Numerous Nuki Smart locks have security weaknesses, according to researchers. The availability, confidentiality, and integrity of the smart locks could all be impacted by exploiting the flaws.
Nuki Smart Locks Flaws
The Nuki Smart Lock and Bridge devices contain eleven different security issues, according to an assessment from the NCC Group.
Keyless locking systems provided by Nuki Smart Locks can be unlocked by users’ mobile devices. The lock unlocks automatically when it detects a known mobile device getting close, negating the need for manual commands.
Additionally, the locks give users the ability to adjust access permissions as necessary, monitor lock status via their smartphones, and more.
These explicit functionalities are not only advantageous but also risky if improperly used. In its most recent discovery, the NCC Group makes this suggestion.
List of Vulnerabilities:
The researchers precisely identified the eleven issues that jeopardise the secrecy, availability, and integrity of the locks, which are given below.
CVE-2022-32509 (CVSS 8.5): The lack of SSL/TLS validation for the network traffic risked MiTM attacks.
CVE-2022-32504 (CVSS 8.8): stack overflow vulnerability in the code parsing JSON objects received from the SSE WebSocket could allow arbitrary code execution attacks.
CVE-2022-32502 (CVSS 8.0): a stack buffer overflow affecting the HTTP API parameter parsing logic code could allow an adversary for arbitrary code execution.
CVE-2022-32507 (CVSS 8.0): insufficient access controls in the Bluetooth Low Energy (BLE) Nuki API allowed unprivileged users to send high privileged commands to the Smart Lock’s Keyturner.
CVE-2022-32503 (CVSS 7.6): An attacker could manage code execution on the device by leveraging the JTAG’s boundary scan thanks to exposed JTAG hardware ports in the Nuki Fob and Nuki Keypad. The adversary might be able to debug the firmware and alter the internal and external flash memory by taking advantage of this vulnerability.
CVE-2022-32510 (CVSS 7.1): An unencrypted channel was used by an HTTP API in the Nuki Bridge to deliver the admin interface, making the conversation between the client and the API visible. The information might be intercepted by a network attacker with local access.
CVE-2022-32506 (CVSS 6.4): Due to exposed SWD hardware interfaces in the Nuki Bridge and Nuki Smart Lock, an attacker with physical access to the device may be able to debug the firmware, control the execution of programmes, and read or modify the contents of the flash memory. CVE-2022-32508 (CVSS 6.5): An unauthenticated attacker could use maliciously crafted HTTP packets to induce a denial of service state in the target Nuki Bridge device.
CVE-2022-32505 (CVSS 6.5): An unauthenticated attacker could use maliciously crafted BLE packets to induce a DoS state on the target Nuki Smart Lock devices.
Other Low-Risk Flaws In Nuki Products
Insecure invite key implementation (CVSS 1.9): The Invite token for the Nuki Smart Lock apps were used to encrypt and decrypt the invite keys on servers. Hence, an attacker accessing the server could also access sensitive data and impersonate users.
Overwriting opener name without authentication (CVSS 2.1): insecure implementation of the Opener BLE characteristics could allow an unauthenticated attacker to change the BLE device name.
The researchers notified the vendors of the issues after they were found, and Nuki then released patches. Researchers have verified that the vendors have updated all affected devices, including Nuki Smart Lock, Nuki Bridge, Nuki Smart Lock app, and others, with the newest remedies. Therefore, in order to obtain the fixes, all users should upgrade their individual Nuki smart devices with the most recent versions. Reference