A spectrum-painted image captured with KiwiSDR.
KiwiSDR is a piece of hardware that uses a software-defined radio to monitor transmissions in its local area and stream them over the Internet. A predominantly hobbyist user base does all sorts of cool things with the playing-card-sized devices. For example, a user in Manhattan could connect one to the Internet so that people in Madrid, Spain, or Sydney, Australia can listen to AM radio broadcasts or CB radio calls, or even watch thunderstorms roll over Manhattan.
On Wednesday, users learned that their devices had shipped with a back door for years, one that allowed the KiwiSDR creator, and possibly others, to log into the devices with administrative privileges. A remote administrator could then make configuration changes and access data, not only on the KiwiSDR itself but, in many cases, on the Raspberry Pi, BeagleBone Black, or other computing device the SDR hardware is connected to.
A big trust problem
Traces of the back door in KiwiSDR date back to at least 2017. It was recently removed, under unclear circumstances and without any mention of the removal. But despite the removal, users remain unsettled, because the KiwiSDR software runs as root on whatever computing device it is connected to, and that device can often reach other machines on the same network.
“It’s a big trust problem,” a user with the handle xssfox told me. “I wasn’t even aware that there was a back door, and it’s very disappointing to see the developer adding back doors and actively using them without consent.”
Xssfox said they operate two KiwiSDR units, one of them on a BeagleBone Black that uses a custom FPGA to power Pride Radio Group, which lets people in and around Gladstone, Australia listen to radio broadcasts. A page listing public receivers shows that around 600 other devices are also connected to the Internet.
"In my case, the KiwiSDRs are hosted at a remote location that is running other radio experiments. Those could have been accessed. Other KiwiSDR users have sometimes set them up remotely on other people's or companies' networks, or on their home network. It's a bit like the security camera back doors/exploits, but on a smaller scale [and] for amateur radio operators only."
Software-defined radios use software, rather than the dedicated hardware found in traditional radios, to process radio signals. The KiwiSDR plugs into an embedded computer, which in turn shares the locally received signals with a much wider audience over the Internet.
The back door is simple enough. With just a few lines of code, the developer can remotely access any device by entering its URL into a browser and appending a password to the end of the address. From there, whoever uses the back door can make configuration changes not only to the radio but, by default, to the underlying computing device it runs on. Below is a video from xssfox using the back door on their own device and obtaining root access on their BeagleBone.
Short video showing how the back door works on the kiwisdr.
I also tested that touch /root/kiwi.config/opt.no_console alleviates the problem.
Thanks @the6p4c for helping me test 🙂 pic.twitter.com/0xKD1NfvwL
– xssfox (@xssfox) July 15, 2021
Here is a higher-resolution image:
"It looks like the SDR … gets plugged into a BeagleBone ARM Linux board," said HD Moore, a security researcher and CEO of the Rumble network discovery platform. "This shell is on that Linux board. If you compromise it, you can get into the user's network."
The back door lives on
Xssfox said that the underlying computing device, and possibly other devices on the same network, can be accessed as long as a setting called "Console Access" is enabled, as it is by default. Disabling it requires a change in either the admin interface or a configuration file, a change many users likely haven't made. In addition, many devices are rarely, if ever, updated. Even though the KiwiSDR developer has removed the offending code, the back door will live on in devices that haven't been updated, leaving them open to takeover.
Software commits and technical documents such as this one name the developer of KiwiSDR as John Seamons. Seamons did not respond to an email requesting comment for this post.
The user forums were not available at the time of publication. However, screenshots here and here appear to show that Seamons acknowledged the back door back in 2017.
Another worrying aspect of the back door is that, as engineer and user Mark Jessop noted, it communicated over a plain HTTP connection, exposing the cleartext password and the data passing through the back door to anyone able to monitor the device's inbound or outbound network traffic.
However, since KiwiSDR is all HTTP, sending an essentially ‘master’ password in clear text is a little unsettling. KiwiSDR doesn’t support HTTPS and it has been stated that it will never support it. (Dealing with certificates would also be a PITA)
– Mark Jessop (@vk5qi) July 14, 2021
KiwiSDR users who want to check whether their devices have been accessed remotely can do so by running the following command, which searches both the live system log and its rotated, gzip-compressed copies for the "PWD-Admin" marker:
zgrep -- "PWD-Admin" /var/log/messages*
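The one-liner above and the opt.no_console marker from xssfox's tweet are the two checks a KiwiSDR operator actually needs, so here they are combined into one triage script. This is an added example written for this article, not code from Ars, xssfox or the KiwiSDR project. It generalizes the zgrep command to count and list every "PWD-Admin" line across live and rotated (.gz) logs, and reports whether console access has been disabled via /root/kiwi.config/opt.no_console. The function names, the --demo mode and the sample log lines it constructs are assumptions for illustration; only the "PWD-Admin" substring and the marker file path come from the page.

```shell
#!/bin/sh
# Added triage helper for a KiwiSDR host (example code written for this
# article, not from Ars, xssfox or the KiwiSDR project).
#   1. count and list "PWD-Admin" lines in LOGDIR/messages*, reading
#      rotated .gz logs as well as the live file (what zgrep does);
#   2. say whether console access has been disabled via the
#      /root/kiwi.config/opt.no_console marker file from xssfox's tweet.
# The log line layout used by --demo is CONSTRUCTED; only the "PWD-Admin"
# substring and the marker file path come from the article.

# Print a log file, decompressing it if it is a rotated .gz file.
read_log() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# Print every PWD-Admin line under LOGDIR/messages*, prefixed by file name.
list_pwd_admin() {
    for f in "$1"/messages*; do
        [ -f "$f" ] || continue
        read_log "$f" | grep -- "PWD-Admin" | while IFS= read -r line; do
            printf '%s: %s\n' "$f" "$line"
        done
    done
}

# Total number of PWD-Admin lines across all messages* files in LOGDIR.
count_pwd_admin() {
    list_pwd_admin "$1" | wc -l | tr -d ' '
}

# Exit 0 when the opt.no_console marker exists in CFGDIR, 1 otherwise.
console_access_disabled() {
    [ -e "$1/opt.no_console" ]
}

# One-line verdict for LOGDIR (e.g. /var/log) and CFGDIR (e.g. /root/kiwi.config).
report() {
    hits=$(count_pwd_admin "$1")
    if console_access_disabled "$2"; then
        state="console access disabled (opt.no_console present)"
    else
        state="console access ENABLED (default); touch $2/opt.no_console to disable it"
    fi
    printf '%s PWD-Admin log line(s) found; %s\n' "$hits" "$state"
}

# Build a constructed sample tree: one live log, one rotated gzipped log,
# and an empty config dir (console access still enabled). Prints its path.
build_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/log" "$d/cfg"
    cat > "$d/log/messages" <<'EOF'
Jul 14 03:12:01 kiwi kiwid: PWD-Admin login from 203.0.113.7
Jul 14 03:12:02 kiwi kiwid: user connected from 198.51.100.4
EOF
    cat > "$d/log/messages.1" <<'EOF'
Jun 30 22:40:17 kiwi kiwid: PWD-Admin login from 203.0.113.7
Jun 30 22:41:05 kiwi kiwid: PWD-Admin login from 203.0.113.7
EOF
    gzip "$d/log/messages.1"     # becomes messages.1.gz, as logrotate would leave it
    echo "$d"
}

# Usage: sh kiwi_triage.sh --demo
#        sh kiwi_triage.sh /var/log [/root/kiwi.config]
case "${1:-}" in
    --demo) d=$(build_sample); list_pwd_admin "$d/log"; report "$d/log" "$d/cfg"; rm -rf "$d" ;;
    "")     : ;;
    *)      report "$1" "${2:-/root/kiwi.config}" ;;
esac
```

Run it with --demo to see the constructed sample (three hits, console access still enabled), or point it at the real directories on a device. A zero count only says the logs still on disk show nothing; entries that have already rotated out, or a device whose logs were never retained, are not covered, which is why the article's advice to also look at the wider network still applies.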
There is no evidence that anyone used the back door for malicious purposes, but the very existence of this code, and its evident use over the years to access users' devices without permission, is a security breach in itself, and a troubling one at that. Users should at the very least check their devices and networks for signs of compromise and update to v1.461. The truly paranoid should consider unplugging their devices until more details are available.
Listing image by KiwiSDR.