For years, a backdoor in the popular KiwiSDR product gave root to the developer | GeekComparison

A spectrum painted image created using KiwiSDR.

KiwiSDR is hardware that uses a software-defined radio to monitor transmissions in a local area and stream them over the Internet. A largely hobbyist group of users is doing all sorts of cool things with the playing-card-sized devices. For example, a user in Manhattan can connect one to the Internet so that people in Madrid, Spain, or Sydney, Australia, can listen to AM radio broadcasts, CB radio calls, or even watch Manhattan thunderstorms.

On Wednesday, users learned that for years their devices had been equipped with a backdoor that allowed the KiwiSDR maker – and possibly others – to log into the devices with administrative system privileges. The remote administrator can then make configuration changes and access data not only for the KiwiSDR, but in many cases for the Raspberry Pi, BeagleBone Black or other computing devices to which the SDR hardware is connected.

A major trust issue

Signs of the backdoor in the KiwiSDR date back to at least 2017. The backdoor was recently removed, quietly and under unclear circumstances, with no mention of the removal. Despite that, users remain upset, because the devices run as root on every computing device they are connected to and often have access to other devices on the same network.

“It’s a big trust issue,” one user with the handle xssfox told me. “I didn’t know there was a backdoor at all, and it’s extremely disappointing to see the developer add backdoors and actively use them without permission.”

Xssfox said she uses two KiwiSDR devices, one on a BeagleBone Black that uses a custom FPGA to run the Pride Radio Group, which allows people to listen to radio broadcasts in and around Gladstone, Australia. A page with public broadcasts shows that there are about 600 other devices connected to the internet.

Xssfox added:

In my case, the KiwiSDRs are hosted on an external site where other radio experiments are performed. They could have accessed that. Other KiwiSDR users have sometimes set them up in remote locations using other people’s/company’s networks or on their home network. It’s kind of like security camera backdoors/exploits, but on a smaller scale [and] radio amateurs only.

Software-defined radios use software – rather than the standard hardware found in traditional radio equipment – to process radio signals. The KiwiSDR plugs into an embedded computer, which in turn shares local signals with a much wider range of people.

The backdoor is simple enough. With a few lines of code, the developer can remotely access any device by entering its URL into a browser and appending a password to the end of the address. From there, the person using the backdoor can make configuration changes not only to the radio device but, by default, to the underlying computing device it runs on. Here’s one video from xssfox using the backdoor on her device and gaining root access to her BeagleBone.

Here’s a higher resolution image:

“It looks like the SDR… will be plugged into a BeagleBone Arm Linux board,” HD Moore, a security expert and CEO of network discovery platform Rumble, told me. “This shell is on that Linux board. If you compromise it, you could end up in the user’s network.”

The backdoor lives on

Xssfox said that access to the underlying computing device — and possibly other devices on the same network — is possible as long as a setting called “console access” is enabled, as it is by default. Disabling it requires a change in the administrative interface or a configuration file, which probably hasn’t been made by many users. In addition, many devices are rarely if ever updated. So even though the KiwiSDR developer has removed the offending code, the backdoor will live on in deployed devices, leaving them vulnerable to takeover.

Software submissions and technical papers such as this one name the developer of KiwiSDR as John Seamons. Seamons did not respond to an email requesting comment for this post.

The user forums were not available at the time of publishing. Screenshots here and here, however, seem to show Seamons acknowledging the backdoor as early as 2017.

Another disturbing aspect of the backdoor is that, as noted by engineer and user Mark Jessop, it communicated over a plain HTTP connection, exposing the backdoor password and any data passing through it in readable form to anyone who could monitor the traffic entering or leaving the device.

KiwiSDR users who want to check whether their devices have been accessed through the backdoor can do so by running the following command, which searches the current syslog file and its rotated (gzipped) copies:

zgrep -- "PWD admin" /var/log/messages*
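As an added example, not code from the article or from the KiwiSDR project, the following POSIX shell script wraps that log check in a form that is easier to run repeatedly: it scans both the live log and gzip-rotated copies without depending on zgrep being installed, prefixes each hit with the file it came from, and returns a total count. The `PWD admin` marker is the one the article gives; the sample log lines the script builds are constructed for illustration and do not reproduce the real kiwid message format.

```shell
#!/bin/sh
# Added example (not from the article or the KiwiSDR project).
# Assumption: the KiwiSDR image logs to /var/log/messages and rotates
# older copies as /var/log/messages.N.gz, as the article's zgrep implies.

# Emit a file's contents, transparently decompressing .gz copies.
read_log() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# Print every line matching the marker, prefixed with its source file.
# Arguments: log directory (default /var/log), marker (default "PWD admin").
show_backdoor_hits() {
    dir="${1:-/var/log}"
    pattern="${2:-PWD admin}"
    for f in "$dir"/messages*; do
        [ -f "$f" ] || continue
        # "--" ends option parsing so a marker starting with "-" is safe.
        read_log "$f" | grep -- "$pattern" | awk -v f="$f" '{ print f ": " $0 }'
    done
}

# Return (on stdout) the total number of matching lines across all files.
count_backdoor_hits() {
    dir="${1:-/var/log}"
    pattern="${2:-PWD admin}"
    total=0
    for f in "$dir"/messages*; do
        [ -f "$f" ] || continue
        # grep -c exits 1 when nothing matches; "|| true" keeps set -e quiet.
        n=$(read_log "$f" | grep -c -- "$pattern" || true)
        total=$((total + n))
    done
    echo "$total"
}

# Build a constructed sample log directory: one live file and one rotated,
# gzipped file. Addresses are from the TEST-NET ranges; the format is made up.
make_sample_logs() {
    dir="$1"
    cat > "$dir/messages" <<'EOF'
Jun  9 10:01:02 kiwisdr kiwid: client 203.0.113.5 connected
Jun  9 10:01:05 kiwisdr kiwid: PWD admin from 203.0.113.5
Jun  9 10:02:11 kiwisdr kiwid: client 203.0.113.5 disconnected
EOF
    printf '%s\n' \
        'Jun  1 08:15:40 kiwisdr kiwid: PWD admin from 198.51.100.9' \
        'Jun  1 08:20:00 kiwisdr kiwid: client 198.51.100.9 disconnected' \
        | gzip -c > "$dir/messages.1.gz"
}

# Stand-alone run: scan the constructed sample, then clean up.
# On a real device, call show_backdoor_hits with no arguments instead.
sample=$(mktemp -d)
make_sample_logs "$sample"
show_backdoor_hits "$sample"
echo "total hits: $(count_backdoor_hits "$sample")"
rm -rf "$sample"
```

A count of zero only shows that no marker survived in the logs that are still on disk; because syslog rotates and the device may have been rebooted or reflashed, it is not proof the backdoor was never used.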

There is no evidence that anyone has used the backdoor to do malicious things, but the mere existence of this code, and its apparent use over the years to gain unauthorized access to users’ devices, is in itself a security breach – and a disturbing one at that. At a minimum, users should inspect their devices and networks for signs of compromise and upgrade to v1.461. The truly paranoid should consider unplugging their devices until more details become available.

List image by KiwiSDR