Tag Archives: KiwiSDR

KiwiSDR: Root access through project developer’s backdoor

Many thanks to SWLing Post contributor, Franco (K4VZ), who writes:

Just a quick note to let you and the SWLing Post readers know about the news of a backdoor in the KiwiSDR software that for years “gave root to project developer”.

https://arstechnica.com/gadgets/2021/07/for-years-a-backdoor-in-popular-kiwisdr-product-gave-root-to-project-developer/

For years, a backdoor in popular KiwiSDR product gave root to project developer

Users are rattled after learning their devices and networks were exposed.

KiwiSDR is hardware that uses a software-defined radio to monitor transmissions in a local area and stream them over the Internet. A largely hobbyist base of users does all kinds of cool things with the playing-card-sized devices. For instance, a user in Manhattan could connect one to the Internet so that people in Madrid, Spain, or Sydney, Australia, could listen to AM radio broadcasts, CB radio conversations, or even watch lightning storms in Manhattan.

On Wednesday, users learned that for years, their devices had been equipped with a backdoor that allowed the KiwiSDR creator—and possibly others—to log in to the devices with administrative system rights. The remote admin could then make configuration changes and access data not just for the KiwiSDR but in many cases to the Raspberry Pi, BeagleBone Black, or other computing devices the SDR hardware is connected to.

A big trust problem

Signs of the backdoor in the KiwiSDR date back to at least 2017. The backdoor was recently removed with no mention of the removal under unclear circumstances. But despite the removal, users remain rattled since the devices run as root on whatever computing device they’re connected to and can often access other devices on the same network.

“It’s a big trust problem,” a user with the handle xssfox told me. “I was completely unaware that there was a backdoor, and it’s hugely disappointing to see the developer adding backdoors in and actively using them without consent.” [Click here to continue reading the full article…]

Thank you for sharing this, Franco (and many other readers who’ve recently shared this article).

I’ve always been a big fan of the KiwiSDR network and the receiver so, of course, this is disappointing news. It sounds as if there’s no evidence the developer did anything nefarious through this root access backdoor, but they were also well aware it existed. That is, without question, a huge security issue.

The KiwiSDR developer comments here on the SWLing Post so my hope is that, perhaps, they can shed some light on this story in our comments section.

Should web-based SDR loggings be included and shared in regular logging columns?

Operating a KiwiSDR in Iceland from my vacation spot in Québec (circa 2018).

Many thanks to SWLing Post contributor, Richard Cuff, who writes:

Radyo Pilipinas is one of those English language stations that are not very likely to make it to my Pennsylvania location, even under excellent conditions, simply because propagation of their frequencies wouldn’t reach eastern North America when they’re on the air.

Web tunable SDRs change all that…I caught them today from 0315 to their 0330 signoff on 15640 and 17620, in English, with a chatty travelogue program.

I was listening via an Indonesian Kiwi SDR located in Jakarta.

I’m left wondering — is there interest in reporting logs like this? We wouldn’t normally include them in the regular Loggings column in the NASWA Journal, because I’m not tuning my radio, I’m in front of a computer screen tuning half a world away.

FWIW, Radyo Pilipinas broadcasts in English daily from 0200 to 0330 on 15640, 17700 (announced but not heard) and 17620 kHz.

73 – Richard Cuff / Allentown, PA (virtually in Jakarta, Indonesia…)

Wow–what a great question, Rich.

I suspect some DXers have very strong feelings about WebSDR loggings, both for and against.

In terms of loggings columns with various radio clubs and organizations, I suppose it’s up to the governing body to decide. As you say, I suspect it will come down to whether or not remote radio operation counts. With a KiwiSDR, for example, you’re controlling a remote receiver–one that is physically located in a known geographic spot–and the audio is being piped over the Internet. I know it wouldn’t be in the spirit of the thing if you submitted logs implying you’d logged Radyo Pilipinas from your home receiver and antenna. If, however, you disclose that you were using a remote RX station in Jakarta, the logging would be accurate. Whether or not it’s allowed is a separate issue.

Anyone care to share their constructive comments? What do you think about WebSDR loggings? Please comment.

