The issue here is relatively simple despite the technical depth the authors go into on the crypto and how it’s used. AES-128 keys are used to encrypt challenge codes for the authentication flow between NFC tags and the alarm system, but the way these AES-128 keys are generated is naive and insecure. They use the system’s current unix timestamp to seed a non-cryptographically secure RNG. Because of this, the number of potential keys is significantly reduced and is practical to bruteforce.