nexx controllers for home security alarms are susceptible to a similar class of vulnerabilities.) Commands allow a door to be opened, a device connected to a smart plug to be turned off, or an alarm to be disarmed. Worse still, over the past three months, personnel for Texas-based Nexx haven't responded to multiple private messages warning of the vulnerabilities. "Nexx has consistently ignored communication attempts from myself, the Department of Homeland Security, and the media," Sabetan wrote in a post published on Tuesday. "Device owners should immediately unplug all Nexx devices and create support tickets with the company requesting them to remediate the issue." Sabetan estimates that more than 40,000 devices, located in residential and commercial properties, are impacted, and more than 20,000 individuals have active Nexx accounts.

Are garage doors "smart" now? Was there something wrong with my system of driving up and hitting the remote hanging from my sun visor? Is this a deal where for some reason I want to involve the internet in opening and closing the garage door? I swear, i feel like we are getting dumber as a species by the day.

Re:

Ever since I took a dive into SDR, my garage door has a handle that I can turn to move a steel bolt from its concrete socket, locked by a pin tumbler with a magnet key.

The more I know about electronic locks, the less I am inclined to trust them.

Yeah..... it's part of the "smart home" automation thing, really. Believe it or not, there are good things about the tech, vs the "dumb" stuff using your remote on your visor.

Primarily? The standard door opener doesn't report back if it's open or closed to the device sending commands to it. (So you get situations like used to happen with me and my wife, where we'd both get home at about the same time after work. I'd press the door opener to open the door to the 2 car garage, and as I was going in? She'd come up the alley from the main road and hit the button, so the door would be open by the time she got to the driveway. That would cause the door to start closing on me.)

Auto makers like Tesla are starting to support the "smart" door opener standard "MyQ" now so there's no more button on the visor to deal with. Instead, the car can send the command to open your door automatically when you get within X number of feet of it and can close it for you as you drive off. But it's also able to be smart about it, so it won't send the command to open if you're driving up to your garage and the door is already left open....

  • the button may be an dumb change button and not 2 buttons with down and up as there own thing

  • Primarily? The standard door opener doesn't report back if it's open or closed to the device sending commands to it. (So you get situations like used to happen with me and my wife, where we'd both get home at about the same time after work. I'd press the door opener to open the door to the 2 car garage, and as I was going in? She'd come up the alley from the main road and hit the button, so the door would be open by the time she got to the driveway. That would cause the door to start closing on me.

    That's not an argument for adding the internet and a remote server into the requirements for a garage door control. That only proves that your original system was poorly designed. "Open the door" and "close the door" should be separate commands - not the toggle of a single command. This could easily still be handled by a closed, fully local system.

    Companies that unnecessarily complicate local processes and involve their remote systems in those processes are almost certainly collecting and selling data about you to someone. And, as a thank you for your data, they are compromising your home's security.

    • Re:

      Well, the original system was poorly designed and somebody decided that while rectifying it, they may as well go on and wifi enable it and make it "connected" for the sake of being a part of a "smart house".

      You might say that's unnecessarily complicated.... but I'd say it's still a valid invention that SOME people will want. Among other things, I don't have to leave an opener button sitting in my vehicle where anyone could steal it and gain access to my garage. I can use the app on my phone to open my gar

      • Re:

        Sure. The people who like to track what time you usually get home and what time you usually leave in the morning for the purpose of aggregating that data with other data from your smart home in order to better market to you.

        • Re:

          And I care why? If I am getting home late every night, and suddenly I see ads for food delivery services, maybe that ad might be useful to me. I am going to be force fed an ad anyway, it might as well be a potentially useful one.

          (I personally run 2 ad blockers, and do not use a garage door opener.)

          My GF loves her smart garage door opener, as she always has her phone on her, and doesn't carry the door remote when walking the dogs. Entering through the garage is much easier for her 3 legged dog.

      • Re:

        You have to balance the risks in the attack scenario.
        Scenario (A) someone breaking your car window just to steal the remote control so they can enter your house without breaking the door: low probability (there are better scenarios to rob a house assuming a bad actor knows your address and just saw your car is out of the house).
        Scenario (B) Probability of the internet-controlled garage door to include backdoors, hardcoded passwords, unpatched vulnerabilities, unsupported OS versions: in excess of 100%. You

        • Re:

          Scenario A is incorrect.

          Scenario A is - someone breaks into and/or steals your car for any number of reasons. (Not to specifically get your garage door opener). While committing that crime, they discover they have your address and garage door opener, and decide to commit another one.

          You also forgot Scenario C -
          without the tech, we sometimes forget to close the garage door in the evening after bringing in the groceries or camping equipment and someone wandering by could grab a bike or tools.

          Scenario C is wel

          • Re:

            No. the most likely scenario is that someone owns a modern, fairly high-tech car that is especially vulnerable to auto theft because its internal security system is so faulty that a thief can exploit that very system to start the car, and once the thief knows where the car is parked at night, uses the ability to open the garage door through a script in order to gain access to the car to facilitate stealing it.

            Someone looking to steal a $50,000 car either to try to smuggle it out of the country or to cut it

    • Re:

      well mr snooty wagon has chimed in, never mind the humble garage door opener has a bistable device for half a century now, lets listen to the "expert" by providing an unnecessary complicated local process in which they have obviously never used

  • Re:

    My door has a light source on one side and a photocell on the other to check for obstructions between the tracks and won't close if anything is blocking it.

    I'll pass on having any of my doors connected to the internet.

    • Re:

      That wouldn't help you if you are in a truck/SUV that has ground clearance until your tire hits the sensor. If it started closing as you were just a couple feet from entering, you could easily hit the door with the windshield before the door stops and starts reversing from your front tire triggers the optical sensor. And don't just say, well move the sensor up higher, because if you did that your door wouldn't detect if someone fell and was knocked out across the threshold of the garage door (or toddler, or

      • Re:

        Don't need a truck for that. Even at bumper height on my car a person could lay under the beam. The door is already pretty good at reversing if it hits something anyway (this force is adjustable). I've let it come down on my foot. It does not hurt. Would probably scratch paint on the car though, so I have the sensors set to protect the car.

        Might be possible to add a second set of sensors if this was a big worry to you. Have never checked.

      • Re:

        30 years ago I was closing the garage door at my parents house and the cat ran in at the last moment and got squished by the closing door, the door instantly stopped and reversed. cat unharmed (she hissed at it and came to me for pettin's)

        its standard basic shit for a garage door opener even before optical sensors, hell my new one I can bump with my hand and it reverses

  • Re:

    The safety sensors are suppose to detect that situation and immediately stop, so you should get that fixed. Also, tell your wife to SEE if the door is actually closed/open before randomly pressing the button.

  • Re:

    The reason Tesla is supporting MyQ is because they stopped installing HomeLink by default. HomeLink is the standard for regular garage door openers that lets you program any compatible remote to work with your opener. Many cars have built-in Homelink openers, always with three buttons to control three different doors. Why three? Because Homelink doesn't license the technical details, they sell a chip that implements it. With MyQ, they let you integrate it at the software layer, so no extra hardware is


report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK