Security and data protection have been core values at Nuki from the very beginning
Nuki NewsEvery year in October, the European Union Agency for Cybersecurity (ENISA) puts the spotlight on this topic. But how does Nuki address the issues of security and data protection? What approaches and concepts are used? And how transparently are potential security vulnerabilities dealt with? Co-Founder and Chief Innovation Officer Jürgen Pansy provides answers to the current ten most important questions on the matter.
1. The aim of European Cybersecurity Month (ECSM) is to draw attention to risks and dangers on the Internet and to increase EU citizens’ knowledge of IT security topics. What role does Nuki see itself playing in this regard?
We want to actively contribute as a company to increasing user trust in the security of Smart Locks. That’s why we approach this area with various strategies and concepts. Our goal is to ensure that smart door locks remain secure, even in an increasingly connected world. Since the development of our first prototype, security and data protection have been core values for us. Protecting our customers’ data is of utmost importance to us. The way we see it is that the safest data are the data that are never handed over. For this reason, our Smart Locks have been designed since the first generation so that no mandatory user account is required – data are not stored on our servers. When it comes to security, we rely on end-to-end encryption.
2. At first glance, the term end-to-end encryption may sound infinitely complex. So, what does it mean in simple terms?
In end-to-end encryption, a secret key is used that is known only to the sender and the receiver. Together with strong encryption algorithms, similar to those used in online banking, and the so-called challenge-response mechanism, it ensures that intercepting or copying and replaying locking commands to the Smart Lock is impossible. The challenge-response mechanism ensures that no two packages are ever the same, even if the same content is sent. In our system, every combination of Smart Lock and user – for example, the app, Keypad or our Bluetooth remote control Fob – has its own set of secret keys. Encrypted commands are transmitted via Bluetooth to the Smart Lock, even when using the Keypad or Fob. Even when accessed remotely, only the
respective devices know the secret key.
3. And for those who would like more technical details on end-to-end encryption: Which protocols, methods and software does Nuki use?
We rely on a combination of secure key generation and a challenge-response mechanism using random numbers. When pairing the devices, a shared key is generated. A so-called Diffie-Hellman key exchange takes place. This enables the creation of a key without having to transmit it. This shared key forms the basis for the encryption. The open-source library NaCl (Networking and Cryptography Library) is used for encryption. As part of the challenge-response mechanism, an additional individual random number is used for each command, which can only be used once. If an incorrect or previously used random number is transmitted, a command will be rejected. This prevents a command from being intercepted and replayed at a later time.
4. Unlike other Smart Lock providers, no user account is required with Nuki. An exception to this is the optional Nuki Web service. How are user data handled in this case?
All Nuki products – except for the Nuki Box – can be used without an user account. This applies both to local use via Bluetooth and remote access. In both cases, personal and security-relevant data are only stored locally on the respective devices and not on Nuki servers. The only exception is Nuki Web, a cloud service where data is temporarily stored on our servers. Activating Nuki Web is optional and, in some cases, very practical: Nuki devices can be managed easily from a PC or laptop. A Nuki Web account is also required for integration with some cloud-based smart home systems (Google Home, Amazon Alexa). But even here, we can say that we are committed to high-security standards.
At Nuki, hosting is exclusively carried out in Europe, which also contributes to the trustworthiness of our Smart Locks. Due to the data being stored within the European Union, hosting is subject to strict data protection regulations, ensuring a high level of protection for user data.
5. Nuki Smart Locks are mounted on the inside of an existing door – so from the outside, it’s not apparent that an electronic door lock is being used. However, the Keypad is mounted on the outside. Can codes be compromised in the event of theft?
The access codes for the Keypad are stored exclusively in the electronic door lock, which is mounted on the inside of the door. If someone steals the Keypad, they do not have access to the codes used. Even if someone attempted to open the Keypad and read the internal memory, this is not possible. The data are protected against tampering. For additional peace of mind, the Smart Lock’s logging feature provides transparency, as it allows users to track every action of the Smart Lock, as well as the Smart Door and the Opener. The activity log records the time, user and function used. Additionally, you can opt to receive push notifications whenever someone locks or unlocks a Nuki device.
6. Cybersecurity risks and threats are subject to rapid change. How is Nuki responding to this?
A significant advantage of our Smart Locks is the ability to perform security updates via an online connection. This means users automatically receive updates, ensuring the security features are always up to date with the latest technology. Security vulnerabilities can be patched, and new threats can be reliably countered. Should the Nuki Smart Lock – either intentionally or unintentionally – go offline, the accompanying smartphone app allows manual installation of the latest updates. The app regularly checks for available updates and proactively informs users about them. With regular updates and the use of apps for security updates, Nuki Smart Locks are a modern and secure solution for door security. Electronic door locks are continuously adapted to new security requirements, offering reliable protection.
7. What else can I, as a customer, do to ensure that my Smart Lock is as secure as possible?
One key aspect of Smart Lock security is also the security of the associated smartphone apps, which are offered in various app stores (e.g., Apple App Store, Google Play Store, Huawei AppGallery). These stores have their own security mechanisms to ensure that only trustworthy and secure apps are published. Despite these security measures, it is important that users download their Smart Lock apps only from trusted sources. Downloading apps from unsecured or unknown sources can pose significant risks. Such sources could potentially contain malicious software designed to exploit security vulnerabilities or steal personal data.
8. A company imposing high standards on itself with regards to security and data protection is one thing. It’s another to have these standards reviewed by independent, external bodies. What is Nuki’s approach to this?
Since the first generation, we have had each of our Smart Locks certified as a “Secure IOT Product” by the independent AV-TEST Institute. We are proud of having regularly received these certifications for many years, consistently proving our high security standards – most recently for our fourth-generation Smart Lock. Additionally, we are delighted that just this summer, we also achieved a particularly prestigious certification for the “Ultion Nuki”, a joint product with our British partner Brisant Secure that was specifically designed for the UK market. The “BSI Kitemark for the Internet of Things” certifies that this Smart Lock meets the highest standards of both physical and digital security.
9. How transparent is Nuki regarding potential security vulnerabilities?
As one of the few Smart Lock manufacturers, we have made a significant portion of our APIs public. This allows developers to review the security architecture of our electronic door lock and eliminate vulnerabilities. This transparency ensures that the technologies we use meet current security standards and protect against potential attacks. Responsible disclosure and so-called bug bounty programs are also key elements of our security strategy. Security researchers have the opportunity to report vulnerabilities directly to Nuki before they are made public. This enables us to take swift action and close any gaps in security. Through a bug bounty program, there are also financial incentives to find and report vulnerabilities. All of these transparency-focused steps make a significant contribution to the continuous improvement of our security measures.
10. What do the EU Cyber Security Act (CSA) and Cyber Resilience Act (CRA) mean for IoT devices and Nuki?
The CSA and CRA mark milestones for the security of IoT devices. The regulations were adopted by the European Union Parliament in 2023 and 2024, respectively. The Cyber Security Act will take effect on August 1, 2025, and the Cyber Resilience Act in 2027. Both legislative acts are intended to ensure that IoT devices in the EU become more secure and that trust in this technology is strengthened. Today, Nuki already meets all essential criteria of the CSA and CRA.
