Tiiwee X1 Alarm System Authentication Bypass Vulnerability Allowing Physical Access
Vulnerability
An authentication bypass vulnerability has been identified in the Tiiwee X1 Alarm System, model TWX1HAKV2. It allows an attacker to bypass the system's authentication through a capture-replay attack and gain physical access to a protected facility without triggering an alarm. The root cause is that the 433 MHz radio communication between the alarm system's components (remotes and sensors) is unencrypted and offers no protection against replay: a frame intercepted with a device such as the Flipper Zero remains valid when it is retransmitted.
Impact
Exploiting this vulnerability can lead to unauthorized disarming of the alarm system, allowing an intruder to enter secured areas without detection.
Reproduction
To reproduce this vulnerability, capture the 433 MHz radio signal from a Tiiwee X1 remote with a Flipper Zero. Once the 'disarm' signal has been captured, replaying it disarms the alarm. Alternatively, if only the 'arm' signal was captured, the 'disarm' signal can be recalculated by subtracting two from the signal's ID and then sent.
Remediation
There is no available patch for this vulnerability. Users are advised not to use this device if capture-replay attacks pose a risk to their security.
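To illustrate why the replay succeeds and what a fixed design looks like, the sketch below is an added example, not code from the advisory or from the vendor's firmware: a receiver that trusts a bare over-the-air code is placed beside one that requires a strictly increasing counter and an HMAC over the frame. The key, the frame layout and the command bytes are assumptions made for the demo.

```python
import hashlib
import hmac
import struct
# Constructed example, not the Tiiwee protocol: a fixed-code receiver that
# trusts the bare over-the-air code (replayable) beside one that requires a
# fresh counter and a MAC. Key and frame layout are assumptions for the demo.
SHARED_KEY = b"constructed-demo-key"  # would be provisioned per remote at pairing


class FixedCodeReceiver:
    """Disarms whenever the bare code matches: a frame captured once stays valid."""
    def __init__(self, disarm_code: bytes):
        self.disarm_code = disarm_code
    def handle(self, frame: bytes) -> str:
        return "disarmed" if frame == self.disarm_code else "ignored"


class RollingCodeReceiver:
    """Requires a strictly increasing counter and an HMAC over cmd||counter."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1
    def handle(self, frame: bytes) -> str:
        if len(frame) != 1 + 4 + 16:          # cmd, 32-bit counter, 16-byte tag
            return "ignored"
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):
            return "ignored"                  # forged or corrupted frame
        counter = struct.unpack(">I", body[1:])[0]
        if counter <= self.last_counter:
            return "replay_rejected"          # counter already consumed
        self.last_counter = counter
        return "disarmed" if body[0] == 0x01 else "armed"


def build_frame(key: bytes, cmd: int, counter: int) -> bytes:
    body = bytes([cmd]) + struct.pack(">I", counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:16]


def demo() -> dict:
    fixed, rolling = FixedCodeReceiver(b"\xa5\x5a\x01"), RollingCodeReceiver(SHARED_KEY)
    captured = build_frame(SHARED_KEY, 0x01, counter=7)   # "recorded" disarm frame
    return {
        "fixed_first": fixed.handle(b"\xa5\x5a\x01"),
        "fixed_replay": fixed.handle(b"\xa5\x5a\x01"),    # replay still works
        "rolling_first": rolling.handle(captured),
        "rolling_replay": rolling.handle(captured),       # replay rejected
        "rolling_next": rolling.handle(build_frame(SHARED_KEY, 0x00, counter=8)),
    }
```

The receiver's counter must survive power loss and a small resynchronisation window is needed in practice for remotes pressed out of range; both are omitted here to keep the comparison to the replay check itself.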
