For the third time, the combination of Smart Lock 2.0 and Bridge from the Austrian manufacturer Nuki is in our test laboratory for certification. Over the past two years, the solution has impressed with a well-thought-out and adequately implemented security concept and exemplary practice in the area of data protection and privacy.

This year, our testers again found an equally solid implementation, which once more left little room for serious criticism and thus deservedly received our certificate “Approved Smart Home Product” for the third time.

Mobile applications

Again this year, the mobile applications, in their most current versions at the time of testing (Android io.nuki v2.6.5, iOS io.nuki.ios v2.6.2), were thoroughly analyzed both statically and dynamically for potential vulnerabilities. As before, we have only minor remarks, and the apps again performed convincingly in the extensive security test. The applications are still well protected against potential reverse engineering, show no serious mistakes in the implementation of security-relevant functions for authentication and communication, and are also designed in such a way that the user’s privacy is respected during use. While we were able to identify two integrated Google tracker modules, these are only used if a malfunction requires analysis for the purpose of service improvement. Accordingly, we do not rate their presence as negative.

Integrated Google Tracker

The applications can request quite a number of permissions on the user's device, but as far as we can tell, each of them can be explained by a need for one function or another.

Permissions of the Android application

Permissions of the iOS application

Apart from that, our analysis revealed only some theoretical weaknesses in the implementation of the Android and iOS applications. These are hypothetical in all cases, and we reported them to the manufacturer Nuki only for the sake of completeness. In our estimation, they do not pose a real danger.

All in all, as usual, an absolutely solid performance in this test area.

Local and online communication

Local communication between the Smart Lock and the smartphone or application, in the case of the Nuki Smart Lock 2.0 (current firmware version 2.6.4), still takes place via Bluetooth version 5. The payload of this communication is also still well encrypted and effectively protected against standard attacks. Bluetooth itself is, like any radio communication, fundamentally vulnerable to certain denial-of-service attacks, e.g. with jammers, which can give rise to certain theoretical attack scenarios. Apart from that, however, we were not able to identify any critical and/or obvious weaknesses in this area.

In the actual communication over the Internet between the application and the bridge, we found no vulnerability either: all connections are adequately encrypted according to current standards and are also effectively secured against the usual standard attacks, such as man-in-the-middle attacks.

Online communication mainly via Secure WebSocket protocol

We also scanned the bridge (firmware version 2.5.1 at the time of testing) for potential vulnerabilities in configuration and implementation, but as usual the solution proved absolutely solid. We were only able to determine some system information in this way, e.g. the manufacturer of the Ethernet card, which is nothing that a real attacker could take advantage of on its own.

Data protection

The privacy policy is still in its May 2018 state and has therefore already been checked and certified by us twice in this version. Consequently, we did not identify any points of criticism here in our third audit: the data protection statement contains all the essential information that the user needs to be adequately informed about data collection, storage and processing.

All in all, the Nuki Combo 2.0 is still one of the most data-efficient solutions we have tested in the lab so far, and we therefore still consider it exemplary.

Verdict

In its third attempt as well, the Nuki Combo 2.0 passes our certification procedure without any serious criticism and still convinces with a solid security concept and exemplary data protection and privacy.

Thus, the combination of Nuki Smart Lock 2.0 and the corresponding Nuki Bridge will receive the certificate “Certified Smart Home Product” from us for 2020 as well.