The highest security standards are rightfully expected of smart home devices and especially of digital door locks – after all, it’s about granting access to your own home. That’s why we at Nuki have defined the security of our products and our software as one of our three guiding principles:
We also have our products regularly tested by independent, external testing institutes.
Nowadays, almost everyone uses a smartphone, along with many other digital devices. But the proportion of these tech enthusiasts who actually understand the underlying processes is extremely small. We have got used to using complex devices without understanding the principles that govern how they work. This creates “blind spots” for us, where our ignorance can potentially be used against us. When combined with reports on hackers and cyber crime, this creates a general sense of distrust towards online activities. But where are we actually directing our mistrust as end customers? Cyber crime refers to all crimes that are committed with the help of modern information technology – in other words, “crimes that are committed against IT systems or data, such as spying on and intercepting data by gaining unlawful access to a computer system.” The same applies to smart home technologies.
In summary, this means a system can be considered secure if any unauthorised access can be prevented.
The following basic principles apply to all end devices with software features, not just smartphones and computers but also smart washing machines, televisions and, of course, digital door locks such as the Nuki Smart Lock.
You can find more principles of smart home security here.
The term smart home refers to all networking technical measures within the four walls of your home that make it more convenient and (energy) efficient. A very clear example of this is smart lighting, i.e. lamps that can be controlled via an app. Several smart devices can also be networked with each other so that, for example, all lights are automatically switched off when you leave your home. With such functions as presence simulation, the security of your own home can be increased even further. If the software were not adequately protected here, the light at home could theoretically be switched on and off by strangers. Every serious provider will rely on reliable encryption technology to prevent exactly that. For example, we at Nuki have been certified by AV-TEST for the security of our hardware and software for the last 5 years in a row (more on this here).
How secure a smart home device – and in particular a smart lock – is, depends on two different aspects: the security level of the device itself (hardware) and the connection/communication between the hardware and the device used to control it (usually a smartphone).
Many suspect that a door that can be controlled digitally automatically looks smart from the outside. But a smart lock does not require any manual operation on the device itself – instead, it works via a radio link. That’s why most well-known manufacturers of electronic door locks use an access solution that is mounted on the inside of the front door. This means nobody on the outside can see whether a smart lock is installed in your home. The Nuki Smart Lock is easy to install and uninstall (also very practical for rental apartments, as it can be removed without leaving a trace).
There is a reason the Nuki Keypad Combo is one of our long-standing bestsellers. Using a code to gain or grant access is really practical, especially for those who don’t always have their smartphone with them or for renting out holiday properties. For this to work, however, the Keypad (similar to fingerprint solutions, e.g. from ekey) must be mounted on the outside of the house or apartment door. If the Keypad is stolen, we offer you a theft replacement guarantee: Simply contact our support team to get a new Keypad. We need the following documents for this:
Numerous electronic door lock manufacturers offer retrofit solutions. This means the smart lock in question is placed on the existing door cylinder. The Nuki Smart Lock is also designed to be compatible with most common locking cylinders in Europe and easy to install. This means nothing usually needs to be changed on the lock itself during installation (more on this here). You can even continue to lock your door from the outside with your conventional key alongside the Nuki app. Since your locking cylinder remains the same, a Smart Lock does not change the fundamental security of your lock. Regardless of whether you use a Smart Lock or not, we recommend investing in a high-quality and secure locking cylinder (e.g. the Nuki Universal Cylinder or a cylinder from CISA).
A Smart Lock doesn’t make your door any less safe. What’s more, we mustn’t forget that time is of the essence in a break-in: Burglars have to get into the house within a few minutes and leave again very quickly to avoid getting caught. Cracking the Bluetooth protocol or hacking the house Wi-Fi is not the top priority – because, besides the fact that most would fail in this attempt, it is simply much quicker to pry open the door or drill open the lock cylinder.
→ Since a Nuki Smart Lock can be installed without making any modifications to your door or door cylinder, your existing insurance coverage remains unchanged.
The Nuki Smart Lock is mounted on the door from the inside, and the Nuki Bridge and Nuki Opener are also kept inside your home, so the products cannot be seen from the outside. This prevents any unauthorised people from gaining physical access from outside. So when it comes to security, it is mainly about the connection between the Smart Lock and smartphone: By accessing the Smart Lock in the Nuki app and tapping on “unlock”, this command is transferred from the smartphone to the Smart Lock and executed.
The Smart Lock continuously logs locking activity transparently and clearly in the “activity log”. You can view the activity log in the Nuki app or alternatively via Nuki Web. This is where you can see exactly who unlocked your door and when. Still unsure whether a stranger had access to your Smart Lock? If necessary, you can also send the activity log to Nuki. Nuki employees then analyse the motor movements, which are stored locally on the device. Simply contact our support team to clarify how to proceed.
A sophisticated encryption concept ensures that:
For this to work, various conditions must be met and additional security procedures carried out.
In order to ensure that the Nuki Smart Lock only reacts to commands from authorised smartphones, this connection is established through Bluetooth pairing when it is set up for the first time. To do this, the Smart Lock must first be put into pairing mode by pressing the button for about five seconds. This is the only way for the Smart Lock to recognise your smartphone as authorised. You can find the exact step-by-step instructions in the Nuki app. You can then complete the pairing of the Smart Lock with your smartphone.
This ensures that no one else can connect their smartphone to your Smart Lock without your knowledge. We recommend deactivating Bluetooth pairing after setup. This ensures that unauthorised people who, for example, have access to the Smart Lock as part of a shared co-working space cannot connect to it later. If the smartphone is lost while direct pairing is deactivated, the Smart Lock must be reset to factory settings.
This works as follows: Open the sidebar menu in the top-left corner, and under “Help” you will find the “Reset Smart Lock” button. All the necessary steps will then be explained to you in the app.
Safety factor: In order to pair the Nuki Smart Lock with your smartphone, you have to press a button directly on the Smart Lock itself. This prevents your neighbours, for example, from gaining access to your Nuki Smart Lock. Anyone can download the free Nuki app. However, you can only use the Nuki app if you actually pair the Nuki Smart Lock manually in person – or if you receive the corresponding access permission from the Smart Lock owner.
Most smart home hacks and leaks actually occur during setup. It’s worth mentioning that the products are tested in constructed scenarios under lab conditions. Scenes are played out here that rarely occur in reality. For instance, tests are conducted to see whether it is possible for an unauthorised person to access a Smart Lock if they go into pairing mode at the exact same moment the owner presses the button to pair.
As soon as a smartphone has been paired with a Nuki Smart Lock, the Nuki app acts as an individual, digital key. The Nuki Smart Lock administrator also has the option of sending invitation codes to other people, who will then have access to the Smart Lock too. If you don’t want others with access permissions to be able to issue invitation codes themselves, you can protect this function with a PIN code.
Thanks to the two-factor authentication, you can rest assured that no unauthorised person receives a digital key – in other words, this ensures their smartphone is not connected to the Smart Lock as an authorised user. But what happens if the locking command is intercepted and copied during the locking process? Generally speaking, so-called “replay attacks” of this kind are possible in theory, but not with a Nuki Smart Lock. Even if someone decrypts and saves the lock command, they cannot use it to operate the Nuki Smart Lock because Nuki uses what’s known as the challenge-response procedure. This means that each lock command is only used once. At Nuki, a one-time code (NONCE – “number used once” – principle) is also used for each command. Simply put, the communication between the app and the Smart Lock looks like this:
Challenge = app says: “Attention, I want to send you a command”
Response = Smart Lock answers: “Ok, use this one-time code too” → only then does the actual lock command come into effect. If a lock command has already been used once, the Smart Lock will immediately recognise and reject it.
To prevent this and many other potential scenarios, we at Nuki rely on the tried-and-tested system of end-to-end encryption. In this article, we explain this concept in detail. It involves complex technology that, in simple terms, can be explained as follows: End-to-end encryption ensures that nobody can “listen in” apart from the sender (e.g. an authorised smartphone) and the receiver (the paired Smart Lock). This, of course, means that not even the people at Nuki can intercept the user’s individual lock commands via the Nuki app.
Put simply, this happens when both parties agree on common, secret code words with which the commands are encrypted. These code words are set at random and their meaning is known only to the sender and the recipient. The concept of encryption and decryption can be easily explained (albeit in a very simplified form) using colours.
NaCl (Networking and Cryptography library, or “Salt” for short) is an open standard that can be checked by security experts all over the world. This standard not only offers the same level of security as online banking, but also enables independent verification by anyone, anytime, anywhere.
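To make the challenge-response and one-time-code idea from the exchange above concrete, here is a small simulation added for this article. It is not Nuki’s protocol or code, and it does not use the NaCl library: the shared secret agreed at pairing, the 24-byte nonce length, the `SmartLock`/`App` classes and the use of an HMAC tag in place of NaCl’s authenticated encryption are all assumptions made for the illustration. The lock hands out a fresh nonce for every command, accepts a command only when its tag verifies under the pairing key and the nonce is one it issued and has not yet consumed, and therefore rejects a captured message that is sent a second time.

```python
import hashlib
import hmac
import secrets


class SmartLock:
    """Toy lock: verifies commands against a pairing key and a per-command nonce.

    Assumption for this example: the key was agreed during Bluetooth pairing and
    is known only to the lock and the authorised app.
    """

    def __init__(self, pairing_key: bytes) -> None:
        self._key = pairing_key
        self._pending = set()   # nonces issued but not yet consumed
        self.activity_log = []  # what the "activity log" of the page would record

    def challenge(self) -> bytes:
        # "Ok, use this one-time code too": a random 24-byte nonce (length assumed).
        nonce = secrets.token_bytes(24)
        self._pending.add(nonce)
        return nonce

    def execute(self, nonce: bytes, command: bytes, tag: bytes) -> str:
        # 1. Authenticity: the tag must come from a holder of the pairing key.
        expected = hmac.new(self._key, nonce + command, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            self.activity_log.append(("rejected", "bad authentication tag"))
            return "rejected: bad authentication tag"
        # 2. Freshness: the nonce must be one we issued and must not have been used.
        if nonce not in self._pending:
            self.activity_log.append(("rejected", "replayed or unknown nonce"))
            return "rejected: nonce unknown or already used"
        self._pending.discard(nonce)  # each one-time code is consumed exactly once
        self.activity_log.append(("executed", command.decode()))
        return "executed: " + command.decode()


class App:
    """Toy authorised smartphone app holding the same pairing key."""

    def __init__(self, pairing_key: bytes) -> None:
        self._key = pairing_key

    def sign(self, nonce: bytes, command: bytes) -> bytes:
        # Bind the command to the lock's one-time code before sending it.
        return hmac.new(self._key, nonce + command, hashlib.sha256).digest()


def demo() -> tuple:
    """Runs one legitimate unlock, a replay of the captured message, and a forgery.

    Returns the three lock responses so the outcome can be checked.
    """
    pairing_key = secrets.token_bytes(32)  # constructed for the example
    lock = SmartLock(pairing_key)
    app = App(pairing_key)

    # Legitimate exchange: app asks for a challenge, signs "unlock" with the nonce.
    nonce = lock.challenge()
    captured = (nonce, b"unlock", app.sign(nonce, b"unlock"))
    first = lock.execute(*captured)

    # Replay: someone who recorded the message sends it again unchanged.
    replay = lock.execute(*captured)

    # Forgery: a fresh nonce is obtained, but there is no pairing key to sign with.
    fresh_nonce = lock.challenge()
    forged = lock.execute(fresh_nonce, b"unlock", bytes(32))

    return first, replay, forged


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Note the order of the two checks: the tag is verified before the nonce is looked up, so an unauthenticated message never touches the nonce bookkeeping. In a real device the set of pending nonces would also need a bound or expiry so that unanswered challenges cannot accumulate.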
The idea that you can only unlock your door via an app when you install a smart lock leaves a lot of people feeling sceptical. What happens if my smartphone is stolen? How can I open the door if my battery dies? What if my children don’t have smartphones of their own yet? If a smartphone is lost, another authorised person can revoke the corresponding access permission – your personal, digital key. The major advantage here is that this can be done in a matter of seconds without having to replace the entire lock including the cylinder, unlike with conventional keys.
If the battery runs out or if a resident does not have a smartphone, extensions for the smart door lock can be a helpful solution. Nuki offers additional access solutions, for example. These include the Nuki Keypad, which requires a six-digit access code, or the Nuki Fob, a small Bluetooth remote control. Of course, the conventional key still works and can therefore also serve as a backup.
When using many Smart Home devices, it is necessary to create a user account. This data is then often stored in the cloud. Nuki has deliberately chosen a different way. After all, the most secure data is the data you don’t have to enter at all. All Nuki products (exception: Nuki Box) can be used without a user account. More information on user data protection
This applies to local use via Bluetooth as well as to remote access via WLAN. In both cases, personal and security-related data is only stored on your end devices. The only exception is Nuki Web. Activating Nuki Web is optional and very convenient in some cases: With Nuki Web you can manage your Nuki devices easily on your PC or laptop. A Nuki Web account is also required for some Smart Home systems like Google Home and Amazon Alexa. In addition, Nuki Web is a cloud service, which means your data is cached on our servers.
To ensure a consistently high level of security, we provide regular software and app updates. This way, your devices and the app are constantly protected against new potential risks. There has never been a security-related incident in which a Nuki user has been harmed. Nevertheless, we recommend our users always keep the software of their Nuki products up to date.
This is how you update your devices:
Updating the Smart Lock, Opener and Bridge is done in just a few steps:
Make sure your smartphone is within Bluetooth range of the devices.
You will need the admin PIN code of the Smart Lock. If you do not have it, contact the owner of the products, or ask the owner directly to install the update.
Go to “Settings” > “Administration” > “Firmware Update”.
Tip: If you use your Smart Lock and/or your Opener with a Bridge, you should activate Auto Update on your smartphone. This way, updates will be installed automatically in the future.
These are the steps to install the update on Keypad and Fob:
You have to have direct access to the device itself.
Select “Manage my devices” in the menu and then click on the device type.
Then go to “Manage device” and connect the device as described in the app.
You can now install the firmware update.
We hope that we’ve managed to answer most of your questions about smart lock security. If you have any more questions, we’d be happy to add them to this post.