For years, a backdoor in popular KiwiSDR product gave root to project developer
KiwiSDR is hardware that uses a software-defined radio to monitor transmissions in a local area and stream them over the Internet. A largely hobbyist base of users does all kinds of cool things with the playing-card-sized devices. For instance, a user in Manhattan could connect one to the Internet so that people in Madrid, Spain, or Sydney, Australia, could listen to AM radio broadcasts, CB radio conversations, or even watch lightning storms in Manhattan.
On Wednesday, users learned that for years, their devices had been equipped with a backdoor that allowed the KiwiSDR creator—and possibly others—to log in to the devices with administrative system rights. The remote admin could then make configuration changes and access data not just for the KiwiSDR but in many cases to the Raspberry Pi, BeagleBone Black, or other computing devices the SDR hardware is connected to.
A big trust problem
Signs of the backdoor in the KiwiSDR date back to at least 2017. The backdoor was recently removed with no mention of the removal under unclear circumstances. But despite the removal, users remain rattled since the devices run as root on whatever computing device they’re connected to and can often access other devices on the same network.
“It’s a big trust problem,” a user with the handle xssfox told me. “I was completely unaware that there was a backdoor, and it’s hugely disappointing to see the developer adding backdoors in and actively using them without consent.”
Xssfox said she runs two KiwiSDR devices, one on a BeagleBone Black that uses a custom FPGA to run the Pride Radio Group, which lets people listen to radio transmissions in and around Gladstone, Australia. A page of public broadcasts shows that roughly 600 other devices are also connected to the Internet.
In my case, the KiwiSDRs are hosted on a remote site that has other radio experiments running. They could have gained access to those. Other KiwiSDR users sometimes have them set up in remote locations using other people’s/companies’ networks, or on their home network. It’s sort of like the security camera backdoors/exploits, but smaller-scale [and] just amateur radio people.
Software-defined radios use software—rather than the standard hardware found in traditional radio equipment—to process radio signals. The KiwiSDR attaches to an embedded computer, which in turn shares local signals with a much wider base of people.
The backdoor is simple enough. A few lines of code allow the developer to remotely access any device by entering its URL in a browser and appending a password to the end of the address. From there, the person using the backdoor can make configuration changes not only to the radio device but, by default, also to the underlying computing device it runs on. Here’s a video of xssfox using the backdoor on her device and getting root access to her BeagleBone.
Quick video showing how the backdoor on the kiwisdr works.
I’ve also tested that touch /root/kiwi.config/opt.no_console mitigates the issue
Thanks @the6p4c for helping me test 🙂 pic.twitter.com/0xKD1NfvwL
— xssfox (@xssfox) July 15, 2021
Here’s an image in higher resolution:
“It looks like the SDR… plugs into a BeagleBone Arm Linux board,” HD Moore, a security expert and CEO of network discovery platform Rumble, told me. “This shell is on that Linux board. Compromising it may get you into the user’s network.”
The backdoor lives on
Xssfox said that access to the underlying computing device—and possibly other devices on the same network—happens as long as a setting called “console access” is turned on, as it is by default. Turning the access off requires a change to either the admin interface or a configuration file, which many users are unlikely to have made. Additionally, many devices are updated rarely, if ever. So even though the KiwiSDR developer has removed the offending code, the backdoor will live on in devices, making them vulnerable to takeover.
Software submissions and technical documents like this one name the developer of KiwiSDR as John Seamons. Seamons didn’t respond to an email seeking comment for this post.
The user forums were unavailable at the time of publication. Screenshots here and here, however, appear to show Seamons admitting to the backdoor as long ago as 2017.
Another troubling aspect to the backdoor is that, as noted by engineer user Mark Jessop, it communicated over an HTTP connection, exposing the plaintext password and data over the backdoored network to anyone who could monitor the traffic coming into or out of the device.
However, given the KiwiSDR is HTTP only, sending what is essentially a ‘master’ password in the clear is a little worrying. KiwiSDR does not support HTTPS, and it’s been stated that it will never support it. (Dealing with certs on it would be a PITA too)
— Mark Jessop (@vk5qi) July 14, 2021
KiwiSDR users who want to check if their devices have been remotely accessed can do so by running the command
zgrep -- "PWD admin" /var/log/messages*
There’s no indication that anyone has used the backdoor to do malicious things, but the very existence of this code and its apparent use over the years to access user devices without permission is itself a security breach—and a disturbing one at that. At a minimum, users should inspect their devices and networks for signs of compromise and upgrade to v1.461. The truly paranoid should consider unplugging their devices until more details become available.
Listing image by KiwiSDR