Tag Archive for: Ignores

Nexx Ignores Vulnerabilities Allowing Hackers to Remotely Open Garage Doors


Texas-based smart home product provider Nexx appears to have ignored repeated attempts to report serious vulnerabilities that hackers can exploit to remotely open garage doors and take control of alarms and smart plugs.

Nexx offers smart alarms, garage door controllers, and smart plugs, all of which can be controlled remotely from a dedicated mobile application. 

Researcher Sam Sabetan discovered in late 2022 that these products are affected by serious vulnerabilities, and he disclosed the details on Tuesday.

The US Cybersecurity and Infrastructure Security Agency (CISA) has also released an advisory to warn individuals and organizations using Nexx products about the flaws identified by the researcher. The agency said the impacted products are used by commercial facilities worldwide.

Sabetan and CISA said their attempts to report the vulnerabilities to Nexx were ignored. SecurityWeek has also reached out to Nexx for comment.

The researcher discovered five types of vulnerabilities, most of which have been assigned 'high' or 'critical' severity ratings. The list of issues includes the use of hardcoded credentials, authorization bypass flaws that can be leveraged to execute unauthorized actions, information disclosure issues, and improper authentication.

In a real-world attack scenario, an attacker can exploit these vulnerabilities to open or close garage doors remotely over the internet, hijack any alarm system, and turn smart plugs connected to household appliances on or off.

In order to conduct an attack, the hacker only needs the targeted user's device ID, email address, name, or MAC address, depending on the type of device being targeted.

A video demo made by the researcher shows how a hacker can obtain the information of hundreds of users.

“It is estimated that over 40,000 devices, located in both residential and commercial properties, are impacted. Furthermore, I determined that more than 20,000 individuals have active Nexx accounts,” Sabetan explained. 
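The two flaw classes the article dwells on, an authorization bypass where knowing a device identifier is enough to drive someone else's hardware, and an information disclosure that lets an attacker harvest other users' details, share a root cause: the backend authenticates the caller but never checks that the caller is allowed to act on the object it names. The following is an added, illustrative model written for this page; it is not Nexx's code or API, and the device registry, account names and command set are constructed for the demo. It contrasts a command handler that only checks that a device ID exists with one that ties every action to the authenticated account, fails closed, and returns one uniform error so the endpoint cannot be used to enumerate valid device IDs. It also shows the hardcoded-credential anti-pattern beside a per-device secret derivation (a keyed HMAC over the device ID, an assumption chosen for the demo, not the vendor's scheme).

```python
"""Illustrative IoT command backend: vulnerable vs. hardened authorization.

Added example for this page. Not Nexx's code; all data below is constructed.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed registry (assumption for the demo): device ID -> owning account.
DEVICE_OWNERS = {
    "garage-0001": "alice@example.com",
    "garage-0002": "bob@example.com",
    "plug-0007": "alice@example.com",
}

ALLOWED_ACTIONS = {"open", "close", "on", "off"}

# Hardcoded-credential anti-pattern: the same secret baked into every unit.
# Anyone who extracts it from one device can impersonate all of them.
SHARED_FIRMWARE_SECRET = "changeme"  # constructed placeholder value


class AuthorizationError(Exception):
    """Raised for both 'unknown device' and 'not your device'."""


@dataclass
class Session:
    account: str  # assume the user already authenticated (login not modelled)


@dataclass
class Backend:
    state: dict = field(default_factory=dict)

    def vulnerable_command(self, session: Session, device_id: str, action: str) -> str:
        # BUG (the class described in the article): the handler checks only that
        # a device with this ID exists. Any logged-in user who knows or guesses a
        # device ID can open that garage door; a KeyError vs. success also tells
        # the caller which IDs are real, enabling enumeration.
        if device_id not in DEVICE_OWNERS:
            raise KeyError(device_id)
        self.state[device_id] = action
        return action

    def hardened_command(self, session: Session, device_id: str, action: str) -> str:
        owner = DEVICE_OWNERS.get(device_id)
        # Fail closed: the caller must own the device. Use one error for both
        # "unknown" and "not yours" so the endpoint leaks nothing about which
        # IDs exist. compare_digest keeps the check constant-time.
        if owner is None or not hmac.compare_digest(owner, session.account):
            raise AuthorizationError("device not found or not authorized")
        if action not in ALLOWED_ACTIONS:
            raise ValueError(f"unsupported action: {action}")
        self.state[device_id] = action
        return action


def provision_device_secret(device_id: str, fleet_key: bytes) -> str:
    """Per-device secret instead of SHARED_FIRMWARE_SECRET.

    Assumption for the demo: HMAC-SHA256 over the device ID with a fleet key
    that only the vendor's backend holds. Compromising one unit's secret then
    reveals nothing about any other unit's.
    """
    return hmac.new(fleet_key, device_id.encode(), "sha256").hexdigest()


def error_is_uniform(backend: Backend, session: Session) -> bool:
    """True if the hardened handler gives the same error for a device the
    caller does not own and for a device that does not exist at all."""
    messages = []
    for dev in ("garage-0002", "garage-9999"):  # bob's door, then a bogus ID
        try:
            backend.hardened_command(session, dev, "open")
        except AuthorizationError as exc:
            messages.append(str(exc))
    return len(messages) == 2 and messages[0] == messages[1]


def demo() -> dict:
    be = Backend()
    alice, bob = Session("alice@example.com"), Session("bob@example.com")
    result = {}
    # Vulnerable path: Bob opens Alice's garage knowing only its device ID.
    result["vuln_bob_opens_alice_door"] = be.vulnerable_command(bob, "garage-0001", "open")
    # Hardened path: the same request is refused; Alice's own request works.
    try:
        be.hardened_command(bob, "garage-0001", "open")
        result["hardened_bob_refused"] = False
    except AuthorizationError:
        result["hardened_bob_refused"] = True
    result["hardened_alice_closes_door"] = be.hardened_command(alice, "garage-0001", "close")
    result["uniform_error"] = error_is_uniform(be, alice)
    fleet_key = secrets.token_bytes(32)
    result["per_device_secrets_differ"] = (
        provision_device_secret("garage-0001", fleet_key)
        != provision_device_secret("garage-0002", fleet_key)
    )
    return result


if __name__ == "__main__":
    print(demo())
```

The precondition the article states, that an attacker needs only a device ID, email, name or MAC address, is exactly what `vulnerable_command` accepts as sufficient; `hardened_command` makes that knowledge useless without a session for the owning account.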


The Day – Hackers find easy prey as U.S. ignores one warning after another
The ransomware attack that shut down the nation's biggest fuel pipeline prompted an all-too-familiar question in the corridors of power in Washington and boardrooms across the country: Can anyone stop debilitating hacks?

The recent assault on Colonial Pipeline Co. was a particular affront. Not only did it disrupt fuel distribution on the East Coast, it followed an effort by the Biden administration to act against cyber crime — especially ransomware, where criminals remotely disable a computer system and demand payment. Colonial was hit on day 37 of a 60-day push by the Department of Homeland Security to confront such attacks.

The administration’s campaign is the latest in a long series of cyber strategies offered by presidents and lawmakers from both parties to curb hackers. For years, security experts have offered concrete recommendations for governments, companies and other organizations to follow to ward off cyber-attacks, but they’re often ignored, or punted in favor of more pressing concerns.

“There has to be a different way of approaching this if we are going to stop this plague,” said Philip Reiner, chief executive officer of the Institute for Security and Technology. Reiner’s group recently offered 48 actions the Biden administration and the private sector could pursue against ransomware.

While President Joe Biden recently imposed sanctions on Russia over the hack of SolarWinds Corp., the threat of retaliation or prosecution from the U.S. holds little deterrence — at least so far. Many criminal hackers reside in countries that ignore them or tacitly approve of their behavior. Actions to punish state-sponsored hacking groups — including sanctions and indictments — have previously done little to counter the assaults.

The list of recent cyber-attack targets reflects both the sophistication and brazenness of the hackers. In government, the victims include the Department of Homeland Security, the Illinois Attorney General’s Office, even the Washington, D.C., police department. In the private sector, hackers infiltrated big tech companies like Microsoft Corp., the cyber-security firm FireEye Inc., San Diego-based Scripps Health and even the Houston Rockets of the…


The election security hole everyone ignores

Increasing numbers of polling places use electronic devices to check in voters and verify their eligibility. But the devices often create chaos and introduce new vulnerabilities to elections.

US Courts Rep Ignores Everything About The Internet, Says PACER Access Can Never Be Free Because It Costs Money To Operate

Open access to court documents is something we still don't have, thanks to PACER. The creation of PACER was supposed to increase public access, but the government erected a paywall between the public and the documents. To make things worse, PACER's front end is an antiquated nightmare. The system isn't consolidated, so people seeking a document need to know exactly which court it was filed in before they can even start paying $0.10/page for unhelpful search results.

No one who uses PACER likes it. But it's the government's monopoly, so anyone who needs court documents has to use PACER because there is no alternative. The US Court system rakes in $150-200 million a year in fees, but hardly any of that money is being put towards fixing a system that only barely works, and does so in the most begrudging way possible. Lawsuits have been filed and legislation proposed that would give the public free access to court documents, but so far, nothing has changed. PACER is still expensive. And it still sucks.

The sad state of PACER was discussed during a recent Congressional hearing. And it was defended in the worst way possible by the Judicial Conference’s speaker.

Judge Audrey Fleissig of the U.S. District Court for the Eastern District of Missouri also said in testimony before the House Judiciary Committee's Subcommittee on Courts, Intellectual Property, and the Internet that shifting costs away from users without another funding plan would burden courts with new costs.

"Our case management and public access systems can never be free because they require over $100 million per year just to operate," Fleissig said. "That money must come from somewhere."

Everything about Fleissig’s statement is ridiculous.

First and foremost, just because something costs money to operate doesn't mean it can't be free. To use a government example, interstate highways are free to use, yet they cost billions to construct and maintain ($96 billion in 2014 alone). The money does come from "somewhere," as Fleissig correctly notes. It's called taxes. The thing about PACER is that it's funded by both tax dollars and fees. The documents people pay to access are created with the tax dollars that pay the judges, clerks, and every other government employee involved in creating, processing, and posting the documents citizens are then expected to pay $0.10/page to download.

Stepping outside the government, there are countless examples of free services that cost money to run, like Google's search engine... or the numerous browsers people use to run Google searches. Every search engine (and I'm including Bing here) runs better than PACER's internal search engine, and none of them charges users $0.10/page for search results. And then there's email, cloud storage, social media platforms, web-based apps, job-hunting services, classified ad sites, blogging platforms, mobile games, YouTube... a whole internet full of services that cost money to create and support, all at no cost to the user.

But that's only part of the ridiculousness. Insisting that it takes $100 million to run PACER is bogus. The US Courts system may spend $100 million doing it, but that doesn't mean it couldn't be done more efficiently for less money. A bureaucracy claiming it spends every cent of its budget on something shouldn't be taken as evidence that the thing actually requires that much funding to accomplish. Government budgets are things to be spent, not areas of concern where less-costly options might be explored. The process does not lend itself to efficiency, since the only thing efficiency accomplishes is less money being appropriated in the next fiscal year.

While there are the salaries of support staff to consider, the bulk of the claimed expense is processing and hosting of PDFs and digital court dockets. The internet is built for this kind of thing and there are any number of options that would reduce costs and increase user-friendliness… all while giving away PDFs and docket listings for free. The system doesn’t necessarily need to be privatized, but perhaps it should be outsourced to vendors that specialize in all the problems PACER has failed to solve for nearly two decades.

And here’s another partial solution — one inadvertently stumbled upon by the US Courts itself:

Approximately “87 percent of all PACER revenue is attributable to just 2 percent of users—large financial institutions and major commercial enterprises that aggregate massive amounts of data for analysis and resale,” the Administrative Office of the U.S. Courts said.

Well, if that's the case, the largest users can subsidize everyone else. Give every account a free allowance of 5,000 pages a month and let those who need more pay for unlimited access. It seems like that top 2 percent of users could easily guarantee free access for everyone. And if anyone else wants "value-added" access to the court document system (maybe some sort of fire-hose feed), they can pay for it. Those who just want to find relevant case documents can still muddle their way through PACER's broken system to find them, without having to pay the government for documents they haven't even managed to find yet.


Techdirt.