Re: Backdoor in KiwiSDR


Stu C
 

As I understand it the access was permitted from only one IP address so unless the miscreant managed to get hold of that base then launch attacks the risk is small.
I too trust John and have made an SDR available to him via SSH many times without a moments hesitation. One thing a generation focussed on "correct" pronouns forgets is the morals and ethics of the older generation bare little resemblance to (many) of those today. People who lived most of their lives before the internet would generally not have stolen music or avoided paying for goods (like software).

I had a Chinese NVR that I had somehow forgotten the password to, support did not have a way for me to personally reset it at the hardware but if I just gave it internet access they would do it for me in minute... yeah no thanks. Half the complication of my home network subnets, NAT and firewall is aimed at using off the shelf CCTV bits without inviting a complete take over of my home network or being base for further attacks. It is probably illegal to export an item from country X without enabling a gov backdoor.

The fact that so many KiwiSDR's are still online makes me think that most users understand this event and have decided the intention was good if the inclusion does not suit today's world.

Has made me view the reporting of these events slightly differently, drama sells, click bait etc.

Stu

On 17/07/2021 06:10, Glenn Elmore wrote:


That John has had root access to KiwiSDRs has not been a secret for many years. To even a casual reader of the forum this has been obvious. Personally I have been aware of this and felt John was trustworthy and him having root access to a host on my private network and being able to help with troubleshooting had acceptable risk/benefit ratio.

What seems new is simply the high level publicity of this fact. Perhaps I'm being naive but the only new risk I see here is that the announcement may trigger increased hacking attempts. Hopefully the changes in v .461 have/will mitigate these risks.

Does anyone know of an instance where this 'vulnerability' has been exploited? Am I being silly with this perspective?

Glenn n6gn


On 2021-07-16 13:55, Carol KP4MD wrote:

"On Wednesday, users learned that for years, their devices had been equipped with a backdoor that allowed the KiwiSDR creator—and possibly others—to log in to the devices with administrative system rights. The remote admin could then make configuration changes and access data not just for the KiwiSDR but in many cases to the Raspberry Pi <https://arstechnica.com/tag/raspberry-pi/>, BeagleBone Black, or other computing devices the SDR hardware is connected to."

The full story is at https://arstechnica.com/gadgets/2021/07/for-years-a-backdoor-in-popular-kiwisdr-product-gave-root-to-project-developer/ <https://arstechnica.com/gadgets/2021/07/for-years-a-backdoor-in-popular-kiwisdr-product-gave-root-to-project-developer/>

Join wsprdaemon@groups.io to automatically receive all group messages.