Backdoor in KiwiSDR


Carol KP4MD
 

"On Wednesday, users learned that for years, their devices had been equipped with a backdoor that allowed the KiwiSDR creator—and possibly others—to log in to the devices with administrative system rights. The remote admin could then make configuration changes and access data not just for the KiwiSDR but in many cases to the Raspberry Pi, BeagleBone Black, or other computing devices the SDR hardware is connected to." 

The full story is at https://arstechnica.com/gadgets/2021/07/for-years-a-backdoor-in-popular-kiwisdr-product-gave-root-to-project-developer/


Glenn Elmore
 


 

That John has had root access to KiwiSDRs has not been a secret for many years. To even a casual reader of the forum this has been obvious. Personally I have been aware of this and felt John was trustworthy and him having root access to a host on my private network and being able to help with troubleshooting had acceptable risk/benefit ratio.  

What seems new is simply the high level publicity of this fact. Perhaps I'm being naive but the only new risk I see here is that the announcement may trigger increased hacking attempts.  Hopefully the changes in v .461 have/will mitigate these risks.  

Does anyone know of an instance where this 'vulnerability' has been exploited? Am I being silly with this perspective?

Glenn n6gn


On 2021-07-16 13:55, Carol KP4MD wrote:

"On Wednesday, users learned that for years, their devices had been equipped with a backdoor that allowed the KiwiSDR creator—and possibly others—to log in to the devices with administrative system rights. The remote admin could then make configuration changes and access data not just for the KiwiSDR but in many cases to the Raspberry Pi, BeagleBone Black, or other computing devices the SDR hardware is connected to." 

The full story is at https://arstechnica.com/gadgets/2021/07/for-years-a-backdoor-in-popular-kiwisdr-product-gave-root-to-project-developer/


Stu C
 

As I understand it the access was permitted from only one IP address so unless the miscreant managed to get hold of that base then launch attacks the risk is small.
I too trust John and have made an SDR available to him via SSH many times without a moments hesitation. One thing a generation focussed on "correct" pronouns forgets is the morals and ethics of the older generation bare little resemblance to (many) of those today. People who lived most of their lives before the internet would generally not have stolen music or avoided paying for goods (like software).

I had a Chinese NVR that I had somehow forgotten the password to, support did not have a way for me to personally reset it at the hardware but if I just gave it internet access they would do it for me in minute... yeah no thanks. Half the complication of my home network subnets, NAT and firewall is aimed at using off the shelf CCTV bits without inviting a complete take over of my home network or being base for further attacks. It is probably illegal to export an item from country X without enabling a gov backdoor.

The fact that so many KiwiSDR's are still online makes me think that most users understand this event and have decided the intention was good if the inclusion does not suit today's world.

Has made me view the reporting of these events slightly differently, drama sells, click bait etc.

Stu

On 17/07/2021 06:10, Glenn Elmore wrote:


That John has had root access to KiwiSDRs has not been a secret for many years. To even a casual reader of the forum this has been obvious. Personally I have been aware of this and felt John was trustworthy and him having root access to a host on my private network and being able to help with troubleshooting had acceptable risk/benefit ratio.

What seems new is simply the high level publicity of this fact. Perhaps I'm being naive but the only new risk I see here is that the announcement may trigger increased hacking attempts. Hopefully the changes in v .461 have/will mitigate these risks.

Does anyone know of an instance where this 'vulnerability' has been exploited? Am I being silly with this perspective?

Glenn n6gn


On 2021-07-16 13:55, Carol KP4MD wrote:

"On Wednesday, users learned that for years, their devices had been equipped with a backdoor that allowed the KiwiSDR creator—and possibly others—to log in to the devices with administrative system rights. The remote admin could then make configuration changes and access data not just for the KiwiSDR but in many cases to the Raspberry Pi <https://arstechnica.com/tag/raspberry-pi/>, BeagleBone Black, or other computing devices the SDR hardware is connected to."

The full story is at https://arstechnica.com/gadgets/2021/07/for-years-a-backdoor-in-popular-kiwisdr-product-gave-root-to-project-developer/ <https://arstechnica.com/gadgets/2021/07/for-years-a-backdoor-in-popular-kiwisdr-product-gave-root-to-project-developer/>


Rob Robinett
 

I share Glenn and Stu's perspective on this issue.
Over the years John has demonstrated that he deserves our trust and appreciation for all of his work.
Hopefully all of this negative publicity doesn't drive him away from further work on the Kiwi.

