He meant no harm

2024-11-15 · 4min

I love HAM radio. I'm a licensed operator and whenever someone asks for a wideband SDR receiver, inevitably KiwiSDR comes up. It is arguably one of the most cost effective commercial solutions if you want to monitor anything between 10kHz and 30MHz. Of course it can't compete with "big boy" solutions from companies like Rohde & Schwarz or Aaronia, but for the price it's an amazing little device.

There is just one problem: The developer of KiwiSDR had secretly put in a backdoor. Not once, but twice. When the first backdoor was discovered, he claimed that this was just an accident. The user who discovered it even asked if there were any other backdoors. Well, there were, as was discovered years later by XSSFox.

It is no secret that the average age of HAM radio operators is beyond the 40s and 50s. Many license holders are retired, and if they have a software development background, it's typically at the level of what was current in the eighties and nineties. That is why most HAM radio software, while functional, not exactly using the latest technologies and security practices. I mean, just look at JTDX here and tell me that this is isn't UI design from decades ago:

A screenshot of JTDX

There are several reports of the author of KiwiSDR helping users remotely, ostensibly using that backdoor. While remote support is great, I would not want a construction company to build a house for me, and then secretly keeping a key for themselves so they can come in at any time to fix something. What any sane person does is make an appointment, and when they knock on your door you open it. But while there are definitely critical voices and even Ars Technica was bewildered, the fact is there are a lot of users who now say that they are cool with such a backdoor - even though it has been removed with the commit comment "bug fixes". Some users say they always knew about the backdoor.

I doubt that most users were aware of this. Rather, I am convinced that they simply never cared. Most users never needed hands-on support by the author, and those who did probably didn't give it another thought why that person was able to just fix the issue without them giving him access. The problem is that whether you think such a backdoor is a problem or not is of no consequence, just like you may choose to believe wearing seatbelts is unneccessary. Reality doesn't ask if you're cool with being hit with the consequences. A backdoor is a security risk.

I can not and will not claim that the author of KiwiSDR had malicious intent. I have no way to determine if he did, just as we only have his word for him having had the best intentions in mind. However, I can report on how he handled the situation: He was asked to issue a CVE, which he said he would, but never did. He locked the forums because of "spam" from outraged users. He refused to elaborate when asked by the RTL-SDR blog, citing Legal advice. How convenient.

What I will say is this: You probably should not put devices on your network that contain software written by a guy who believes it's perfectly okay to hardcode his key in, just in case he needs to SSH into your box as root later.

In completely unrelated news, the new KiwiSDR 2 is now on sale. I could tell you what I think of this, but unfortunately I cannot comment publicly on this topic due to legal advice.