CVE-2023-31761
Description
Weak security in the transmitter of Blitzwolf BW-IS22 Smart Home Security Alarm v1.0 allows attackers to gain full access to the system via a code replay attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Blitzwolf BW-IS22 Smart Home Security Alarm v1.0 uses non-rolling 433MHz RF codes, allowing attackers to capture and replay arm/disarm commands via SDR, gaining full control.
Vulnerability
The Blitzwolf BW-IS22 Smart Home Security Alarm running firmware v1.0 communicates with its remote keyfob using 433MHz RF signals. The device does not implement rolling codes, meaning each keypress transmits the same fixed code [1]. This design weakness allows an attacker to capture the RF transmission with a software-defined radio (SDR) and replay it to trigger the same action [1][2]. The vulnerability lies in the transmitter, which sends that fixed code, and in the base station, which performs no code verification that would provide replay protection [1][2].
Exploitation
An attacker needs physical proximity to the target alarm (within the 433MHz transmission range, typically tens of meters) and a software-defined radio (e.g., RTL-SDR) with appropriate software to capture and replay RF signals [1]. The attacker first records the transmissions of the arm or disarm button press from the legitimate keyfob. The captured raw IQ data is identical for each keypress [1]. The attacker then transmits the recorded signal using a compatible RF transmitter, causing the base station to execute the replayed command as if it came from the authorized keyfob [1][2]. No authentication or user interaction is required beyond the initial capture of a single transmission [1][2].
Impact
A successful attack allows the attacker to remotely arm or disarm the Blitzwolf BW-IS22 alarm at will, effectively gaining full control over the alarm system's state [1]. This compromises the system's integrity and availability, as the attacker can disable the alarm before a physical intrusion or set it off to cause a nuisance. The confidentiality of the premises is undermined because the alarm's deterrent function is nullified [1].
Mitigation
As of the disclosure date (May 13, 2023) and the latest available references, no firmware update or patch has been issued for the Blitzwolf BW-IS22 [2]. The vendor has not addressed the vulnerability, and given that the root cause is a hardware-level lack of rolling code support, a software-only fix is unlikely [2]. Users are advised to consider replacing the device with a system that uses rolling codes or a hardwired alarm. The devices are not listed on the CISA KEV catalog as of the publication date.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
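The Mitigation section above recommends a system that uses rolling codes. As an added illustration (not code from the vendor, the CVE record or its references), the Python sketch below contrasts a receiver that accepts one fixed frame with a receiver that checks a per-press counter and an HMAC tag. The frame layout, key, command byte, tag length and window size are assumptions chosen for the example, and the counter-plus-HMAC scheme is a generic one, not any specific product's rolling-code algorithm.

```python
import hashlib
import hmac

DISARM = 0x02                            # constructed command byte
FIXED_FRAME = bytes.fromhex("a5c3f102")  # constructed stand-in for a fixed keyfob code
TAG_LEN = 8                              # truncated HMAC-SHA256 tag (assumed size)

def _tag(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class FixedCodeReceiver:
    """Behaviour described on this page: one static frame, accepted every time."""
    def __init__(self, code: bytes):
        self.code = code
    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.code)

class Keyfob:
    """Transmitter that never sends the same frame twice."""
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0
    def press(self, command: int) -> bytes:
        self.counter += 1
        body = self.counter.to_bytes(4, "big") + bytes([command])
        return body + _tag(self.key, body)

class RollingCodeReceiver:
    WINDOW = 16  # tolerate presses made out of range (assumed value)
    def __init__(self, key: bytes):
        self.key, self.last = key, 0
    def accept(self, frame: bytes) -> bool:
        if len(frame) != 5 + TAG_LEN:
            return False
        body, tag = frame[:5], frame[5:]
        if not hmac.compare_digest(tag, _tag(self.key, body)):
            return False                  # forged or corrupted frame
        counter = int.from_bytes(body[:4], "big")
        if not self.last < counter <= self.last + self.WINDOW:
            return False                  # stale (replayed) or far-future counter
        self.last = counter               # every older frame is now rejected
        return True

def demo():
    key = b"constructed-demo-key"
    fixed = FixedCodeReceiver(FIXED_FRAME)
    fob, rx = Keyfob(key), RollingCodeReceiver(key)
    frame = fob.press(DISARM)
    # Present each frame twice: the second presentation is the replay.
    return [fixed.accept(FIXED_FRAME) for _ in range(2)], [rx.accept(frame), rx.accept(frame)]
```

`demo()` returns the accept decisions for the first and second presentation of the same frame: the fixed-code receiver accepts both, the counter-checking receiver accepts only the first.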
Affected products
- Blitzwolf/BW-IS22 Smart Home Security Alarm
Patches
No patches discovered yet.
References