For years, a backdoor in the popular KiwiSDR product gave root to the project developer
KiwiSDR is hardware that uses software-defined radio to monitor transmissions in a local area and broadcast them over the Internet. A largely amateur user base does all kinds of cool things with the playing-card-sized devices. For example, a user in Manhattan could connect one to the Internet so that residents of Madrid, Spain, or Sydney, Australia, could listen to AM radio broadcasts, CB radio conversations, or even watch thunderstorms in Manhattan.
On Wednesday, users learned that for years their devices had a backdoor that allowed the creator of KiwiSDR, and possibly others, to log into devices with root privileges. The remote administrator could then make configuration changes and access data not only on the KiwiSDR but, in many cases, on the Raspberry Pi, BeagleBone Black, or other computing device to which the SDR hardware is connected.
A big problem of trust
Signs of the backdoor in the KiwiSDR date back to at least 2017. The backdoor was recently removed, under unclear circumstances and without any mention of the removal. But despite the deletion, users remain shaken, because the KiwiSDR software runs as root on whatever computing device it is installed on and can often reach other devices on the same network.
“It’s a big problem of trust,” a user with the handle xssfox said. “I had no idea there was a backdoor, and it’s extremely disappointing to see the developer adding backdoors and actively using them without consent.”
Xssfox said they use two KiwiSDR devices, one on a BeagleBone Black that uses a custom FPGA to run the Pride Radio Group, which allows people to listen to radio broadcasts in and around Gladstone, Australia. A public list of receivers shows that around 600 other devices are also connected to the Internet. Xssfox continued:
“In my case, the KiwiSDRs are hosted on a remote site where other radio experiments are in progress. They could have accessed it. Other KiwiSDR users sometimes have them installed in remote locations using other people’s or companies’ networks, or on their home network. It’s a bit like backdoors / exploits of security cameras, but on a smaller scale [and] just radio amateurs.”
Software-defined radios use software, rather than the dedicated hardware found in traditional radio equipment, to process radio signals. The KiwiSDR connects to an on-board computer, which in turn shares the local signals with a much larger audience over the Internet.
The backdoor is pretty straightforward. A few lines of code allow the developer to remotely access any device by entering its URL into a browser and appending a password to the end of the address. From there, the person using the backdoor can make configuration changes not only to the radio device but, by default, also to the underlying computing device on which it is running. Here is a video of xssfox using their device’s backdoor and gaining root access to their BeagleBone.
Quick video showing how the backdoor on the Kiwi works.
I have also tested that touch /root/kiwi.config/opt.no_console alleviates the problem
– xssfox (@xssfox) July 15, 2021
“Looks like the SDR … plugs into a Linux BeagleBone ARM board,” HD Moore, security expert and CEO of the Rumble network discovery platform, told me. “This shell is on this Linux board. Compromising it can get you into the user’s network.”
The backdoor lives on
Xssfox has stated that access to the underlying computing device, and possibly to other devices on the same network, is possible as long as a setting called “console access” is enabled, as it is by default. Disabling it requires a change in the administrative interface or in a configuration file, which many users probably haven’t made. Additionally, many devices are updated rarely, if ever. So even though the KiwiSDR developer has removed the offending code, the backdoor will persist on devices that have not been updated, leaving them open to takeover by anyone who knows the password.
Software releases and technical documents name the developer of KiwiSDR as John Seamons. Seamons did not respond to an email requesting comment for this post.
Another troubling aspect of the backdoor is that, as noted by user Mark Jessop, it worked over a plain HTTP connection, exposing the cleartext password, and everything sent over the backdoor session, to anyone who could monitor traffic entering or leaving the device.
However, since KiwiSDR is HTTP only, sending what is essentially a “master” password in the clear is a bit of a concern. KiwiSDR does not support HTTPS, and it has been stated that it will never support it. (Processing certificates on it would also be a PITA.)
– Mark Jessop (@vk5qi) July 14, 2021
KiwiSDR users who want to check whether their devices have been accessed remotely through the backdoor can do so by running the following command on the device:
zgrep -- "PWD admin" /var/log/messages*
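The following script, added here as an example and not code from the article or the KiwiSDR project, turns the two checks discussed above into something an operator can run on the BeagleBone: it tests whether console access has been switched off (using the opt.no_console marker file from xssfox’s tweet, under /root/kiwi.config by default) and it counts and lists the “PWD admin” lines that the zgrep one-liner looks for, across plain and rotated (.gz) syslog files. The kiwi.config path, the exact layout of the sample log lines and the 203.0.113.7 address are assumptions for the demo; the real KiwiSDR log format may differ, so treat the “PWD admin” substring, not the whole line, as the indicator.

```shell
#!/bin/sh
# Added example (not from the article or the KiwiSDR project).
# Two post-disclosure checks for a KiwiSDR host:
#   1. is the "console access" path closed (opt.no_console marker file,
#      the mitigation xssfox's tweet describes), and
#   2. do the syslog files contain "PWD admin" lines, the marker the
#      article's zgrep command searches for.
# ASSUMPTIONS: the /root/kiwi.config location comes from the tweet; the
# log line layout and IP address in demo() are constructed for this demo.

# True (exit 0) when console access has been disabled via the marker file.
console_access_disabled() {
    cfgdir="${1:-/root/kiwi.config}"
    [ -e "$cfgdir/opt.no_console" ]
}

# Concatenate the given log files, transparently decompressing rotated
# *.gz files (zgrep does the same for the article's one-liner).
cat_logs() {
    for f in "$@"; do
        case "$f" in
            *.gz) gzip -dc "$f" ;;
            *)    cat "$f" ;;
        esac
    done
}

# Number of "PWD admin" lines across all given files (always prints a number).
count_admin_logins() {
    cat_logs "$@" | awk '/PWD admin/ { n++ } END { print n + 0 }'
}

# Every matching line, prefixed with its source file, for manual review of
# timestamps and source addresses. Exits 0 even when nothing matches.
list_admin_logins() {
    for f in "$@"; do
        cat_logs "$f" | grep -- "PWD admin" | sed "s|^|$f: |"
    done
    return 0
}

# Self-contained demo on constructed data in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/kiwi.config"
    # Constructed sample syslog lines (format assumed, not KiwiSDR's real one).
    cat > "$tmp/messages" <<'EOF'
Jul 14 03:12:55 kiwisdr kiwid: PWD admin ALLOWED from 203.0.113.7
Jul 14 03:13:02 kiwisdr kiwid: ADMIN: config saved
Jul 15 11:40:17 kiwisdr kiwid: PWD admin ALLOWED from 203.0.113.7
EOF
    # A rotated copy, if gzip is available, to show .gz handling.
    if command -v gzip >/dev/null 2>&1; then
        gzip -c "$tmp/messages" > "$tmp/messages.1.gz"
    fi

    if console_access_disabled "$tmp/kiwi.config"; then
        echo "console access: disabled (opt.no_console present)"
    else
        echo "console access: ENABLED (default) - backdoor reaches the host shell"
    fi
    echo "admin password logins found: $(count_admin_logins "$tmp"/messages*)"
    list_admin_logins "$tmp"/messages*

    # Apply the mitigation from the tweet and re-check.
    touch "$tmp/kiwi.config/opt.no_console"
    console_access_disabled "$tmp/kiwi.config" && echo "after touch: console access disabled"
    rm -rf "$tmp"
}

demo
```

On a real device, run the functions against /var/log/messages* and the real /root/kiwi.config; a non-zero count means someone presented the admin password, which is worth correlating with your own administration sessions before concluding the backdoor was used. Note that the marker file only closes the host-shell path described in the article; it does not remove the backdoor code itself, so updating to a version without it is still required.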
There is no indication that anyone used the backdoor to do malicious things, but the very existence of this code, and its apparent use over the years to gain access to users’ devices without authorization, is in itself a security breach, and a worrying one. At a minimum, users should inspect their devices and networks for signs of compromise and upgrade to v1.461. Those who are truly paranoid should consider unplugging their devices until more details are available.