CVE-2022-32509
📋 TL;DR
This vulnerability allows an attacker positioned between a Nuki device and Nuki's cloud service to intercept and tamper with that traffic, because the device firmware does not validate the server certificate on its HTTPS (TLS) connections. It affects Nuki Smart Lock 3.0, Nuki Bridge v1, and Nuki Bridge v2 devices. Since the device accepts any certificate, a man-in-the-middle can terminate TLS with a self-signed certificate, read the plaintext, and manipulate lock-related traffic, potentially leading to unauthorized access.
💻 Affected Systems
- Nuki Smart Lock 3.0
- Nuki Bridge v1
- Nuki Bridge v2
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The NVD entry for this CVE carries no affected-version ranges, so automated matching on firmware version is not possible; use the firmware checks under "How to Verify" below.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could intercept and modify lock/unlock commands, gain physical access to secured premises, or disable security features entirely.
Likely Case
Attackers intercepting communications could manipulate lock states, track user activity, or disrupt smart home functionality.
If Mitigated
With proper network segmentation and monitoring, impact is limited to potential service disruption without physical access compromise.
🎯 Exploit Status
Exploitation requires a position on the network path between the device and Nuki's cloud (for example the same Wi-Fi or LAN segment as the Bridge, or a compromised router upstream). From there the attack is routine and well-documented: redirect the device's traffic with ARP or DNS spoofing and terminate TLS with any certificate, which the vulnerable firmware accepts without checking.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Smart Lock 3.0: 3.3.5+, Bridge v1: 1.22.0+, Bridge v2: 2.13.2+
Vendor Advisory: https://nuki.io/en/security-updates/
Restart Required: Yes
Instructions:
1. Open the Nuki app.
2. Check for firmware updates.
3. Apply the available updates.
4. Devices restart automatically after the update.
🔧 Temporary Workarounds
Network segmentation
Isolate smart lock devices on a separate VLAN to limit the attack surface
Disable remote access
Temporarily disable internet connectivity for affected devices
🧯 If You Can't Patch
- Isolate devices on separate network segment with strict firewall rules
- Monitor the devices' network traffic from a sensor on the segment: the vulnerable firmware will not report certificate failures itself, so look for TLS sessions from device IPs to unexpected endpoints, server certificates from an unexpected issuer, and any plain HTTP
🔍 How to Verify
Check if Vulnerable:
Check firmware version in Nuki app: Settings > Device Information > Firmware Version
Check Version:
N/A - Use Nuki mobile app interface
Verify Fix Applied:
Confirm firmware version is at or above patched versions: Smart Lock 3.0 ≥ 3.3.5, Bridge v1 ≥ 1.22.0, Bridge v2 ≥ 2.13.2
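The comparison above is easy to get wrong when done on strings ("3.3.10" sorts before "3.3.5"). The following is an added example for this page, not a Nuki tool: it parses the firmware version shown in the app into integer tuples and checks each device type against the patched releases listed here. The accepted version-string format (dotted integers, optional leading "v" or trailing suffix) and the inventory in the usage block are assumptions.

```python
"""Check a Nuki firmware version string against the patched releases on this page.

Added example; not Nuki's code. Thresholds are the page's (3.3.5 / 1.22.0 / 2.13.2);
the version-string format is an assumption about what the app displays.
"""
import re

PATCHED = {
    "smartlock3": (3, 3, 5),   # Nuki Smart Lock 3.0
    "bridge1": (1, 22, 0),     # Nuki Bridge v1
    "bridge2": (2, 13, 2),     # Nuki Bridge v2
}


def parse_version(text: str) -> tuple:
    """Turn '3.3.5', 'v2.13.2' or '1.22.0-beta' into a comparable tuple of ints."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(device: str, version: str) -> bool:
    """True if the installed version is at or above the fixed release for that device type."""
    need = PATCHED[device]
    have = parse_version(version)
    width = max(len(need), len(have))
    # Pad so '2.13' compares as 2.13.0; integer tuples avoid '3.3.10' < '3.3.5' string ordering.
    have = have + (0,) * (width - len(have))
    need = need + (0,) * (width - len(need))
    return have >= need


def assess(inventory: dict) -> dict:
    """Map device name -> (version, verdict) for an inventory of {name: (device_type, version)}."""
    return {
        name: (ver, "patched" if is_patched(kind, ver) else "vulnerable")
        for name, (kind, ver) in inventory.items()
    }


if __name__ == "__main__":
    # Constructed inventory (assumption), as read off the app's Device Information screen.
    sample = {
        "front-door-lock": ("smartlock3", "3.3.4"),
        "hallway-bridge": ("bridge2", "v2.13.2"),
        "garage-bridge": ("bridge1", "1.21.9-beta"),
    }
    for name, (ver, verdict) in assess(sample).items():
        print(f"{name}: {ver} -> {verdict}")
```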
📡 Detection & Monitoring
Log Indicators:
- None on the device itself: the vulnerable firmware accepts any certificate, so it never logs a validation failure. Indicators must come from a network sensor with its own trust store (for example Zeek with certificate validation enabled, or an IDS) watching the devices' segment
- TLS sessions from a device IP whose server certificate fails validation at the sensor, is self-signed, or is issued by a CA not seen in your baseline for Nuki's cloud endpoints
Network Indicators:
- Unencrypted HTTP traffic from Nuki devices
- Nuki cloud hostnames resolving to, or being served from, a local or otherwise unexpected address (ARP/DNS spoofing on the devices' segment)
SIEM Query:
N/A - the devices do not ship logs to an enterprise SIEM. If a network sensor feeds the SIEM, pivot on the devices' source IPs and alert on TLS sessions whose server certificate did not validate or whose responder is not Nuki's cloud endpoint.
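The detection logic above, worked through as an added example for this page (not Nuki's or NCC Group's code): it reads Zeek ssl.log records in JSON form and flags sessions from the lock devices that look like interception. The device addresses, the issuer allowlist and the four sample records are constructed assumptions, not captured data; the `validation_status` field assumes Zeek's validate-certs policy script is loaded.

```python
"""Flag TLS sessions from Nuki devices that look like interception.

Added example for this page, not Nuki's or NCC Group's code. Input is Zeek
ssl.log in JSON-lines form; device IPs, issuer allowlist and the sample
records are constructed assumptions.
"""
import ipaddress
import json

# Assumption: LAN addresses of the Nuki Bridge / Smart Lock on this network.
NUKI_DEVICE_IPS = {"192.168.50.20", "192.168.50.21"}

# Assumption: issuer DN fragments observed on Nuki's cloud endpoints.
# Build this allowlist from your own baseline capture, not from this file.
EXPECTED_ISSUER_FRAGMENTS = ("O=Let's Encrypt", "O=DigiCert Inc")

# Constructed Zeek ssl.log lines (JSON log format; validation_status comes from
# policy/protocols/ssl/validate-certs). Not real captures.
SAMPLE_SSL_LOG = """
{"ts":1658750000.1,"uid":"C1","id.orig_h":"192.168.50.20","id.resp_h":"34.120.0.5","id.resp_p":443,"version":"TLSv12","server_name":"api.nuki.io","subject":"CN=api.nuki.io","issuer":"CN=R3,O=Let's Encrypt,C=US","validation_status":"ok"}
{"ts":1658750031.7,"uid":"C2","id.orig_h":"192.168.50.20","id.resp_h":"192.168.50.99","id.resp_p":443,"version":"TLSv12","server_name":"api.nuki.io","subject":"CN=api.nuki.io","issuer":"CN=api.nuki.io","validation_status":"self signed certificate"}
{"ts":1658750045.0,"uid":"C3","id.orig_h":"192.168.50.30","id.resp_h":"192.168.50.99","id.resp_p":443,"version":"TLSv12","server_name":"example.org","subject":"CN=example.org","issuer":"CN=example.org","validation_status":"self signed certificate"}
{"ts":1658750060.2,"uid":"C4","id.orig_h":"192.168.50.21","id.resp_h":"10.0.0.7","id.resp_p":443,"version":"TLSv12","server_name":"api.nuki.io","subject":"CN=api.nuki.io","issuer":"CN=Corp Proxy CA,O=Corp,C=US","validation_status":"ok"}
"""


def _is_private(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False


def suspicious_reasons(rec: dict) -> list:
    """Return why one ssl.log record looks like interception of a Nuki device (empty if clean)."""
    if rec.get("id.orig_h") not in NUKI_DEVICE_IPS:
        return []  # some other host; the lock firmware's blind trust is not in play
    reasons = []
    status = rec.get("validation_status", "")
    # The device never fails validation itself; the sensor's trust store does it for us.
    if status != "ok":
        reasons.append(f"sensor could not validate server certificate: {status}")
    issuer = rec.get("issuer", "")
    if not any(frag in issuer for frag in EXPECTED_ISSUER_FRAGMENTS):
        reasons.append(f"issuer not in Nuki baseline: {issuer}")
    # A cloud hostname answered by an RFC 1918 address is the usual ARP/DNS-spoofing tell.
    if rec.get("server_name", "").endswith("nuki.io") and _is_private(rec.get("id.resp_h", "")):
        reasons.append(f"nuki.io SNI served from private address {rec.get('id.resp_h')}")
    return reasons


def scan(ssl_log_text: str) -> list:
    """Parse JSON-lines ssl.log text and return findings as {uid, device, reasons} dicts."""
    findings = []
    for line in ssl_log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        reasons = suspicious_reasons(rec)
        if reasons:
            findings.append({"uid": rec["uid"], "device": rec["id.orig_h"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_SSL_LOG):
        print(f"{f['device']} session {f['uid']}:")
        for r in f["reasons"]:
            print(f"  - {r}")
```

Record C4 shows why the issuer baseline matters: a corporate TLS-inspection proxy produces a certificate the sensor trusts (`validation_status` is "ok"), yet it is still a third party decrypting the lock's traffic, so the issuer and responder checks must fire independently of the validation result.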
🔗 References
- https://latesthackingnews.com/2022/07/28/multiple-security-flaws-found-in-nuki-smart-locks/
- https://nuki.io/en/security-updates/
- https://research.nccgroup.com/2022/07/25/technical-advisory-multiple-vulnerabilities-in-nuki-smart-locks-cve-2022-32509-cve-2022-32504-cve-2022-32502-cve-2022-32507-cve-2022-32503-cve-2022-32510-cve-2022-32506-cve-2022-32508-cve-2/
- https://www.hackread.com/nuki-smart-locks-vulnerabilities-plethora-attack-options/