**Lup Yuen Lee 李立源** @lupyuen@qoto.org · 2022-07-25T14:48:47Z

Lup Yuen Lee 李立源 @lupyuen@qoto.org

Multiple vulnerabilities in Nuki Smart Locks (SWD port exposed)

https://research.nccgroup.com/2022/07/25/technical-advisory-multiple-vulnerabilities-in-nuki-smart-locks-cve-2022-32509-cve-2022-32504-cve-2022-32502-cve-2022-32507-cve-2022-32503-cve-2022-32510-cve-2022-32506-cve-2022-32508-cve-2/

Jul 25, 2022, 14:48 · · Tusky · · ·

**chrysn** @chrysn@chaos.social · Jul 25, 2022, 15:24

**chrysn** @chrysn@chaos.social · Jul 25, 2022, 15:24

Jul 25, 2022, 15:24

chrysn @chrysn@chaos.social

@lupyuen I wish the standard reply to that were not to "disable SWD" (or not have debug ports), but to configure chips to lock debugging until an erase-all command was issued, and to make tampering evident.

**chrysn** @chrysn@chaos.social · Jul 25, 2022, 15:25

**chrysn** @chrysn@chaos.social · Jul 25, 2022, 15:25

Jul 25, 2022, 15:25

chrysn @chrysn@chaos.social

@lupyuen Sure it's a bit more work, because it has to be made sure that when the device is erased there is no key material left on, say, still accessible external flashes. But given that vendor driven firmware updates usually end long before the hardware becomes unserviceable, that's what makes the difference between years of post-market usage and landfill.

Resources

Developers

What is Mastodon?

qoto.org

More…