Researchers found numerous security flaws in various Nuki Smart locks. Exploiting the vulnerabilities could affect the smart locks’ confidentiality, integrity, and availability.
Nuki Smart Locks Flaws
According to an advisory from the NCC Group, their researchers found eleven different security flaws in Nuki Smart Lock and Bridge products.
Nuki Smart Locks offer keyless security mechanisms that recognize the users’ mobile device for unlocking. The lock opens upon detecting a known mobile device approaching near, hence ditching the need for manual commands. In addition, the locks also empower the users to monitor lock status via their smartphones, manage access permissions as needed, and more.
These explicit functionalities are not only useful, but can be dangerous if exploited negatively. That’s what the NCC Group suggests in its latest discovery.
List Of Vulnerabilities:
Specifically, the researchers found the following eleven bugs riddling with the locks’ confidentiality, integrity, and availability.
- CVE-2022-32509 (CVSS 8.5): The lack of SSL/TLS validation for the network traffic risked MiTM attacks.
- CVE-2022-32504 (CVSS 8.8): stack overflow vulnerability in the code parsing JSON objects received from the SSE WebSocket could allow arbitrary code execution attacks.
- CVE-2022-32502 (CVSS 8.0): a stack buffer overflow affecting the HTTP API parameter parsing logic code could allow an adversary for arbitrary code execution.
- CVE-2022-32507 (CVSS 8.0): insufficient access controls in the Bluetooth Low Energy (BLE) Nuki API allowed unprivileged users to send high privileged commands to the Smart Lock’s Keyturner.
- CVE-2022-32503 (CVSS 7.6): Exposed JTAG hardware interfaces in Nuki Fob and Nuki Keypad allowed an attacker to manage code execution on the device using the JTAG’s boundary scan. Exploiting this vulnerability could also allow the adversary to debug the firmware and modify the internal and external flash memory.
- CVE-2022-32510 (CVSS 7.1): An HTTP API in the Nuki Bridge provided the admin interface via an unencrypted channel, thus exposing the communication between the client and the API. An attacker with local access to the network could intercept the data.
- CVE-2022-32506 (CVSS 6.4): Exposed SWD hardware interfaces in the Nuki Bridge and Nuki Smart Lock could allow an attacker with physical access to the device to debug the firmware, control the execution of codes, and read or modify the contents of the flash memory.
- CVE-2022-32508 (CVSS 6.5): An unauthenticated attacker could use maliciously crafted HTTP packets to induce a denial of service state in the target Nuki Bridge device.
- CVE-2022-32505 (CVSS 6.5): An unauthenticated attacker could use maliciously crafted BLE packets to induce a DoS state on the target Nuki Smart Lock devices.
Other Low-Risk Flaws In Nuki Products
- Insecure invite key implementation (CVSS 1.9): The Invite token for the Nuki Smart Lock apps were used to encrypt and decrypt the invite keys on servers. Hence, an attacker accessing the server could also access sensitive data and impersonate users.
- Overwriting opener name without authentication (CVSS 2.1): insecure implementation of the Opener BLE characteristics could allow an unauthenticated attacker to change the BLE device name.
Patches Deployed
After discovering the bugs, the researchers informed the vendors about the matter, following which, Nuki deployed patches. The researchers have confirmed that the vendors have deployed the fixes across Nuki Smart Lock, Nuki Bridge, Nuki Smart Lock app, and other affected products with the latest updates. Hence now, all users should update their respective Nuki smart devices with the latest updates to receive the patches.