Already for the third time in our test laboratory for certification: The combination of Smart Lock 2.0 and Bridge from the Austrian manufacturer Nuki. In the past two years, the solution has convinced with a well thought-out and adequately implemented security concept and exemplary practice in the area of data protection and privacy.
This year, our testers again found an unchanged solid implementation, which repeatedly left little room for serious criticism and thus for the third time deservedly received our certificate “Approved Smart Home Product”.
Again this year, the mobile applications, in their most current version at the time of testing, (Android io.nuki v2.6.5, iOS io.nuki.ios v2.6.2) were thoroughly scanned both statically and dynamically for potential vulnerabilities. As before, there are only marginal comments from us and the apps convinced again in the extensive security test. The applications are still well protected against potential reverse engineering, do not afford any serious mistakes in the implementation of security-relevant functions in authentication and communication, and are also designed in such a way that the user’s privacy is respected during use. While we have been able to identify two integrated Google Tracker modules, these are only used if a malfunction requires analysis for the purpose of service improvement. Accordingly, we do not rate their presence as negative.
The applications potentially claim quite a number of permissions on the user device, but according to our understanding they are all explainable with a need for one or the other functionality.
Apart from that, our analysis only revealed some theoretical weaknesses in the implementation of the Android and iOS applications. However, these are only hypothetical in all cases and were only reported by us to the manufacturer Nuki for completeness. In our estimation, they do not pose a real danger.
All in all, as usual, an absolutely solid performance in this test area.
Local and online communication
The local communication between Smart Lock and Smartphone or application in case of the Nuki Smart Lock 2.0 (current firmware version 2.6.4) is still done via Bluetooth in version 5. The payload of this communication is also still well encrypted and effectively protected against standard attacks. The Bluetooth technology itself is, like any radio communication, basically vulnerable to certain denial attacks with e.g. jammers which can create certain theoretical attack scenarios. Apart from that, however, we have not been able to identify any critical and/or obvious weaknesses in this area.
In the actual communication over the Internet between the application and the bridge, no vulnerability can be found either – all connections are adequately encrypted according to current standards and are also effectively secured against the usual standard attacks, such as man-in-the-middle attacks.
We also scanned the bridge (at the time of testing in firmware version 2.5.1) for potential vulnerabilities in configuration and implementation, but as usual the solution was absolutely solid. Only some system information, e.g. the manufacturer of the Ethernet card, could be determined by us in this way – nothing that a real attacker alone could take advantage of.
All in all, the Nuki Combo 2.0 is still one of the most data-efficient solutions we have had for testing in the lab so far and is therefore still considered exemplary by us.
Also in the third attempt the Nuki Combo 2.0 passes our certification procedure without any serious criticism and still convinces with a solid security concept and exemplary data protection and privacy.
Thus the combination of Nuki Smart Lock 2.0 and the corresponding Nuki Bridge will receive the certificate “Certified Smart Home Product” from us for 2020 as well.