Security researchers with NCC Group have documented 11 vulnerabilities impacting Nuki smart lock products, including issues that could allow attackers to open doors.
Nuki offers smart lock products – Nuki Smart Lock and Nuki Bridge – that allow users to unlock their doors with their smartphones by simply walking in range.
The vulnerabilities identified by NCC Group in the latest versions of the products could allow attackers to intercept a Nuki product’s network traffic, to execute arbitrary code on the device, to send commands with elevated privileges, or cause a denial-of-service (DoS) condition. The vendor has released patches.
“Some of the vulnerabilities result in a fully compromised device, including capabilities to open and close the door without the owner noticing,” NCC researchers Guillermo del Valle Gil and Daniel Romero told SecurityWeek.
“This could be achieved either from the same WiFi network as the lock device, or from Nuki servers themselves. Some of the other attacks require physical access to at least one device, which may be possible, since some of them are installed outside the protected area,” the researchers also said.
Both Nuki Smart Lock and Nuki Bridge were found to lack SSL/TLS certificate validation, allowing an attacker to perform a man-in-the-middle attack and intercept network traffic. The bug is tracked as CVE-2022-32509.
“It was possible to set up an intercepting proxy to capture, analyze and modify communications between the affected device and the supporting web services,” NCC Group explains in a technical advisory.
The security researchers also identified two buffer overflow bugs (CVE-2022-32504 and CVE-2022-32502) that could be exploited to achieve arbitrary code execution on the vulnerable devices.
Impacting the code responsible for parsing JSON objects received from the SSE WebSocket, the first buffer overflow could be combined with the lack of SSL/TLS certificate validation to intercept and tamper with the WebSocket packets to take control of the device.
“Additionally, if a malicious user could get access to the Nuki’s SSE servers this could be used to take control of all the affected devices,” NCC warns.
Discovered in the HTTP API parameter parsing code, the second buffer overflow could be exploited from within the LAN, even if the attacker did not have a valid token, as long as the HTTP API was enabled.
NCC Group also discovered that Nuki’s implementation of the Bluetooth Low Energy (BLE) API lacked proper access controls (CVE-2022-32507), allowing an attacker to send high-privileged commands they should not have permissions to send.
Because BLE commands could be sent from unprivileged accounts, such as the keypad, an attacker could open the keyturner without knowing the keypad code, and could even try to change the keyturner admin security PIN, the researchers say.
To open the keyturner, an attacker would take advantage of the fact that the impacted devices also expose JTAG hardware interfaces. Tracked as CVE-2022-32503, the flaw allows an attacker to tamper with internal and external flash memory.
“An attacker with physical access to any of these ports may be able to connect to the device and bypass both hardware and software security protections. JTAG debug may be usable to circumvent software security mechanisms, as well as to obtain the full firmware stored in the device unencrypted,” NCC says.
The company also discovered SWD hardware interfaces exposed on both Nuki Smart Lock and Nuki Bridge devices, that an unencrypted channel was used for administrative communication – allowing devices on the local network to passively collect network traffic – and that crafted HTTP and BLE packets could be used to cause DoS conditions.
“There were also some denial of service vulnerabilities found which were not fully developed, affecting both the HTTP and Bluetooth APIs. These may end up developing into something bigger, however, these were not the focus of this research,” NCC’s researchers told SecurityWeek.
Nuki was informed of these vulnerabilities in April and issued patches for them in July. Users were automatically informed about the availability of patches through the Nuki smartphone application.