Electronic door locks are a tangible source of convenience in everyday life. One of their most important aspects is security, because it’s not just about making access to your home more practical: you have to be able to trust the access system before you can feel comfortable.
In keeping with our guiding principles SMART – SIMPLE – SECURE, the security of our smart home products is a top priority. When developing our digital Nuki door locks, we used a highly complex end-to-end encryption system right from the very start – the kind also used in online banking.
Nuki has again passed external reviews by AV-TEST
Any security concept, no matter how sophisticated, is of course no substitute for testing by independent, external testing institutes. We therefore had our products checked once again by AV-TEST Germany for possible security vulnerabilities.
Just like in 2017, 2018, 2019 and 2020, the renowned research institute for IT security once again certified Nuki as a secure smart home product this year.
This year, AV-TEST inspected the Nuki Smart Lock, the Nuki Bridge, the Nuki app and the Nuki Opener.
Interview with AV-TEST – what really matters when it comes to smart home security
What is actually involved in an IT security test? What are common weak spots in IoT products? What should you pay particular attention to? And in which areas did Nuki do particularly well?
We invited Eric Clausing from AV-TEST to a short interview:
1. What are the most common security weak spots in smart home products? What do you have to pay particular attention to as a customer?
Eric Clausing: In our experience, the most common and critical problems arise in communication security. We repeatedly see unencrypted connections used in this area for transmitting sensitive data over the internet. We also see unsafe authentication mechanisms or even the lack of mechanisms altogether just as frequently.
As a customer, it is difficult to determine without additional technical aids whether encryption has been implemented, and how well. As far as secure authentication is concerned, the customer should make sure that the product offers the possibility to secure access to devices and accounts with strong and changeable passwords.
2. What kinds of external attacks are there, and how can you protect yourself against them? What challenges do manufacturers have to face in the field of IoT?
Eric Clausing: Attacks on the availability of IoT systems (jamming) represent, among other things, the greatest danger to customers – e.g. if an alarm system no longer works or a smart lock is no longer accessible. In practice, there is not much that the manufacturer can do to counter such attacks, since radio can always be disrupted, or devices can be deliberately destroyed. A good system should at least be able to reliably detect a component failure and report it to the customer so that they can react.
Apart from that, attacks on the authentication and access mechanisms of an IoT device are the most dangerous. In the worst case, they can also be carried out remotely and lead to third parties gaining access to the IoT product itself and the linked accounts. This is where the greatest potential for damage and the most immediate threat lies. The manufacturers should therefore focus on securing their devices.
3. What tests does a product have to undergo in order to obtain certification?
Eric Clausing: Products that are submitted to the certification test must undergo a comprehensive test. This is divided into three large sub-areas and over 100 individual test points.
The main points include:
- the analysis of communication, both online via the internet and locally via Bluetooth, for example,
- the analysis of the associated mobile applications for Android and iOS, and
- the analysis of data protection.
All areas are checked statically, i.e. through extensive scans and code reviews, as well as dynamically, i.e. during operation, for possible weak spots and potential entry points. A practically exploitable weak spot or a critical failure in one of the three main areas inevitably leads to the failure of the entire certification process.
4. Which aspects does Nuki perform particularly well in and why?
5. What trends are there in the field of IoT, and what will AV-TEST pay particular attention to in future test procedures?
Eric Clausing: Over the past few years, we have observed that the issue of data protection and privacy has become increasingly important among buyers. With that in mind, we are also adapting our tests in this direction so that we can also offer more extensive and detailed testing and evaluation in this area in the future. Of course, security will still remain our main focus.
You can find the detailed test report on the website of AV-TEST.
Do you have any further questions about IT security in general and the security of smart home devices or smart locks in particular? We have collected the most frequently asked customer questions and addressed them clearly and in detail for you in the following article.