Summary
Weak Security in the PF-50 1.2 keyfob of PGST PG107 Alarm System 1.25.05.hf allows attackers to compromise access control via a code replay attack.
Details
The vulnerability stems from the use of an insecure, fixed-code authentication mechanism in the PF-50 keyfob. Unlike modern secure systems that implement rolling codes or nonce-based handshakes, the PGST PG107 relies on a static bitstream that remains identical for every transmission of a specific command.
When a user presses a button on the keyfob, the device broadcasts a predictable RF signal. Because the alarm base station does not verify the freshness or the sequence of the received frame, it blindly accepts any signal that matches the pre-stored static code.
Once a frame is captured, it can be stored and re-broadcasted indefinitely to trigger the corresponding action on the alarm system, effectively rendering the physical security measures obsolete.
Signal and Frame Analysis
As shown in the provided evidence, the system lacks any dynamic rotation. Each button press generates a pulse train consisting of 16 identical frames. By capturing multiple separate pulse trains and comparing them in a multi-track view, it was confirmed that the bitstream remains constant across different events.

Figure 1: Waterfall view showing the raw RF signal captured at 433.92 MHz during a keyfob button press.

Figure 2: Comparison of multiple distinct pulse trains captured from different presses of the same button, confirming they are identical and lack rolling-code protection.

Figure 3: Analysis of a different RF pulse train, showing the demodulated waveform and its decoded static hexadecimal value 273C61.
The fact that these captures are identical proves that a fixed-code protocol is implemented. The base station accepts any frame matching the stored UID and command bits, regardless of when it was recorded or how many times it has been used.
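The multi-track comparison described above can be reproduced on demodulated bitstreams. The following is an added example, not part of the advisory or the vendor's tooling: it splits each captured pulse train into its 16 frames, checks whether every frame across every press carries the same code, and decodes that code to hex. The captures are constructed for illustration; only the 24-bit value 273C61 and the 16-frames-per-press figure come from the advisory. The contrasting "rolling" captures are also constructed, to show what the same check reports when the code changes on every press.

```python
"""Compare demodulated pulse trains from several button presses to detect a
fixed (static) code. Added example; the bit patterns are constructed for
illustration, except the 24-bit code 0x273C61 reported in the advisory."""

FRAME_BITS = 24          # the decoded code in the advisory (273C61) is 24 bits
FRAMES_PER_TRAIN = 16    # each press emits 16 identical frames per the advisory


def split_frames(bits: str, frame_bits: int = FRAME_BITS) -> list[str]:
    """Cut a demodulated pulse train into fixed-width frames."""
    if len(bits) % frame_bits:
        raise ValueError(f"train length {len(bits)} is not a multiple of {frame_bits}")
    return [bits[i:i + frame_bits] for i in range(0, len(bits), frame_bits)]


def bits_to_hex(bits: str) -> str:
    """Render a bit string as upper-case hex, one digit per nibble."""
    return f"{int(bits, 2):0{len(bits) // 4}X}"


def analyse_trains(trains: list[str]) -> dict:
    """Report whether every frame of every train carries the same code.

    One distinct code across separate presses is the fixed-code signature the
    advisory describes; several distinct codes point to rolling-code behaviour.
    """
    codes = set()
    frames_per_train = []
    for train in trains:
        frames = split_frames(train)
        frames_per_train.append(len(frames))
        codes.update(bits_to_hex(frame) for frame in frames)
    return {
        "static": len(codes) == 1,
        "codes": sorted(codes),
        "frames_per_train": frames_per_train,
    }


def make_train(code: int, repeats: int = FRAMES_PER_TRAIN) -> str:
    """Constructed helper: build a pulse train that repeats one 24-bit code."""
    return f"{code:0{FRAME_BITS}b}" * repeats


# Constructed captures: three separate presses of the same button, each carrying
# the static code the advisory decoded (273C61), 16 frames per press.
STATIC_CAPTURES = [make_train(0x273C61) for _ in range(3)]

# Constructed contrast: a fob whose code changes on every press (values arbitrary).
ROLLING_CAPTURES = [make_train(0x273C61 + n) for n in (1, 2, 3)]

if __name__ == "__main__":
    print("PF-50 style captures:", analyse_trains(STATIC_CAPTURES))
    print("rolling-code captures:", analyse_trains(ROLLING_CAPTURES))
```

Running the script reports a single code, 273C61, for the static captures and three distinct codes for the rolling ones; the same function applied to real demodulator output (for example, a bit string exported from the multi-track view) gives the same verdict.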
PoC
The following scenario illustrates the exploitation of the fixed-code vulnerability using standard RF tools:
- The owner operates the keyfob. Using an SDR or an RF cloner, the attacker records the 433 MHz transmission for the emitted command.
- The attacker replays the recorded frame. The PG107 base station recognizes the static code as a valid authorized command and changes the system state.
Impact
The lack of rolling codes represents a critical failure in the physical access control of the premises. An attacker can record the Disarm signal when the owner is leaving and later replay it to gain full access to the property without triggering any alerts. Since the system cannot distinguish between a legitimate keyfob and a replayed signal, there is a total loss of integrity and non-repudiation in the alarm’s state management.
At the time of this publication, there is no official patch or remediation available from the vendor.
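To make the missing freshness check concrete, here is an added example that is not the vendor's firmware and not part of the advisory. It models two versions of a base station's acceptance logic: one that behaves like the PG107 (any frame equal to the stored static code is accepted, however often it is seen) and one with a counter-and-MAC rolling-code check, in which a previously accepted frame is rejected when presented again. The shared key, the split of 273C61 into a UID and a command byte, and the counter window are all constructed assumptions for illustration.

```python
"""Fixed-code versus rolling-code acceptance at the base station. Added example
(not the vendor's firmware); key, UID/command split and window are constructed."""
import hashlib
import hmac

UID = 0x273C          # constructed: upper 16 bits of 273C61 treated as the fob ID
CMD_DISARM = 0x61     # constructed: lower 8 bits treated as the command byte


class FixedCodeStation:
    """Models the advisory's behaviour: any frame equal to the stored code is
    accepted, no matter when it was recorded or how many times it is sent."""

    def __init__(self, stored_code: int):
        self.stored_code = stored_code

    def accept(self, frame: int) -> bool:
        return frame == self.stored_code


def mac_tag(key: bytes, uid: int, cmd: int, counter: int) -> bytes:
    """Truncated HMAC-SHA256 over (uid, cmd, counter); shared by fob and station."""
    msg = uid.to_bytes(2, "big") + bytes([cmd]) + counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]


class RollingCodeStation:
    """Requires a strictly increasing counter (within a resync window) and a
    valid MAC. A captured frame re-sent later carries a stale counter."""

    def __init__(self, key: bytes, uid: int, window: int = 16):
        self.key = key
        self.uid = uid
        self.window = window        # tolerates presses made out of the receiver's range
        self.last_counter = -1

    def accept(self, frame: tuple[int, int, int, bytes]) -> bool:
        uid, cmd, counter, tag = frame
        if uid != self.uid:
            return False
        if not hmac.compare_digest(tag, mac_tag(self.key, uid, cmd, counter)):
            return False            # forged or corrupted frame
        if not (self.last_counter < counter <= self.last_counter + self.window):
            return False            # replayed (stale) or far-out-of-sync counter
        self.last_counter = counter
        return True


class RollingCodeFob:
    """Constructed fob: each press increments a counter and signs the frame."""

    def __init__(self, key: bytes, uid: int):
        self.key, self.uid, self.counter = key, uid, 0

    def press(self, cmd: int) -> tuple[int, int, int, bytes]:
        self.counter += 1
        return (self.uid, cmd, self.counter, mac_tag(self.key, self.uid, cmd, self.counter))


def run_scenario() -> dict:
    """One legitimate press followed by the same captured frame sent again."""
    key = b"constructed-shared-key"  # constructed; a real design provisions this per fob

    fixed = FixedCodeStation(0x273C61)
    fixed_first = fixed.accept(0x273C61)
    fixed_replay = fixed.accept(0x273C61)      # accepted again: the reported flaw

    fob = RollingCodeFob(key, UID)
    station = RollingCodeStation(key, UID)
    frame = fob.press(CMD_DISARM)
    rolling_first = station.accept(frame)
    rolling_replay = station.accept(frame)     # stale counter: rejected
    rolling_next = station.accept(fob.press(CMD_DISARM))   # fresh press still works
    uid, cmd, ctr, _ = fob.press(CMD_DISARM)
    rolling_forged = station.accept((uid, cmd, ctr, b"\x00\x00\x00\x00"))  # bad MAC

    return {
        "fixed_first": fixed_first, "fixed_replay": fixed_replay,
        "rolling_first": rolling_first, "rolling_replay": rolling_replay,
        "rolling_next": rolling_next, "rolling_forged": rolling_forged,
    }


if __name__ == "__main__":
    for name, accepted in run_scenario().items():
        print(f"{name:15s} -> {'accepted' if accepted else 'rejected'}")
```

The counter window is the usual compromise between replay resistance and usability: it lets the station resynchronise after presses made out of range without accepting any counter it has already seen. The MAC is what prevents an observer from simply incrementing the counter field in a captured frame.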
Disclosure Timeline
| Date | Event |
| --- | --- |
| 2025-11-29 | Initial report sent to MITRE. |
| 2025-12-15 | CVE ID reserved/assigned by MITRE. |
| 2026-02-11 | Public disclosure. |
Credits
Adrià Pérez Montoro (b1n4ri0)