Security in Amateur Radio
Amateur Radio has a security problem
I work in information security and do threat modeling every day, so I can't help but notice that the state of security in amateur radio, in both the radio systems and the internet-based systems amateur operators rely on, is a total disaster. Some of this is the result of the law: Part 97 does not permit messages encoded to obscure their meaning, so a digital transmission cannot be encrypted. Some of it is of a more practical nature. Hams have traditionally assisted in emergency communications and disaster relief, where minimal equipment may be available, so a less secure system that still works without the aid of a computer has real appeal.
Here are some examples of how authentication is handled on a variety of systems.
- Many repeaters can be remotely managed by a series of DTMF tones.
- Packet TNCs can be managed by entering the sysop command and a subset of a preconfigured password. For example, on a Kantronics KAM XL, the process looks like this: “Upon receiving the SYSOP command from a remote user, the PBBS will return three lines of five numbers each. These numbers indicate the character positions in the RTEXT command.”
- Winlink will prompt a user connecting with a terminal or via APRSLink for three specific characters of the account password, identified by position, plus any three other characters taken from anywhere in the password.
- AREDN nodes use a standard username and password over an unencrypted HTTP connection.
The first example, the repeater, is vulnerable to a simple replay attack. Imagine a jammer is causing interference with a repeater. The control operator uses her HT to shut the repeater down. The jammer, expecting this, records the DTMF tones (a fixed audio sequence that any scanner and recorder can capture) and can now disable the repeater at will until the codes are changed.
The KAM XL is slightly more difficult to compromise, but if a sysop manages the TNC remotely on a regular basis, it would be trivial for an attacker to monitor and log packet traffic. Each SYSOP login reveals the characters at fifteen positions of RTEXT, so after some time the attacker has the full content of the RTEXT command and can answer the SYSOP challenge to manipulate the TNC at will.
The Winlink example is actually worse. In order for this authentication system to work, passwords must be stored in plain text on the Winlink System's servers. That they are stored this way is easy to confirm: a forgotten-password request results in your existing Winlink password being emailed to the account recovery address, which is only possible if the server can read it. This is against every best practice. An attack could be carried out against users of APRSLink without even needing a radio. The attacker could monitor the online APRS-IS system for any messages sent to and from the SSID WLNK-1. The login messages sent to that SSID include 6 characters of a user's password, 3 of which the attacker knows the position of, and each additional login fills in more positions. Any kid who has played the board game "Clue" will know what to do here. Since password reuse is rampant on the internet, there's a good bet that this password will work against other accounts owned by a potential victim.
Finally, the AREDN login and password can be read straight out of a packet capture on the mesh, since HTTP sends them in the clear.
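The KAM XL and Winlink weaknesses above are the same attack: every login discloses the characters at a few positions of a static secret, and an eavesdropper only has to keep merging what they see. The following is an added example written for this post, not Kantronics or Winlink code. It is a simplified model (0-indexed positions, uniformly random challenge positions, and the Winlink "any three other characters" ignored, even though they narrow the search further) that shows how quickly the whole secret falls out of a log of observed logins.

```python
import random
import string

# Added example for this post; a simplified model of partial-password
# disclosure, not Kantronics or Winlink code.  Positions are 0-indexed here;
# the real KAM XL challenge numbers RTEXT positions from 1.

ALPHABET = string.ascii_letters + string.digits


def merge_disclosures(known: dict, positions, chars) -> dict:
    """Record the (position, character) pairs revealed by one observed login."""
    for pos, ch in zip(positions, chars):
        if pos in known and known[pos] != ch:
            raise ValueError(f"conflicting disclosure at position {pos}")
        known[pos] = ch
    return known


def reconstruct(known: dict, length: int) -> str:
    """Render what the eavesdropper knows so far; '?' marks unknown positions."""
    return "".join(known.get(i, "?") for i in range(length))


def logins_until_recovered(secret: str, per_login: int, rng: random.Random,
                           limit: int = 500) -> int:
    """Simulate logins that each reveal `per_login` distinct random positions
    (15 for the KAM XL SYSOP challenge, 3 for Winlink's positioned characters)
    and return how many logins the eavesdropper needed to see the whole secret.
    Returns -1 if the constructed upper bound is hit."""
    known: dict = {}
    for n in range(1, limit + 1):
        positions = rng.sample(range(len(secret)), per_login)
        merge_disclosures(known, positions, [secret[p] for p in positions])
        if len(known) == len(secret):
            return n
    return -1


def random_secret(length: int, rng: random.Random) -> str:
    """Constructed secret standing in for an RTEXT string or Winlink password."""
    return "".join(rng.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    rng = random.Random(2024)
    rtext = random_secret(40, rng)      # KAM XL: 40-character RTEXT, 15 positions per login
    password = random_secret(10, rng)   # Winlink: 10-character password, 3 positions per login
    print("KAM XL logins needed:", logins_until_recovered(rtext, 15, rng))
    print("Winlink logins needed:", logins_until_recovered(password, 3, rng))
```

Because each login samples positions independently, recovery behaves like the coupon-collector problem: a 40-character RTEXT exposed 15 characters at a time is usually complete within a dozen or so SYSOP sessions, and a 10-character Winlink password exposed 3 positioned characters at a time within a few dozen APRSLink logins.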
So what can we do about it?
The first three scenarios can be fixed using existing off-the-shelf time-based one-time password (TOTP, RFC 6238) technology. TOTP codes are typically used as a second factor in MFA systems, but on their own they would be a much more secure alternative to static passwords or partial passwords, because a code captured off the air is worthless once its 30-second window has passed. Two details matter for the radio case: the station controller needs a reasonably accurate clock (a step or two of tolerance covers drift), and it must refuse to accept the same code twice within its window, otherwise a recorded code can still be replayed for up to a minute. Emergency situations where the authenticator is missing or lost (a phone drowned in a flood, for example) could be handled by static recovery codes, just as MFA implementations do. A list of 10-20 single-use recovery codes could be taped to the back of an HT battery and be available for repeater control or APRSLink authentication in an emergency. A 6-digit code is not a very strong password, but due to the open nature of amateur radio, a brute-force attack (hundreds of thousands of attempts on average) would be heard by any nearby hams using the system and a foxhunt would ensue.
Winlink clients could even authenticate this way by doing the TOTP calculation internally and passing the 6-digit TOTP for authentication. The Winlink system would no longer need to store plain-text passwords in a database where a compromise could put users at risk; it would hold only a per-user TOTP secret, which is still sensitive but is not reused on any other site. One thought I had, but haven't developed a proof of concept for yet, is to derive the TOTP shared secret (the key for the HMAC-SHA1 that TOTP is built on) from a user password with a password-based key derivation function, using the user's callsign as the salt, rather than using a truly randomly generated shared secret. This would allow for the offline setup of future Winlink clients. This is obviously not as secure as a randomly generated secret, since anyone who captures a code and knows the callsign can guess passwords offline, so the derivation has to be deliberately slow; but, again, it's still vastly superior to 6 plain-text characters from a static password.
The final example, an AREDN node, is not easily fixable. If a one-time password were used for authentication, there would still be a session cookie sent in every HTTP request. That session cookie could be captured and replayed to gain administrative access; it is as good as a password until it expires, and HTTPS, which would protect it, is encryption that obscures the meaning of the transmission. With current regulation, the only secure option is an out-of-band solution using Part 15 equipment (potentially expensive and possibly impractical), or an update to FCC Part 97. With this in mind, I would propose an update to Part 97.
Currently § 97.207(b) regarding space stations reads: “Space telemetry transmissions may consist of specially coded messages intended to facilitate communications or related to the function of the spacecraft.” A similar section should be added to the regulation of Repeater Stations, Amateur Stations under Telecommand, Message Forwarding Systems, and Automatically Controlled Digital Stations to read “Transmissions may consist of specially coded messages intended to facilitate communications or related to the function of the station.” This simple change would permit the safe and secure remote management of stations without violating the open spirit of amateur radio.
Mentioned on Zero Retries!
This article was mentioned on Zero Retries 143. Zero Retries is a wonderful weekly newsletter by Steve Stroh, N8GNJ, promoting technical innovation in Amateur Radio, with a focus on the future rather than the past. I've been remiss in not mentioning it sooner.