KiwiSDR considered dangerous
I wrote an article for the NASWA Journal, published in the February 2022 issue in the Shortwave Center column, about why I turned off my KiwiSDRs. The KiwiSDR is a software defined receiver that has a web-based interface that you share as an act of altruism. They’re very handy, work very well, and they pose a danger to any network that they’re present on.
I wrote this article for an audience that has only basic understanding of the Internet, so if you know some of the things I explain, understand that much of the audience this was written for does not.
Why I Turned Off My KiwiSDRs (and why you may want to as well)
I have been using SDRs for more than a decade, so when the KiwiSDR came up on Kickstarter, I backed it. I’ve been a user since the beginning. I liked it so much I bought a second one a couple of years ago. And recently, I disconnected them, turned them off, and put them away. I think you may want to as well.
A few months ago, there was an online controversy with the radios when it came to light that the programmer had put a “back door” in the software that runs the KiwiSDR that allowed him to log in to any KiwiSDR on the Internet. I know that he did it in the interest of being able to provide service to his customers, but anyone with a rudimentary knowledge of security knows that back doors are a terrible idea and an invitation to hackers. The programmer closed the back door, but has suggested that he might re-open it at some point after things die down.
Compounding this horrible security faux-pas, the server software that allows the KiwiSDR to operate online runs as root. For those of you unfamiliar with what a root user on a UNIX-based computer is, basically, the root user is all powerful. It has maximum permissions. It can change anything on the computer. It can install any software. And running a server as root is frankly one of the most irresponsible things possible. The software that provides the web service on the KiwiSDR is called Mongoose. It is a library that a programmer can include in their program that allows their program to act as a web server. A quick perusal of the Github site for Mongoose (found at https://github.com/cesanta/mongoose ; Github is a site that hosts much of the open source software that programmers can incorporate into their own software) shows that it is not immune to security bugs. I found five bug reports from user cve-reporting; for those of you not conversant with computer security, CVE stands for Common Vulnerabilities and Exposures. It is a public database of security holes. Mongoose noted the issues that this user reported and fixed them quickly, so I don’t mean to suggest that the software has any open security issues. But that’s the problem; it may have open issues that haven’t been found and publicized yet. Or maybe projects that use it haven’t updated to the latest versions and still use old versions with security holes. This doesn’t happen because the programmers are bad, but it’s something to be aware of. And knowing that modern software development works like this is to realize that putting a KiwiSDR on the Internet with server software with potential unpublicized security holes running as the root user is a recipe for disaster.
So what could happen? A malicious visitor who found a security issue could send a request to the KiwiSDR that triggers that issue and winds up giving the visitor the ability to log in to the computer that hosts the KiwiSDR as root. Once they do that, your network is compromised. They can mount shared directories from your other computers and copy the files they find; financial, personal, whatever. They could set up a botnet client and use it to attack other computers. They could introduce a virus to the computers on your network, encrypt your disks and ask for ransom. Really, there’s no limit to the havoc they can wreak with root access to something you didn’t even think was a computer. I work as a professional web developer. If I ran a server on one of my client’s hosts as root, I would be drummed out of the business. You just don’t do this.
The creator of the KiwiSDR has (had?) a note on his site to say that he’s not interested in hearing about issues with running as root. I see this as a signal that he has no intention of fixing the issue. Given that, I have no intention of hosting this potentially dangerous server inside my network. You may wish to do the same.
Posted at 12:40 AM