On Fri, Jul 16, 2021 at 10:41 PM Stu C <stu@...> wrote:
As I understand it the access was permitted from only one IP address so
unless the miscreant managed to get hold of that base then launch
attacks the risk is small.
I too trust John and have made an SDR available to him via SSH many
times without a moments hesitation. One thing a generation focussed on
"correct" pronouns forgets is the morals and ethics of the older
generation bare little resemblance to (many) of those today. People who
lived most of their lives before the internet would generally not have
stolen music or avoided paying for goods (like software).

I had a Chinese NVR that I had somehow forgotten the password to,
support did not have a way for me to personally reset it at the hardware
but if I just gave it internet access they would do it for me in
minute... yeah no thanks. Half the complication of my home network
subnets, NAT and firewall is aimed at using off the shelf CCTV bits
without inviting a complete take over of my home network or being base
for further attacks. It is probably illegal to export an item from
country X without enabling a gov backdoor.

The fact that so many KiwiSDR's are still online makes me think that
most users understand this event and have decided the intention was good
if the inclusion does not suit today's world.

Has made me view the reporting of these events slightly differently,
drama sells, click bait etc.

Stu



On 17/07/2021 06:10, Glenn Elmore wrote:
>
>
> That John has had root access to KiwiSDRs has not been a secret for
> many years. To even a casual reader of the forum this has been
> obvious. Personally I have been aware of this and felt John was
> trustworthy and him having root access to a host on my private network
> and being able to help with troubleshooting had acceptable
> risk/benefit ratio.
>
> What seems new is simply the high level publicity of this fact.
> Perhaps I'm being naive but the only new risk I see here is that the
> announcement may trigger increased hacking attempts. Hopefully the
> changes in v .461 have/will mitigate these risks.
>
> Does anyone know of an instance where this 'vulnerability' has been
> exploited? Am I being silly with this perspective?
>
> Glenn n6gn
>
>
> On 2021-07-16 13:55, Carol KP4MD wrote:
>
>> "On Wednesday, users learned that for years, their devices had been
>> equipped with a backdoor that allowed the KiwiSDR creator—and
>> possibly others—to log in to the devices with administrative system
>> rights. The remote admin could then make configuration changes and
>> access data not just for the KiwiSDR but in many cases to the
>> Raspberry Pi <https://arstechnica.com/tag/raspberry-pi/>, BeagleBone
>> Black, or other computing devices the SDR hardware is connected to."
>>
>> The full story is at
>> https://arstechnica.com/gadgets/2021/07/for-years-a-backdoor-in-popular-kiwisdr-product-gave-root-to-project-developer/
>> <https://arstechnica.com/gadgets/2021/07/for-years-a-backdoor-in-popular-kiwisdr-product-gave-root-to-project-developer/>
>
>









--
Rob Robinett
AI6VN
mobile: +1 650 218 8896


Jim Lill
 

I agree and let's hope that John will continue to help us even if it means one on one access.  My recent ALE experiment was only possible becaus eJohn had that access to one of my Kiwi's for example

On 7/17/21 10:03 AM, Rob Robinett wrote:
I share Glenn and Stu's perspective on this issue.
Over the years John has demonstrated that he deserves our trust and appreciation for all of his work.
Hopefully all of this negative publicity doesn't drive him away from further work on the Kiwi.

On Fri, Jul 16, 2021 at 10:41 PM Stu C <stu@...> wrote:
As I understand it the access was permitted from only one IP address so
unless the miscreant managed to get hold of that base then launch
attacks the risk is small.
I too trust John and have made an SDR available to him via SSH many
times without a moments hesitation. One thing a generation focussed on
"correct" pronouns forgets is the morals and ethics of the older
generation bare little resemblance to (many) of those today. People who
lived most of their lives before the internet would generally not have
stolen music or avoided paying for goods (like software).

I had a Chinese NVR that I had somehow forgotten the password to,
support did not have a way for me to personally reset it at the hardware
but if I just gave it internet access they would do it for me in
minute... yeah no thanks. Half the complication of my home network
subnets, NAT and firewall is aimed at using off the shelf CCTV bits
without inviting a complete take over of my home network or being base
for further attacks. It is probably illegal to export an item from
country X without enabling a gov backdoor.

