-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2025-006
Product:                   Tiiwee X1 Alarm System
Manufacturer:              Tiiwee B.V.
Affected Version(s):       TWX1HAKV2
Tested Version(s):         TWX1HAKV2
Vulnerability Type:        Authentication Bypass by Capture-replay 
                           (CWE-294)
Risk Level:                CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Solution Status:           Open
Manufacturer Notification: 2025-01-27
Public Disclosure:         2025-05-12
CVE Reference:             CVE-2025-30072
Author of Advisory:        Sebastian Auwärter, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~

Overview:

Tiiwee X1 Alarm System is an alarm system which contains a base station
and
various components like motion detectors, door sensors and remotes. The
components communicate via 433 MHz radio signals.

The manufacturer describes the product as follows (see [2]):

"The Tiiwee Alarm Kit is a versatile alarm system that detects if
people or
animals are entering your home or shop."

Due to missing security features like key rolling or encryption in the
433 MHz 
radio communication, the alarm system is vulnerable to replay attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~

Vulnerability Details:

The radio signal of the alarm system remote can be captured and
replayed using
appropriate antennae and, for example, software-defined radio software.
Once
any signal from the software is captured, it can be either directly
replayed
(in case the "disarm" signal is captured) or recalculated and sent (in
case
only the "arm" signal is captured).

According to the Flipper Zero (see [3]) used, the protocol is
"Princeton",
which contains an ID that is being evaluated for arming and disarming
the
alarm system. For calculating the ID of the signal for disarming if
only the
signal for arming has been captured, subtract two from the ID.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~

Proof of Concept (PoC):

Using a Flipper Zero hardware, go to Sub-GHz. Read and capture the
signals for
disarming the alarm system by pressing the disarm button on a remote.
Arm the
alarm system again by pressing the arm button on the remote. Now, the
alarm
system can be disarmed again by selecting and sending the captured
signal using
the Flipper Zero.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~

Solution:

Do not use this device if capture replay attacks are a valid attack
vector for
your assets.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~

Disclosure Timeline:

2025-01-22: Vulnerability discovered
2025-01-27: Vulnerability reported to manufacturer
2025-05-12: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~

References:

[1] Amazon link for the Tiiwee X1 Alarm System
    https://www.amazon.de/dp/B08B8T95NH
[2] Product manual for the Tiiwee X1 Alarm System
   
https://cdn.shopify.com/s/files/1/1880/6197/files/Manual_Tiiwee_X1_ALL_LANGUAGES_WEB.pdf?406
[3] Flipper Zero homepage
    https://flipperzero.one/
[4] SySS Security Advisory SYSS-2025-006
   
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-006.txt
[5] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~

Credits:

This security vulnerability was found by Sebastian Auwärter of SySS
GmbH.

E-Mail: sebastian.auwaerter@syss.de
LinkedIn: https://de.linkedin.com/in/sebastian-auw%C3%A4rter-156035305
Public Key: https://www.syss.de/kontakt/pgp-keys
Key Fingerprint: F98C 3E12 6713 19D9 9E2F BE3E E9A3 0D48 E2F0 A8B6

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS 
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~

Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE+Yw+EmcTGdmeL74+6aMNSOLwqLYFAmgi8DwACgkQ6aMNSOLw
qLaYFA/9FPRpn9F+eNEyQe205Kvu0Fwyq9eLOiDHkFDhnx3AFwg/AnrLqFoxjuRA
r2G5RGc6CluvRTaR5y40F6wCb4QhGr51UhhClRcfQJ7wt0yOAGwiAEMgHHDjDcc/
Tm2O/zHPheS+MGHA/S7jUU2nCac/0/T1IJr5KaWJ7jOsR+2v8fLXk3fG5wX3sSNe
b4bPkSR6Sjtx7nEdTnEsSbU2bT5h/0PEQdtBEv6vOGNpDmAWCyNgAnnuhCuH8jy0
6/19vQeb5Wu+dA+x3z/n4jrHTW8U5WkemCWDZoCtCQ+XDL0fSsipsQJ+Au/Bv2rT
yB+/8nakbvcxb6kPwkqOJ4cUMUIeHO6xUcM15I3pivvdmFQIR8uwzQOLSYji0tQG
6bA3HZ8gFBsIfDkwdevaXWiq+dlbVJKUEO8bnb0tIDeSw/KoAmWTV7Hcmu8Fai4g
fpYfi0G6BcQL5SrXww6Ouhv9N3SmeR6Dn+HYNOGC4vfmyMlkpmjMmaHNGLHacqhy
J6+FNQKgfhE027mQnJaMP8SQoK8bpeNyEmUEdAIZa/YHJywcCAQ5g8SqYwwnewm2
LAUnT++BHRYB4jPplvkfCVP1dGGCSuVxErDV6xruK9WZjyDcz4rImhd38Tf2JiOA
AXbhtaffbSGKwGTEj7GnXhfgxNipFq570fWnAx+bkbEmWRLdJAo=
=ANhN
-----END PGP SIGNATURE-----