Freedom Factory dGEN1 Improper Authorization Vulnerability in Alarm Service

Vulnerability

A broken authorization vulnerability has been identified in the Freedom Factory dGEN1 application, in versions prior to 20260221. The issue resides within the AlarmService component of the com.dgen.alarm package. Local applications can trigger an exported BroadcastReceiver, StopReceiver, without proper authorization. Exploitation can lead to the unauthorized cancellation of active alarms, dismissal of alarm notifications, and removal of scheduled alarms, all without user interaction. Consequently, users may miss important alerts or reminders.

Impact

Exploitation of this vulnerability allows a local malicious application to disrupt the functionality of the alarm system by canceling active alarms, dismissing related notifications, and preventing scheduled alarms from ringing. This creates a denial-of-service condition regarding alarm reliability, causing users to miss critical time-sensitive notifications.

Reproduction

To reproduce this vulnerability, a local malicious application must be installed on a device running Freedom Factory dGEN1 prior to 20260221. The malicious application can then send a broadcast to the StopReceiver BroadcastReceiver, which is exported and lacks any permission requirements or caller validation. This broadcast will be received by the AlarmService, which will stop the service, cancel the active alarm notification, and delete any scheduled alarms using the AlarmManager, all without user awareness.

Remediation

The StopReceiver should be marked as 'android:exported="false"' if external access is not needed. If it must remain exported, a custom permission should be enforced to control access, and the receiver should validate the identity of the caller. Alternatively, alarm-control actions could be restricted to internal application components only.
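
A manifest check for the condition described above, as an added example that is not part of the original advisory or the vendor's code: it parses a decoded AndroidManifest.xml and flags exported receivers that have no permission, or a permission that is not signature-level. Both manifests are constructed samples, and the ".StopReceiver" class path and the permission name are hypothetical.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
PERM = "com.dgen.alarm.permission.EXAMPLE_CONTROL"  # hypothetical permission name

# Constructed manifest: the state the advisory describes (exported, no permission).
WEAK = f"""<manifest {NS} package="com.dgen.alarm"><application>
  <receiver android:name=".StopReceiver" android:exported="true"/>
</application></manifest>"""

# Constructed manifest: exported but gated by a signature-level custom permission.
HARDENED = f"""<manifest {NS} package="com.dgen.alarm">
  <permission android:name="{PERM}" android:protectionLevel="signature"/>
  <application>
    <receiver android:name=".StopReceiver" android:exported="true"
              android:permission="{PERM}"/>
  </application></manifest>"""

def audit_receivers(manifest_xml):
    """Return (receiver name, issue) pairs for receivers other apps can reach."""
    root = ET.fromstring(manifest_xml)
    # Protection level of each permission this app declares (default is "normal").
    levels = {p.get(A + "name"): p.get(A + "protectionLevel", "normal")
              for p in root.iter("permission")}
    app = root.find("application")
    app_perm = app.get(A + "permission") if app is not None else None
    findings = []
    for rcv in root.iter("receiver"):
        exported = rcv.get(A + "exported")
        if exported is None:
            # With no explicit value, an intent-filter makes the receiver exported
            # (apps targeting API 31+ must set the attribute explicitly).
            exported = "true" if rcv.find("intent-filter") is not None else "false"
        if exported != "true":
            continue
        name = rcv.get(A + "name")
        perm = rcv.get(A + "permission") or app_perm
        if perm is None:
            findings.append((name, "exported with no permission"))
        elif perm not in levels:
            findings.append((name, f"{perm} not declared here; check its level"))
        elif levels[perm].split("|")[0] not in ("signature", "signatureOrSystem"):
            findings.append((name, f"{perm} is '{levels[perm]}', any app can request it"))
    return findings

if __name__ == "__main__":
    for label, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_receivers(doc))
```

A custom permission left at the default "normal" level is also reported, because any installed app can request it and the receiver would remain reachable.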

Added: Mar 7, 2026, 7:20 PM
Updated: Mar 7, 2026, 7:20 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 4.6
remediation: 0.0
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.