CATSync: Control web SDR tuning from your rig

Many thanks to SWLing Post contributor, Rob (PE9PE), who writes:

This is an interesting tool for those hams suffering from lots of local QRM.

https://catsyncsdr.wordpress.com/

Thanks, Rob! CATSync seems to allow control of a web-based SDR from any OMNI Rig-supported radio via CAT control (which is the majority of transceivers). It appears CATSync allows control of tuning and mode changes via your radio and from the web SDR interface back to your rig.

One interesting use of this would be to use a remote SDR for receiving while using your home antenna for transmitting. This could help those inundated with RFI at home. While this might not be an allowed practice for contesting (having your receiver and transmitter in two different locations) it’s certainly permitted if you want to check in with a net or chat with friends. You don’t need CATSync to do this–you can always manually tune a web SDR separately–it would simply facilitate keeping both your RX and TX on the same frequency.

CATSync has a free trial with limited control–you can purchase the full version for 9.95 EUR.

Click here to check out CATSync.

Thanks for the tip, Rob!

KiwiSDR.com’s simple urls for popular KiwiSDR portals

Many thanks to the crew at KiwiSDR.com who have made simple subdomain style forwarding links to open and explore popular KiwiSDR portals:

Thank you–this makes it so much easier to remember KiwiSDR portal addresses!

KiwiSDRs are back on Amazon

The KiwiSDR (Photo by Mark Fahey)

Many thanks to SWLing Post contributor, Mike, who writes:

Hi Thomas, I just noticed that Amazon has an inventory of KiwiSDRs for sale. I’m planning to snag one even though I don’t plan to put it online (because my IPDSL connection is just too slow). I’ve always wanted one and let’s just say I’ll be ready to join the community if I ever get a bandwidth upgrade! Price on Amazon is $299 for the full kit.

Thanks for the tip, Mike! You and I are in similar situations–my KiwiSDR (a gift from Mark Fahey–thanks!) would be online right now if I had the bandwidth and enough monthly data to support it. Like you, when I get an Internet pipeline upgrade, one of the first things I’ll do is put my KiwiSDR online!

Click here to view on Amazon (this affiliate link supports the SWLing Post at no cost to you)

The SDR.hu web SDR portal is no more, but we have several excellent alternatives

In January, András Retzler–owner of the SDR.hu KiwiSDR portal–started requiring registration and a ham radio license in order to access their extensive online database of SDRs.

Today, we learned of the site’s closure. Here’s the message posted at SDR.hu:

The SDR.hu project has been finished

I’d like to say a big thanks to everyone who joined my journey with this project!

I hope you had a good time listening on the site, and learnt some things about SDR. The purpose of this site was to provide a technological demonstration for amateur radio operators about Software Defined Radio, and I hope this goal has been reached. As this website was a one-person hobby project, with my tasks and responsibilities growing, and my focus moving to other projects at which I hope to make a greater positive impact, I’m unable to further develop SDR.hu and protect it from abuse.

Furthermore, I think this site has some good alternatives now. Nevertheless, in my opinion amateur radio receivers should be shared with strict access control in the future.

If you have more questions, feel free to consult the FAQ.

73!

Andras, HA7ILM

SWLing Post contributor, Mark Fahey, shared the following message sent by Andras to all KiwiSDR owners in the database this morning:

Hello,

You are receiving this e-mail because you were listing a receiver on SDR.hu in the last 3 months.

I wanted to let you know that the SDR.hu project is discontinued.
This is because I have to focus on my PhD and unfortunately I don’t have enough time anymore to maintain the website and protect it from abuse.
If you have questions, there’s a FAQ on the front page: https://sdr.hu/
For KiwiSDR users there is another listing service available on the KiwiSDR website: http://kiwisdr.com/public (I’m not involved with this one.)
Thank you very much for having participated in the project!

VY 73!

Andras, HA7ILM

Alternative KiwiSDR Portals

Fortunately, there are a number of other KiwiSDR portals that do not require registration or a call sign. Here’s a list:

If you prefer another KiwiSDR portal, please comment with a link. I’ll try to update this post with any new additions!
