For years, a backdoor in the popular KiwiSDR product gave the project developer root access.

[Image: A spectrum-painted image made with KiwiSDR. Credit: xssfox]

KiwiSDR is hardware that uses a software defined radio to monitor broadcasts in a local area and transmit them over the Internet. A mostly hobbyist user base does all sorts of cool things with card-sized devices. For example, a user in Manhattan could connect one to the Internet so that people in Madrid, Spain, or Sydney, Australia, could listen to AM radio broadcasts, CB radio conversations, or even watch thunderstorms in Manhattan.

On Wednesday, users learned that for years, their devices had been equipped with a backdoor that allowed the creator of KiwiSDR, and possibly others, to log into the devices with administrative system rights. The remote administrator could then make configuration changes and access data not only for KiwiSDR but, in many cases, for Raspberry Pi, BeagleBone Black, or other computing devices to which the SDR hardware is connected.

A big trust issue

Signs of the back door in KiwiSDR date back to at least 2017. The back door was recently removed, without any mention of the removal, under unclear circumstances. But despite the removal, users remain uneasy, because the devices run as root on whatever computing device they are connected to and can often reach other devices on the same network.

“It’s a big trust problem,” a user who goes by the handle xssfox told me. “I didn’t fully know there was a backdoor, and it’s very disappointing to see the developer adding backdoors and actively using them without consent.”

Xssfox said they run two KiwiSDR devices, one on a BeagleBone Black that uses a custom FPGA, for the Pride Radio Group, which lets people listen to radio broadcasts in and around Gladstone, Australia. A page listing publicly accessible receivers shows that approximately 600 other devices are also connected to the Internet.

Xssfox added:

In my case, the KiwiSDRs are hosted on a remote site that has other radio experiments running. They could have gotten access to those. Other KiwiSDR users sometimes configure them in remote locations using other people’s / companies’ networks, or on their home network. It’s kind of like security camera vulnerabilities or back doors, but on a smaller scale. [and] just ham radio people.

Software-defined radios use software, rather than the standard hardware found in traditional radio equipment, to process radio signals. The KiwiSDR connects to an integrated computer, which in turn shares local signals with a much larger base of people.

The back door is pretty simple. A few lines of code allow the developer to remotely access any device by entering its URL in a browser and appending a password to the end of the address. From there, the person using the back door can make configuration changes not only to the radio device but, by default, also to the underlying computing device it runs on. Here is a video from xssfox using the back door on their own device and gaining root access to their BeagleBone.

Here’s a higher resolution image:

“It looks like the SDR … plugs into a BeagleBone Arm Linux board,” HD Moore, security expert and CEO of network discovery platform Rumble, told me. “This shell is on that Linux board. If you do, you can enter the user’s network.”

The back door is still alive

Xssfox said that access to the underlying computing device, and possibly other devices on the same network, is possible as long as a setting called “console access” is enabled, as it is by default. Disabling that access requires a change in the admin interface or a configuration file, which many users are unlikely to have made. Also, many devices are rarely, if ever, updated. So even though the KiwiSDR developer has removed the offending code, the back door will remain on those devices, leaving them vulnerable to takeover.

Software releases and technical documents such as this one name the KiwiSDR developer as John Seamons. Seamons did not respond to an email seeking comment for this post.

User forums were not available at the time of publication. Screenshots here and here, however, appear to show Seamons acknowledging the back door as early as 2017.

Another worrying aspect of the back door is that, as engineer and user Mark Jessop pointed out, it communicated over a plain HTTP connection, exposing the password and any data sent over the backdoor connection in cleartext to anyone who could monitor traffic entering or leaving the device.

KiwiSDR users who want to check if their devices have been accessed remotely can do so by running the command

zgrep -- "PWD admin" /var/log/messages*
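The one-line check above scans the current syslog file and its rotated copies for the marker the back door leaves. The script below is an added example, not code from the article or from the KiwiSDR project: it wraps that same zgrep check in functions that report and count hits across both plain and gzip-rotated files, and builds a constructed sample log directory so the check can be exercised offline. The log line format used in the sample is an assumption for illustration only.

```shell
#!/bin/sh
# Added example: wraps the article's zgrep check in reusable functions.
set -eu

# Print "file:line" for every "PWD admin" hit under $1 (plain or .gz).
# Returns 0 if at least one hit was found, 1 otherwise.
scan_admin_pwd_logins() {
    dir=$1
    found=0
    for f in "$dir"/messages*; do
        [ -e "$f" ] || continue
        # zgrep reads gzip-compressed and plain files; -H prefixes the filename.
        if zgrep -H -- "PWD admin" "$f"; then
            found=1
        fi
    done
    [ "$found" -eq 1 ]
}

# Echo the total number of "PWD admin" lines across all log files under $1.
count_admin_pwd_logins() {
    dir=$1
    total=0
    for f in "$dir"/messages*; do
        [ -e "$f" ] || continue
        # zgrep -c exits 1 when there is no match but still prints 0.
        n=$(zgrep -c -- "PWD admin" "$f" || true)
        total=$((total + ${n:-0}))
    done
    echo "$total"
}

# Build a constructed sample log directory under $1: one live syslog file
# and one rotated, gzip-compressed file. Line contents are invented.
make_sample_logs() {
    dir=$1
    mkdir -p "$dir"
    printf '%s\n' \
        'Jul 14 02:11:03 kiwi kiwid: PWD admin ok from 203.0.113.7' \
        'Jul 14 02:11:20 kiwi kiwid: user connected from 203.0.113.9' \
        > "$dir/messages"
    printf '%s\n' \
        'Jun 30 23:59:59 kiwi kiwid: PWD admin ok from 198.51.100.5' \
        > "$dir/messages.1"
    gzip -f "$dir/messages.1"
}
```

On a real device, point the functions at /var/log instead of the sample directory; a non-zero count means the admin password was presented over the backdoor path and the surrounding lines deserve a closer look.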

There is no indication that anyone used the back door to do malicious things, but the very existence of this code, and its apparent use over the years to access users’ devices without permission, is itself a security breach, and a disturbing one. At a minimum, users should inspect their devices and networks for signs of compromise and update to v1.461. The truly paranoid should consider unplugging their devices until more details are available.

Listing image by KiwiSDR

arstechnica.com