Press "Enter" to skip to content

For years, a backdoor in popular KiwiSDR product gave root to project developer


Enlarge / A spectrum painted image made using KiwiSDR.

KiwiSDR is hardware that uses a software-defined radio to monitor transmissions in a local area and stream them over the Internet. A largely hobbyist base of users do all kinds of cool things with the playing-card-sized devices. A user in, say, Manhattan can connect one to the Internet so that people in, say, Madrid, Spain, or Sydney, Australia, can listen to AM radio broadcasts, CB radio conversations, or even watch lightning storms in Manhattan.

On Wednesday, users learned that for years their devices had been equipped with a backdoor that allowed the KiwiSDR creator—and possibly others—to log in to their devices with administrative system rights. The remote admin could then make configuration changes and access data not just for the KiwiSDR, but in many cases to the Raspberry Pi, BeagleBone Black, or other computing device the SDR hardware is connected to.

A big trust problem

Signs of the backdoor in the KiwiSDR date back to at least 2017. The backdoor was recently removed under unclear circumstances. But despite the removal, users remain rattled, since the devices run as root on whatever computing device they’re connected to and can often access other devices on the same network.

“It’s a big trust problem,” a user with the handle xssfox told me. “I was completely unaware that there was a backdoor, and it’s hugely disappointing to see the developer adding backdoors in and actively using it without consent.”

Xssfox said she runs two KiwiSDR devices, one on a BeagleBone Black that uses a custom FPGA to run the Pride Radio Group, which lets people listen to radio transmissions in and around Gladstone, Australia.

Just came in:  Quake 1 gets its first major co-op content update in 25 years

Xssfox added:

In my case the KiwiSDRs are hosted on a remote site that has other radio experiments running. They could have gained access to those. Other KiwiSDR users sometimes have them set up in remote locations using other people’s/companies’ networks, or on their home network. It’s sort of like the security camera backdoors/exploits, but smaller scale [and] just amateur radio people.

Software-defined radios use software to process radio signals rather than the standard hardware found in traditional radio equipment. The KiwiSDR attaches to an embedded computer, which in turn shares local signals with a much wider base of people.

The backdoor is simple enough. A few lines of code allow the developer to remotely access any device by entering its URL in a browser and appending a password to the end of the address. From there, the person using the backdoor can make configuration changes not only to the radio device but by default, also to the underlying computing device it runs on. Here’s a video of xssfox using the backdoor on her device and getting root access to her BeagleBone.

Here’s an image with higher resolution:


“It looks like the SDR… plugs into a BeagleBone arm Linux board,” HD Moore, a security expert and CTO of network discovery platform Rumble, told me. “This shell is on that Linux board. Compromising it may get you into the user’s network.”

Just came in:  Google is making its first in-house smartwatch that could launch in 2022

The backdoor lives on

Xssfox said that access to the underlying computing device—and possibly other devices on the same network—happens as long as a setting called console access is turned on, as it is by default. Turning the access off requires making a change to either the admin interface or a configuration file, which many users are unlikely to have made. Additionally, many devices get updated rarely if ever. That means, even though the KiwiSDR developer has removed the offending code, the backdoor will live on in devices, making them vulnerable to takeover.

Software submissions and technical documents like this one name the developer of KiwiSDR as John Seamons. Seamons didn’t respond to an email seeking comment for this post.

The user forums were unavailable at the time this post was going live. Screenshots here and here, however, appear to show Seamons admitting to the backdoor as long ago as 2017.


Another troubling aspect to the backdoor is that, as noted by engineer user Mark Jessop, it communicated over an HTTP connection, exposing the plaintext password and data over the backdoored network to anyone who can monitor the traffic coming into or out of the device.

KiwiSDR users who want to check if their devices have been remotely accessed can do so by running the command

zgrep -- "PWD admin" /var/log/messages*

There’s no indication that anyone has used the backdoor to do malicious things, but the very existence of this code and its apparent use over the years to access user devices without permission is itself a security breach—and a disturbing one at that. At a minimum, users should inspect their devices and networks for signs of compromise and upgrade to v1.461. The truly paranoid should consider unplugging their devices until more details become available.

Just came in:  Amazon Alexa can now respond to running water and bleeping appliances

Listing image by KiwiSDR