There Is No Cat

We apologize for the inconvenience

Tuesday, March 1, 2022

KiwiSDR considered dangerous

I wrote an article for the NASWA Journal, published in the February 2022 issue in the Shortwave Center column, about why I turned off my KiwiSDRs. The KiwiSDR is a software defined receiver that has a web-based interface that you share as an act of altruism. They’re very handy, work very well, and they pose a danger to any network that they’re present on.

I wrote this article for an audience that has only basic understanding of the Internet, so if you know some of the things I explain, understand that much of the audience this was written for does not.

Why I Turned Off My KiwiSDRs (and why you may want to as well)

I have been using SDRs for more than a decade, so when the KiwiSDR came up on Kickstarter, I backed it. I’ve been a user since the beginning. I liked it so much I bought a second one a couple of years ago. And recently, I disconnected them, turned them off, and put them away. I think you may want to as well.

A few months ago, there was an online controversy with the radios when it came to light that the programmer had put a “back door” in the software that runs the KiwiSDR that allowed him to log in to any KiwiSDR on the Internet. I know that he did it in the interest of being able to provide service to his customers, but anyone with a rudimentary knowledge of security knows that back doors are a terrible idea and an invitation to hackers. The programmer closed the back door, but has suggested that he might re-open it at some point after things die down.

Compounding this horrible security faux-pas, the server software that allows the KiwiSDR to operate online runs as root. For those of you unfamiliar with what a root user on a UNIX-based computer is, basically, the root user is all powerful. It has maximum permissions. It can change anything on the computer. It can install any software. And running a server as root is frankly one of the most irresponsible things possible. The software that provides the web service on the KiwiSDR is called Mongoose. It is a library that a programmer can include in their program that allows their program to act as a web server. A quick perusal of the Github site for Mongoose (found at https://github.com/cesanta/mongoose ; Github is a site that hosts much of the open source software that programmers can incorporate into their own software) shows that it is not immune to security bugs. I found five bug reports from user cve-reporting; for those of you not conversant with computer security, CVE stands for Common Vulnerabilities and Exposures. It is a public database of security holes. Mongoose noted the issues that this user reported and fixed them quickly, so I don’t mean to suggest that the software has any open security issues. But that’s the problem; it may have open issues that haven’t been found and publicized yet. Or maybe projects that use it haven’t updated to the latest versions and still use old versions with security holes. This doesn’t happen because the programmers are bad, but it’s something to be aware of. And knowing that modern software development works like this is to realize that putting a KiwiSDR on the Internet with server software with potential unpublicized security holes running as the root user is a recipe for disaster.

So what could happen? A malicious visitor who found a security issue could send a request to the KiwiSDR that triggers that issue and winds up giving the visitor the ability to log in to the computer that hosts the KiwiSDR as root. Once they do that, your network is compromised. They can mount shared directories from your other computers and copy the files they find; financial, personal, whatever. They could set up a botnet client and use it to attack other computers. They could introduce a virus to the computers on your network, encrypt your disks and ask for ransom. Really, there’s no limit to the havoc they can wreak with root access to something you didn’t even think was a computer. I work as a professional web developer. If I ran a server on one of my client’s hosts as root, I would be drummed out of the business. You just don’t do this.

The creator of the KiwiSDR has (had?) a note on his site to say that he’s not interested in hearing about issues with running as root. I see this as a signal that he has no intention of fixing the issue. Given that, I have no intention of hosting this potentially dangerous server inside my network. You may wish to do the same.

Posted at 12:40 AM
Link to this entry || No comments (yet) || Trackbacks (0)

This site is copyright © 2002-2024, Ralph Brandi. (E-mail address removed due to virus proliferation.)

What do you mean there is no cat?

"You see, wire telegraph is a kind of a very, very long cat. You pull his tail in New York and his head is meowing in Los Angeles. Do you understand this? And radio operates exactly the same way: you send signals here, they receive them there. The only difference is that there is no cat."

- Albert Einstein, explaining radio


There used to be a cat

[ photo of Mischief, a black and white cat ]

Mischief, 1988 - December 20, 2003

[ photo of Sylvester, a black and white cat ]

Sylvester (the Dorito Fiend), who died at Thanksgiving, 2000.


Stylesheets


This site is powered by Missouri. Show me!

Valid XHTML 1.0!

Valid CSS!

XML RSS feed

Read Me via Atom

new host

Me!

Home Page
Resume
Married
Photographs
Flickr Photostream
Instagram Archive
Twitter Archive

last.fm

There Is No Cat is a photo Ralph Brandi joint.


Archives

Search



Family Blogs

Geneablogy
Jersey Girl Dance
Awakening
DullBlog
Mime Is Money

Blogs I Read

2020 Hindsight
AccordionGuy
Adactio
Allied
Apartment Therapy
Assorted Nonsense
Backup Brain
Burningbird
Chocolate and Vodka
Creative Tech Writer
Critical Distance
Daily Kos
Dan Misener likes the radio
Daring Fireball
Design Your Life
design*sponge
Doc Searls
Edith Frost
Elegant Hack
Emergency Weblog
Empty Bottle
Five Acres with a View
Flashes of Panic
Future of Radio
Groundhog Day
Hello Mary Lu
iheni
Inessential
Interllectual
Jeffrey Zeldman Presents
Jersey Beat
John Gushue ... Dot Dot Dot
john peel every day
JOHO The Blog
Kathryn Cramer
Kimberly Blessing
La Emisora de la Revolucion
Lacunae
Loobylu
mamamusings
Medley
mr. nice guy
MyDD
Orcinus
oz: the blog of glenda sims
Pinkie Style
Pinkie Style Photos
Pop Culture Junk Mail
Seaweed Chronicles
Shortwave Music
Slipstream
Talking Points Memo
The Unheard Word
Tom Sundstrom - trsc.com
Typographica
Unadorned
Vantan.org
WFMU's Beware of the Blog