Nuki opener security remote access cannot be switched off / Need for GPS location based remote access restriction

Product name

NUKI OPENER

Summary

If the Opener is connected to a bridge, the smartphone Nuki app for an authorized user (non-admin) will open the door from anywhere in the world, whether or not remote access has been authorized for the given user.

This is a fundamentally insecure design error and leaves the system wide open to a user opening the door by mistake from another location or even by someone unauthorized in possession of the user’s phone. It should be possible to limit the use of the app to ONLY when the phone is in physical proximity to the opener - in or near the building.

Switching off or on remote access in Nuki web for a non-admin user of the opener makes no difference at all. The remote access from anywhere remains.

Have discussed this with NUKI Support. They inform that such limitation is available for the Smart lock, but not for the Opener + Bridge. So the NUKI team know how to do it. The support say that they have no information about any planned implementation for the opener.

I am astonished that NUKI would think to leave such a hole in the security of the Opener. It is absolutely not OK!

Features

My preference for ‘Located in the building’ is that the user’s smartphone is within range and connected to the same pre-defined SSID as the bridge.
The Nuki app location function can also geo-sense that the phone is in or near the building.

Reason

We are a school. We want our teachers to open the door with the Nuki app ONLY when they are in the building, not by mistake from home or from holiday on some far away island or by someone else with the user’s phone.

We tried to work around this by unplugging the bridge and relying on Bluetooth. But that is not practical because reestablishing the Bluetooth connection at each entry to the building is too slow and sometimes needs 3 or 4 attempts or does not work at all.

Examples

The use case is very clear.
When the non-admin user of the app is away from the building: the opener should present as off line (or unavailable).
When the user approaches the door with their phone: the app notifies that it has connected either via the named wifi to the opener or the location geo-sensing has recognized where it is. The user then can open the door with the app.


Note to Jürgen Pansy 20.5.2022, Thanks for your reply about location awareness and suggestion to make this a feature request, but:

In the discussion forum ‘opener-with-bridge-a-serious-security-breach’, Jürgen Pansy says that you can turn off remote access for each user. That is the point of this feature request. Unless there is some nuance about naming the door (mine is called Porte1), which Nuki support do not know about, turning off remote access for a user has no effect. Whatever setting for the user’s remote access, the non-admin user can open the door from anywhere.

Jürgen Pansy (JuergenNUKI), Dec 21:

If you have your Opener properly configured as “other Door” you can turn on/off remote access for each user individually:

“Other door” has nothing to do with the name of the door. It relates to garden doors and other doors where the Opener can be mounted. Follow the guide for wiring the Opener with unknown intercom systems and you will know what I’m talking of.

Hello Jurgen, Thanks for the prompt reply. We have a known intercom urmet 1133/15. We have configured it and it works. Can you be specific about what exactly it is in the configuration that stops the Remote Access when that setting is switched off in the user management?

Enabling or disabling remote access is not supported when the Opener is used together with an intercom, because it would confuse (most) users if it is done the same way as with the Smart Lock (i.e. by letting the user use the bridge or not based on this setting). Therefore the remote access switch should not be shown in your case (which I guess is a bug in the Apps and we’ll have to follow up on that. This is also why it’s not working, because the firmware of the Opener ignores the setting).

What makes more sense from an end consumer perspective with the Opener connected to an intercom is “a GPS location based remote access restriction”. This does not exist today and is probably what your feature request should be about.

« GPS location based remote access restriction »
Yes that is one way of removing remote access from non-admin users.
What is « confusing » however is the omission of this from the Opener system by Nuki developers. Try explaining that to an insurance assessor when the theft shows no evidence of break in. No, this is not just a feature request, it’s an essential part of the product security that is missing if a non admin user can open the door from anywhere.

As concerns users’ understanding, given the diy tech involved in configuring and connecting the Opener, they have to be made of sterner stuff than you apparently suppose. Confusion indeed!?

I see your sensitivity about GPS location versus named wifi connection. But where is the problem? A connection to a named wifi ssid is not particularly different in principle to a Bluetooth connection to a named Opener device. Certainly better than accidental remote access from a beach bar on a Greek island!

Multiple problems starting from the need to configure the SSID somewhere manually and ending with the problem that most people do not have a WIFI in front of a multi party building. GPS is the much more universal approach which is the reason why it is used by Nuki already for such tasks.

That is the issue. Nuki is NOT using GPS, or any other way like the wifi connection, to limit remote access from the smartphone app to the Opener to the proximity of the relevant building. For further example, if your phone does not have ‘location’ switched on, the app will ask you anyway if you want to open the door.
Nuki needs to study and reinforce the security of the Opener and certainly provide a way to limit the remote access for non-admin users.

Yes, this is what I wrote above:

And this is what you are requesting here in this feature request.
My last comment was just whether a GPS or WIFI SSID based restriction makes more sense to use for that.

“GPS location based remote access restriction” cannot be considered as a security feature, as GPS location can be easily forged.
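
The distinction the thread ends on, as an added example that is not part of the original posts and is not Nuki's code: a restriction based on a position the phone reports about itself, next to one enforced on the device from the channel a command arrived on and the stored per-user switch. All class, field and function names are hypothetical, the coordinates are constructed, and the rule that admins keep remote access is an assumption.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

# Hypothetical model for illustration; none of these names come from Nuki.
class Channel(Enum):
    BLUETOOTH = "bluetooth"  # direct radio link: the phone is physically in range
    BRIDGE = "bridge"        # relayed over the internet: the phone can be anywhere

@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool
    remote_access: bool      # the per-user switch discussed in the thread

@dataclass(frozen=True)
class OpenCommand:
    user: User
    channel: Channel         # observed by the device itself, not sent by the app
    claimed_position: Optional[Tuple[float, float]] = None  # sent by the app

BUILDING = (48.8566, 2.3522)  # constructed coordinates

def allow_by_claimed_position(cmd: OpenCommand, radius_deg: float = 0.001) -> bool:
    """Weak check: trusts a position the phone reports about itself."""
    if cmd.claimed_position is None:
        return False
    lat, lon = cmd.claimed_position
    return abs(lat - BUILDING[0]) <= radius_deg and abs(lon - BUILDING[1]) <= radius_deg

def allow_by_channel(cmd: OpenCommand) -> bool:
    """Device-side check: uses only facts the device observes or stores itself."""
    if cmd.channel is Channel.BLUETOOTH:
        return True
    # Assumption: admins keep remote access; everyone else needs the switch on.
    return cmd.user.is_admin or cmd.user.remote_access

def evaluate(cmd: OpenCommand) -> dict:
    """Run both checks on one command so the two policies can be compared."""
    return {"claimed_position": allow_by_claimed_position(cmd),
            "channel": allow_by_channel(cmd)}
```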