For hardly any smart home product is the desire for verified security more tangible than for a door lock. NUKI Combo is the first Smart Lock system ever to receive the AV-TEST certificate “Secure Smart Home Product”.
After our comparison test of Smart Locks, the management of the Austrian manufacturer NUKI asked us to conduct a certification test of their product Nuki Combo – consisting of the Nuki Smart Lock (FW version 1.5.3) and the Nuki Bridge together with the Nuki App (version 1.9.1). In addition, the associated Alexa skill for Amazon Echo was also tested.
Secure local communication
The Nuki Smart Lock can be accessed directly from the app via Bluetooth LE. Access is encrypted end-to-end and protected against replay attacks. The app can be linked either by invitation code or by pressing the button on the Smart Lock for five seconds. Pairing via the invitation code is sufficiently secure because an administration PIN has to be defined and entered for the connection. For additional protection, the pairing method via button can be deactivated in the app.
Secure online communication
The Nuki Bridge extension allows remote access to the Nuki Smart Lock via the app and the web portal. Here, a connection to the Smart Lock is established via the manufacturer’s server and the Nuki Bridge. Online communication uses end-to-end encryption with the same encryption keys as local access, so only the sender and recipient have access to the data sent.
Connections between app and server are encrypted with TLS 1.2, the connections between server and bridge with TLS 1.1. Both connections are protected against man-in-the-middle attacks because, in addition to the TLS-based encryption, certificate pinning is used, meaning that communication is aborted immediately if an unknown certificate is presented.
Good app security
Our analysis of the NUKI app did not provide any indication of obvious or critical vulnerabilities in the implementation of security-related features, such as pairing, authentication, and encryption.
The data stored locally on the smartphone by the app was also examined. Again, there was no evidence of unprotected or vulnerable storage of sensitive data that could potentially be exploited by an attacker for purposes of manipulation, control or authentication.
Further information that could support reverse engineering, such as excessive debug output in the Android Logcat or overly detailed log files, could not be found either.
Firmware updates are also downloaded over encrypted connections, so attacking them is no child’s play.
Amazon Alexa Skill checked
When the Nuki Smart Lock is addressed through the Alexa skill, the communication is encrypted in the same way as for web access with the NUKI app. A PIN is required to open the lock. It should be noted that access through the skill does not show up among the configured Smart Lock users because web access is used.
The Nuki Web account can be deleted directly in Nuki Web; individual Smart Locks can also be removed from the account there.
The permissions of the Android app are limited to a pleasingly minimal extent:
The locking system from Nuki Home Solutions GmbH passes the examination against the current test catalog of AV-Test GmbH and meets the security requirements of the AV-TEST certification program. For this, the product NUKI Combo is awarded the AV-TEST seal “Tested Smart Home Product”.
Maik Morgenstern, CTO of the AV-TEST Institute, says: “NUKI proves that well thought-out security does not have to limit the ease of use of a smart home product. This shows that security played a decisive role in product development right from the start. That’s exemplary.”