KiwiSDR is hardware that uses a software-defined radio to monitor broadcasts in a local area and transmit them over the Internet. A mostly hobbyist user base does all sorts of cool things with the card-sized devices. For example, a user in Manhattan could connect one to the Internet so that people in Madrid, Spain, or Sydney, Australia, could listen to AM radio broadcasts, CB radio conversations, or even watch thunderstorms in Manhattan.
On Wednesday, users learned that for years, their devices had been equipped with a backdoor that allowed the creator of KiwiSDR, and possibly others, to log into the devices with administrative system rights. The remote administrator could then make configuration changes and access data not only for KiwiSDR but, in many cases, for Raspberry Pi, BeagleBone Black, or other computing devices to which the SDR hardware is connected.
A big trust issue
Signs of the back door in KiwiSDR date back to at least 2017. The back door was recently removed, without any mention of the removal, under unclear circumstances. But despite the removal, users remain uneasy, since the devices run as root on whatever computing device they are connected to and can often reach other devices on the same network.
“It’s a big trust problem,” a user who goes by the handle xssfox told me. “I didn’t fully know there was a backdoor, and it’s very disappointing to see the developer adding backdoors and actively using them without consent.”
Xssfox said they run two KiwiSDR devices, one on a BeagleBone Black that uses a custom FPGA, to operate Pride Radio Group, which lets people listen to radio broadcasts in and around Gladstone, Australia. A page listing public receivers shows that approximately 600 other devices are also connected to the Internet.
In my case, the KiwiSDRs are hosted at a remote site that has other radio experiments running. They could have gotten access to those. Other KiwiSDR users sometimes set them up in remote locations using other people’s or companies’ networks, or on their home network. It’s kind of like security camera vulnerabilities or back doors, but on a smaller scale [and] just ham radio people.
Software-defined radios use software, rather than the standard hardware found in traditional radio equipment, to process radio signals. The KiwiSDR connects to an integrated computer, which in turn shares local signals with a much larger base of people.
The back door is pretty simple. A few lines of code allow the developer to remotely access any device by entering its URL in a browser and appending a password to the end of the address. From there, the person using the back door can make configuration changes not only to the radio device but, by default, also to the underlying computing device it runs on. Here is a video from xssfox using the back door on their own device and gaining root access to the BeagleBone.
Quick video showing how the back door of the kiwisdr works.
I also tested that touch /root/kiwi.config/opt.no_console mitigates the problem
– xssfox (@xssfox) July 15, 2021
Here’s a higher resolution image:
“It looks like the SDR … plugs into a BeagleBone Arm Linux board,” HD Moore, security expert and CEO of network discovery platform Rumble, told me. “This shell is on that Linux board. If you have it, you can get into the user’s network.”
The back door is still alive
Xssfox said that access to the underlying computing device, and possibly to other devices on the same network, is possible as long as a setting called “console access” is enabled, as it is by default. Disabling access requires a change in the admin interface or a configuration file, a change that many users are unlikely to have made. Also, many devices are rarely, if ever, updated. So even though the KiwiSDR developer has removed the offending code, the back door will remain on those devices, leaving them vulnerable to takeover.
Software commits and technical documents such as this one name the KiwiSDR developer as John Seamons. Seamons did not respond to an email seeking comment for this post.
Another worrying aspect of the back door is that, as engineer and user Mark Jessop noted, it communicated over an HTTP connection, exposing the plaintext password and any data sent over the back door to anyone who could monitor the traffic entering or leaving the device.
However, since KiwiSDR is HTTP only, sending what is essentially a clear ‘master’ password is a bit of a concern. KiwiSDR does not support HTTPS and it has been said that it will never support it. (Dealing with certificates would also be a PITA)
– Mark Jessop (@vk5qi) July 14, 2021
KiwiSDR users who want to check whether their devices have been accessed remotely can do so by running the command:
zgrep -- "PWD admin" /var/log/messages*
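As an added example, not code from the article or from the KiwiSDR project, the following POSIX shell script packages the two checks the article describes: scanning /var/log/messages and its rotated, possibly gzip-compressed copies for the "PWD admin" string (the same search the zgrep command above performs), and checking whether the /root/kiwi.config/opt.no_console mitigation file that xssfox tested is in place. The log and config directories are parameters so the script can be exercised against sample logs; the log lines used in testing are constructed and are not real KiwiSDR output.

```shell
#!/bin/sh
# Added example (not KiwiSDR project code): audit a KiwiSDR host for
# recorded remote admin logins and for the console-access mitigation.

# Count "PWD admin" lines across $logdir/messages* (plain or .gz), printing
# each matching line to stderr for review and echoing the total count.
kiwi_count_admin_logins() {
    logdir="${1:-/var/log}"
    n=0
    for f in "$logdir"/messages*; do
        [ -f "$f" ] || continue            # glob matched nothing
        case "$f" in
            *.gz) reader="gzip -dc" ;;     # rotated, compressed log
            *)    reader="cat" ;;          # current, plain-text log
        esac
        matches=$($reader "$f" | grep -- "PWD admin") || true
        [ -n "$matches" ] || continue
        printf '%s\n' "$matches" >&2
        n=$((n + $(printf '%s\n' "$matches" | wc -l)))
    done
    echo "$n"
}

# Succeed (exit 0) when opt.no_console exists, i.e. console access is off.
kiwi_console_disabled() {
    cfgdir="${1:-/root/kiwi.config}"
    [ -e "$cfgdir/opt.no_console" ]
}

# Verdict: 0 = no logins recorded and console disabled,
#          1 = remote admin logins found in the logs,
#          2 = no logins found but console access is still enabled.
kiwi_audit() {
    logdir="${1:-/var/log}"
    cfgdir="${2:-/root/kiwi.config}"
    n=$(kiwi_count_admin_logins "$logdir")
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $n remote admin login(s) recorded in $logdir/messages*" >&2
        return 1
    fi
    if ! kiwi_console_disabled "$cfgdir"; then
        echo "WARNING: console access enabled; run: touch $cfgdir/opt.no_console" >&2
        return 2
    fi
    echo "OK: no admin logins recorded and console access is disabled" >&2
    return 0
}
```

Run as root on the BeagleBone with no arguments to use the real paths; a non-zero exit code means either the logs show remote admin access or the mitigation has not been applied.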
There is no indication that anyone used the back door to do malicious things, but the very existence of this code and its apparent use over the years to access users’ devices without permission is itself a security breach, and a disturbing one. At a minimum, users should inspect their devices and networks for signs of compromise and update to v1.461. The truly paranoid should consider unplugging their devices until more details are available.
Listing image by KiwiSDR