CVE-2023-31762
Description
Weak security in the transmitter of Digoo DG-HAMB Smart Home Security System v1.0 allows attackers to gain full access to the system via a code replay attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Digoo DG-HAMB Smart Home Security System v1.0 uses non-rolling 433MHz RF codes, enabling attackers to capture and replay commands for full system access via SDR.
Vulnerability
The Digoo DG-HAMB Smart Home Security System firmware v1.0 uses 433MHz RF communication between the remote keyfob and the base station without implementing rolling codes [1]. This means that each button press on the keyfob (arm/disarm) transmits the same fixed code every time. An attacker with a software-defined radio (SDR) can capture these transmissions and replay them to trigger alarm actions. The same weakness is present in related devices from Kerui, Blitzwolf, and AGSHome [2].
Exploitation
An attacker needs a software-defined radio (SDR) and a capture/playback tool (e.g., SDR#) to capture the RF signal from the keyfob [1]. The attacker must be within radio range of the target system's 433MHz link and record the transmission when the legitimate user presses a button (e.g., arm/disarm). Since the code is static, the attacker can simply replay the captured signal to the base station to arm or disarm the alarm at will [1][2]. No authentication or additional privileges are required beyond proximity.
Impact
Successful exploitation allows an attacker to remotely arm or disarm the alarm system without any physical access or credentials [1]. This grants full control over the security system's state, bypassing the intended security function. The attack does not disclose sensitive data but directly undermines the system's integrity and availability, as an attacker can disable the alarm to facilitate a physical intrusion or reset the system repeatedly.
Mitigation
As of May 13, 2023, no firmware fix or update has been issued for the Digoo DG-HAMB v1.0 [2]. The vendor has not released a patch, and because the vulnerability is rooted in the hardware design (fixed RF codes), the author believes it cannot be rectified with software updates alone [2]. Users are advised to replace the device with one that uses rolling codes or wired communication. The vulnerability is not listed on CISA KEV as of this writing.
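The contrast behind the advice to move to rolling codes, as an added example that is not from the vendor or the cited write-ups: a fixed-code receiver accepts a recorded frame indefinitely, while a counter-plus-HMAC receiver rejects the same frame the second time. The frame layout, key, window size, command byte and all names are assumptions made for illustration, and the static code is a constructed value.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"    # constructed secret shared at pairing (assumption)
WINDOW = 16                      # assumed tolerance for presses made out of range
DISARM = 0x02                    # assumed command byte
STATIC_CODE = b"\xa5\x5a\x02"    # constructed fixed code, not a real device value

def make_frame(counter, command, key=KEY):
    """Keyfob side: 4-byte counter, 1-byte command, 8-byte truncated HMAC."""
    body = struct.pack(">IB", counter, command)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]

class FixedCodeReceiver:
    """Models the weakness described above: one static code per button."""
    def __init__(self, codes):
        self.codes = set(codes)
    def accept(self, frame):
        return frame in self.codes   # no freshness check, so a replay always passes

class RollingCodeReceiver:
    """Accepts a frame only if its tag verifies and its counter moves forward."""
    def __init__(self, key=KEY, window=WINDOW):
        self.key, self.window, self.last = key, window, 0
    def accept(self, frame):
        if len(frame) != 13:
            return False
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False             # forged or corrupted frame
        counter, _command = struct.unpack(">IB", body)
        if not (self.last < counter <= self.last + self.window):
            return False             # already used (replay) or too far ahead
        self.last = counter          # commit only after every check has passed
        return True

def demo():
    fixed, rolling = FixedCodeReceiver([STATIC_CODE]), RollingCodeReceiver()
    frame = make_frame(1, DISARM)
    return {
        "fixed_first": fixed.accept(STATIC_CODE),
        "fixed_replay": fixed.accept(STATIC_CODE),
        "rolling_first": rolling.accept(frame),
        "rolling_replay": rolling.accept(frame),
        "rolling_next": rolling.accept(make_frame(2, DISARM)),
        "rolling_forged": rolling.accept(struct.pack(">IB", 3, DISARM) + bytes(8)),
    }
```

The receiver must persist its counter across power loss; otherwise a reboot resets it to zero and old frames become valid again.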
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Digoo/DG-HAMB Smart Home Security System
  - Range: v1.0
Patches
No patches discovered yet.