
Nuki Smart Lock Vulnerabilities Allow Hackers to Open Doors

Security researchers with NCC Group have documented 11 vulnerabilities impacting Nuki smart lock products, including issues that could allow attackers to open doors.

Nuki offers smart lock products – Nuki Smart Lock and Nuki Bridge – that allow users to unlock their doors with their smartphones by simply walking in range.


The vulnerabilities identified by NCC Group in the latest versions of the products could allow attackers to intercept a Nuki product’s network traffic, to execute arbitrary code on the device, to send commands with elevated privileges, or cause a denial-of-service (DoS) condition. The vendor has released patches.

“Some of the vulnerabilities result in a fully compromised device, including capabilities to open and close the door without the owner noticing,” NCC researchers Guillermo del Valle Gil and Daniel Romero told SecurityWeek.

“This could be achieved either from the same WiFi network as the lock device, or from Nuki servers themselves. Some of the other attacks require physical access to at least one device, which may be possible, since some of them are installed outside the protected area,” the researchers also said.

Both Nuki Smart Lock and Nuki Bridge were found to lack SSL/TLS certificate validation, allowing an attacker to perform a man-in-the-middle attack and intercept network traffic. The bug is tracked as CVE-2022-32509.

“It was possible to set up an intercepting proxy to capture, analyze and modify communications between the affected device and the supporting web services,” NCC Group explains in a technical advisory.

The security researchers also identified two buffer overflow bugs (CVE-2022-32504 and CVE-2022-32502) that could be exploited to achieve arbitrary code execution on the vulnerable devices.

The first buffer overflow affects the code responsible for parsing JSON objects received from the SSE WebSocket. Combined with the lack of SSL/TLS certificate validation, it could allow an attacker to intercept and tamper with the WebSocket packets to take control of the device.


“Additionally, if a malicious user could get access to the Nuki’s SSE servers this could be used to take control of all the affected devices,” NCC warns.

Discovered in the HTTP API parameter parsing code, the second buffer overflow could be exploited from within the LAN, even if the attacker did not have a valid token, as long as the HTTP API was enabled.

NCC Group also discovered that Nuki’s implementation of the Bluetooth Low Energy (BLE) API lacked proper access controls (CVE-2022-32507), allowing an attacker to send high-privileged commands they should not have permissions to send.

Because BLE commands could be sent from unprivileged accounts, such as the keypad, an attacker could open the keyturner without knowing the keypad code, and could even try to change the keyturner admin security PIN, the researchers say.
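A default-deny, per-role command check of the kind whose absence is described above, as an added example (not Nuki's firmware or NCC Group's code). The role names, command names and session fields are hypothetical and stand in for whatever the real BLE protocol defines.

```c
#include <stdbool.h>
#include <stdio.h>
/* Hypothetical roles and commands, not Nuki's real protocol identifiers. */
typedef enum { ROLE_KEYPAD, ROLE_APP_USER, ROLE_ADMIN, ROLE_COUNT } role_t;
typedef enum { CMD_GET_STATE, CMD_LOCK, CMD_UNLOCK, CMD_SET_ADMIN_PIN, CMD_COUNT } cmd_t;
typedef enum { AUTH_OK, AUTH_DENIED, AUTH_NEED_PROOF, AUTH_BAD_INPUT } auth_result_t;
/* Extra proof a role must present for a command, beyond being paired. */
typedef enum { NEED_NOTHING, NEED_KEYPAD_CODE, NEED_ADMIN_PIN } proof_t;
typedef struct { bool allowed; proof_t proof; } rule_t;
/* Per-connection state, filled in by the (not shown) authenticated pairing layer. */
typedef struct { role_t role; bool keypad_code_ok; bool admin_pin_ok; } session_t;
/* Default-deny table: any cell not listed is zero-initialised, i.e. not allowed. */
static const rule_t policy[ROLE_COUNT][CMD_COUNT] = {
    [ROLE_KEYPAD] = {
        [CMD_GET_STATE] = { true, NEED_NOTHING },
        [CMD_LOCK]      = { true, NEED_NOTHING },
        [CMD_UNLOCK]    = { true, NEED_KEYPAD_CODE },
    },
    [ROLE_APP_USER] = {
        [CMD_GET_STATE] = { true, NEED_NOTHING },
        [CMD_LOCK]      = { true, NEED_NOTHING },
        [CMD_UNLOCK]    = { true, NEED_NOTHING },
    },
    [ROLE_ADMIN] = {
        [CMD_GET_STATE]     = { true, NEED_NOTHING },
        [CMD_LOCK]          = { true, NEED_NOTHING },
        [CMD_UNLOCK]        = { true, NEED_NOTHING },
        [CMD_SET_ADMIN_PIN] = { true, NEED_ADMIN_PIN },
    },
};

/* Runs in the dispatcher before any command handler is reached. */
auth_result_t authorize(const session_t *s, cmd_t cmd)
{
    if (!s || (unsigned)s->role >= (unsigned)ROLE_COUNT || (unsigned)cmd >= (unsigned)CMD_COUNT)
        return AUTH_BAD_INPUT;
    const rule_t *r = &policy[s->role][cmd];
    if (!r->allowed) return AUTH_DENIED;
    if (r->proof == NEED_KEYPAD_CODE && !s->keypad_code_ok) return AUTH_NEED_PROOF;
    if (r->proof == NEED_ADMIN_PIN && !s->admin_pin_ok) return AUTH_NEED_PROOF;
    return AUTH_OK;
}

int main(void)
{
    session_t keypad = { ROLE_KEYPAD, false, false }; /* constructed: no code entered yet */
    printf("unlock=%d set_pin=%d\n", authorize(&keypad, CMD_UNLOCK), authorize(&keypad, CMD_SET_ADMIN_PIN));
    return 0;
}
```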

To open the keyturner, an attacker would take advantage of the fact that the impacted devices also expose JTAG hardware interfaces. Tracked as CVE-2022-32503, the flaw allows an attacker to tamper with internal and external flash memory.

“An attacker with physical access to any of these ports may be able to connect to the device and bypass both hardware and software security protections. JTAG debug may be usable to circumvent software security mechanisms, as well as to obtain the full firmware stored in the device unencrypted,” NCC says.

NCC Group also found that SWD hardware interfaces were exposed on both Nuki Smart Lock and Nuki Bridge devices, that an unencrypted channel was used for administrative communication, allowing devices on the local network to passively collect network traffic, and that crafted HTTP and BLE packets could be used to cause DoS conditions.

“There were also some denial of service vulnerabilities found which were not fully developed, affecting both the HTTP and Bluetooth APIs. These may end up developing into something bigger, however, these were not the focus of this research,” NCC’s researchers told SecurityWeek.

Nuki was informed of these vulnerabilities in April and issued patches for them in July. Users were automatically informed about the availability of patches through the Nuki smartphone application.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