The fact that so many KiwiSDR's are still online makes me think that
most users understand this event and have decided the intention was good
if the inclusion does not suit today's world.

Has made me view the reporting of these events slightly differently,
drama sells, click bait etc.

Stu



On 17/07/2021 06:10, Glenn Elmore wrote:
>
>
> That John has had root access to KiwiSDRs has not been a secret for
> many years. To even a casual reader of the forum this has been
> obvious. Personally I have been aware of this and felt John was
> trustworthy and him having root access to a host on my private network
> and being able to help with troubleshooting had acceptable
> risk/benefit ratio.
>
> What seems new is simply the high level publicity of this fact.
> Perhaps I'm being naive but the only new risk I see here is that the
> announcement may trigger increased hacking attempts. Hopefully the
> changes in v .461 have/will mitigate these risks.
>
> Does anyone know of an instance where this 'vulnerability' has been
> exploited? Am I being silly with this perspective?
>
> Glenn n6gn
>
>
> On 2021-07-16 13:55, Carol KP4MD wrote:
>
>> "On Wednesday, users learned that for years, their devices had been
>> equipped with a backdoor that allowed the KiwiSDR creator—and
>> possibly others—to log in to the devices with administrative system
>> rights. The remote admin could then make configuration changes and
>> access data not just for the KiwiSDR but in many cases to the
>> Raspberry Pi <https://arstechnica.com/tag/raspberry-pi/>, BeagleBone
>> Black, or other computing devices the SDR hardware is connected to."
>>
>> The full story is at
>> https://arstechnica.com/gadgets/2021/07/for-years-a-backdoor-in-popular-kiwisdr-product-gave-root-to-project-developer/
>> <https://arstechnica.com/gadgets/2021/07/for-years-a-backdoor-in-popular-kiwisdr-product-gave-root-to-project-developer/>
>
>









--
Rob Robinett
AI6VN
mobile: +1 650 218 8896


Carol KP4MD
 

I have no problem with John Seamons having access, but I was spooked and removed my KiwiSDR from the public Kiwi directory and DDNS service once I detected Chinese IPs pinging my router with port scanning attacks and several Chinese IPs logged onto my KiwiSDR to monitor US military frequencies.  The thought of the Chinese Communist Party adding and exploiting another backdoor entrance into my KiwiSDR is unsettling.


kk6pr
 

" . . .Chinese IPs logged onto my KiwiSDR to monitor US military frequencies . . . The thought of the Chinese Communist Party adding and exploiting another backdoor entrance into my KiwiSDR is unsettling."

I'm more concerned about American fascists' access and use of my Kiwis.  My IP Blacklist is full of them - I don't care what frequencies they want to listen to.


On Sat, Jul 17, 2021 at 12:58 PM Carol KP4MD <kp4md@...> wrote:
I have no problem with John Seamons having access, but I was spooked and removed my KiwiSDR from the public Kiwi directory and DDNS service once I detected Chinese IPs pinging my router with port scanning attacks and several Chinese IPs logged onto my KiwiSDR to monitor US military frequencies.  The thought of the Chinese Communist Party adding and exploiting another backdoor entrance into my KiwiSDR is unsettling.


KD2OM
 

Mine aren’t publicly listed but are available. I rarely see anyone else on it and I checked for incursion and found none. Plus I already had external admin console access closed. 
That said I did the update.

Steve KD2OM

.
 

On Jul 17, 2021, at 18:09, kk6pr <pointreyes@...> wrote:


" . . .Chinese IPs logged onto my KiwiSDR to monitor US military frequencies . . . The thought of the Chinese Communist Party adding and exploiting another backdoor entrance into my KiwiSDR is unsettling."

I'm more concerned about American fascists' access and use of my Kiwis.  My IP Blacklist is full of them - I don't care what frequencies they want to listen to.

On Sat, Jul 17, 2021 at 12:58 PM Carol KP4MD <kp4md@...> wrote:
I have no problem with John Seamons having access, but I was spooked and removed my KiwiSDR from the public Kiwi directory and DDNS service once I detected Chinese IPs pinging my router with port scanning attacks and several Chinese IPs logged onto my KiwiSDR to monitor US military frequencies.  The thought of the Chinese Communist Party adding and exploiting another backdoor entrance into my KiwiSDR is unsettling.