Security researchers at NCC Group have found 11 security flaws affecting Nuki smart lock systems, including ones that could let intruders unlock doors. Nuki Smart Lock and Nuki Bridge let users unlock their doors with their cellphones simply by coming within range of the device.
The vulnerabilities, which NCC Group discovered in the most recent versions of the products, could allow an attacker to intercept a Nuki product's network traffic, execute arbitrary code on the device, send commands with elevated privileges, or trigger a denial-of-service (DoS) condition.
The vendor has made fixes available. Both Nuki Smart Lock and Nuki Bridge were found to lack SSL/TLS certificate validation, which allows an attacker to conduct a man-in-the-middle attack and intercept network traffic. The flaw is catalogued as CVE-2022-32509.
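The class of flaw described above, missing SSL/TLS certificate validation, shown as a client-side configuration check. This is an added example using Python's standard `ssl` module, not Nuki's firmware or NCC Group's code; the function names are hypothetical.

```python
import ssl
from typing import List


def weak_context() -> ssl.SSLContext:
    """TLS client context with certificate validation switched off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE  # any certificate passes, so an interceptor's does too
    return ctx


def hardened_context() -> ssl.SSLContext:
    """TLS client context that validates the chain and the server name."""
    # create_default_context() sets CERT_REQUIRED and check_hostname=True
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the validation gaps in a client context (empty list means none)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("chain not validated: verify_mode is not CERT_REQUIRED")
    if not ctx.check_hostname:
        findings.append("name not validated: check_hostname is disabled")
    return findings


def require_validating(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Gate to call before any connection is opened; rejects unsafe contexts."""
    findings = audit_tls_context(ctx)
    if findings:
        raise ValueError("refusing TLS context: " + "; ".join(findings))
    return ctx


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(name, audit_tls_context(ctx) or "ok")
```

A check like `require_validating` can run in unit tests or at start-up so that a context with validation disabled never reaches production traffic.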