Security Experts:

Connect with us

Hi, what are you looking for?


Supply Chain Security

Nuki Smart Lock Vulnerabilities Allow Hackers to Open Doors

Security researchers with NCC Group have documented 11 vulnerabilities impacting Nuki smart lock products, including issues that could allow attackers to open doors.

Nuki offers smart lock products – Nuki Smart Lock and Nuki Bridge – that allow users to unlock their doors with their smartphones by simply walking in range.

Security researchers with NCC Group have documented 11 vulnerabilities impacting Nuki smart lock products, including issues that could allow attackers to open doors.

Nuki offers smart lock products – Nuki Smart Lock and Nuki Bridge – that allow users to unlock their doors with their smartphones by simply walking in range.

The vulnerabilities identified by NCC Group in the latest versions of the products could allow attackers to intercept a Nuki product’s network traffic, to execute arbitrary code on the device, to send commands with elevated privileges, or cause a denial-of-service (DoS) condition. The vendor has released patches.Nuki smart lock vulnerabilities

“Some of the vulnerabilities result in a fully compromised device, including capabilities to open and close the door without the owner noticing,” NCC researchers Guillermo del Valle Gil and Daniel Romero told SecurityWeek.

“This could be achieved either from the same WiFi network as the lock device, or from Nuki servers themselves. Some of the other attacks require physical access to at least one device, which may be possible, since some of them are installed outside the protected area,” the researchers also said.

Both Nuki Smart Lock and Nuki Bridge were found to lack SSL/TLS certificate validation, allowing an attacker to perform a man-in-the-middle attack and intercept network traffic. The bug is tracked as CVE-2022-32509.

“It was possible to set up an intercepting proxy to capture, analyze and modify communications between the affected device and the supporting web services,” NCC Group explains in a technical advisory.

The security researchers also identified two buffer overflow bugs (CVE-2022-32504 and CVE-2022-32502) that could be exploited to achieve arbitrary code execution on the vulnerable devices.

Impacting the code responsible for parsing JSON objects received from the SSE WebSocket, the first buffer overflow could be combined with the lack of SSL/TLS certificate validation to intercept and tamper with the WebSocket packets to take control of the device.

“Additionally, if a malicious user could get access to the Nuki’s SSE servers this could be used to take control of all the affected devices,” NCC warns.

Discovered in the HTTP API parameter parsing code, the second buffer overflow could be exploited from within the LAN, even if the attacker did not have a valid token, as long as the HTTP API was enabled.

NCC Group also discovered that Nuki’s implementation of the Bluetooth Low Energy (BLE) API lacked proper access controls (CVE-2022-32507), allowing an attacker to send high-privileged commands they should not have permissions to send.

Because BLE commands could be sent from unprivileged accounts, such as the keypad, an attacker could open the keyturner without knowing the keypad code, and could even try to change the keyturner admin security PIN, the researchers say.

To open the keyturner, an attacker would take advantage of the fact that the impacted devices also expose JTAG hardware interfaces. Tracked as CVE-2022-32503, the flaw allows an attacker to tamper with internal and external flash memory.

“An attacker with physical access to any of these ports may be able to connect to the device and bypass both hardware and software security protections. JTAG debug may be usable to circumvent software security mechanisms, as well as to obtain the full firmware stored in the device unencrypted,” NCC says.

The company also discovered SWD hardware interfaces exposed on both Nuki Smart Lock and Nuki Bridge devices, that an unencrypted channel was used for administrative communication – allowing devices on the local network to passively collect network traffic – and that crafted HTTP and BLE packets could be used to cause DoS conditions.

“There were also some denial of service vulnerabilities found which were not fully developed, affecting both the HTTP and Bluetooth APIs. These may end up developing into something bigger, however, these were not the focus of this research,” NCC’s researchers told SecurityWeek.

Nuki was informed of these vulnerabilities in April and issued patches for them in July. Users were automatically informed about the availability of patches through the Nuki smartphone application.

Related: Cybercriminals, State-Sponsored Threat Actors Exploiting Confluence Server Vulnerability

Related: Critical SAP Vulnerability Allows Supply Chain Attacks

Related: FTC Settles With Canadian Smart Lock Maker Over Security Practices

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...