
We don't normally worry about security in ham radio, because we can't encrypt our transmissions anyway in the vast majority of cases. Some niche protocols support authentication of messages, but that's it, unless you're controlling satellites. There is nothing except regulations and etiquette stopping me from making contacts using any mode with someone else's call sign, and if I use a digital mode, there's no way for anyone except me and the person I'm impersonating to tell. It is certainly possible for me to eavesdrop on other people's conversations, and this is neither illegal nor unethical.

However, when we use digital modes, our computers are processing arbitrary data from an untrusted source. Since security isn't really a concern for most hams, it's unlikely that ham radio programs such as fldigi and WSJT-X are tested for responses to invalid data; it's quite possible that some ham programs have remote code execution vulnerabilities or similar bugs. There is nothing (again, except regulations and etiquette) stopping a hacker from making transmissions intended to exploit such bugs.

I found a few articles about people hacking their own computers over ham radio for experiments, but have there been any documented cases of a ham radio operator's (or shortwave listener's) computer being compromised over an amateur radio digital mode without the owner's permission?

Someone
  • We're only talking about non-embedded computers, not about say the computer logic of a digital relay tricked into forwarding packets that it shouldn't? (Or, the digital logic inside every handset that implements squelch tones? The question I'm trying to raise here is twofold: what is the thing that you count as a computer, and in an environment lacking even basic authentication, what is the minimal thing you consider a hack? Corollary: I wonder why there are not even simple cryptographic signatures on APRS....) – Marcus Müller Dec 25 '22 at 22:13
  • Just one note: you can use any coding, modulation, etc. in the ham bands as far as the method is public and the data can be decoded by anyone. But using a non-public key is different (and "public" keys have no use for authentication): if the sender signs a packet with its private key then it will contain bytes that cannot be "decoded" or reproduced. A CRC is different because it is reproducible. So, in theory, it might be illegal to add a signature to an APRS packet because any "wrong" packet that cannot be authenticated can contain anything as signature bytes, even nuclear launch codes... :-) – ha3flt Dec 25 '22 at 23:09
  • "it's unlikely that ham radio programs such as fldigi and WSJT-X are tested for responses to invalid data" - I don't think so. If an input has a meaning because it changes something in the software that receives it (change states, e.g. changes letter cases, or used as a remote command) then it will normally be tested by any sane developer including buffer overrun as well. The question is the focus and the elaboration. I agree that SQL injection is not something we test a lot in ham software but otherwise there is nothing new or different in them. :-) At least it is my opinion. – ha3flt Dec 25 '22 at 23:24
  • There's a CVE for a WinAPRS remote execution defect: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24702 – user3486184 Dec 26 '22 at 07:13
  • @ha3flt If adding a signature to a packet is illegal because it can't be confirmed that it's only a signature, then it's illegal to transmit anything. Randomly alternating between saying "CQ" three or four times would not be suspicious, but it can secretly convey one bit of information. If you call CQ once every five minutes for eight hours, which would not be suspicious, you could send twelve bytes. I'm sure you could vary a lot more things (do you use phonetics? If so, NATO or "DX"? If not, and your callsign contains a Z, do you say "zee" or "zed"?) to get a much faster rate. – Someone Dec 26 '22 at 07:19
  • Also, if a person using authentication codes was ever charged with making encrypted transmissions, they could prove that it was just a signature by revealing the secret key. At that point it's not a security issue, since the recipient should have already verified the message, and a new key can be chosen afterwards. – Someone Dec 26 '22 at 07:39
  • It's apparently not actually illegal, at least in the US, to transmit messages that cannot be decoded by others, as long as that isn't the goal: 47 CFR 97.113(a)(4) says "No amateur station shall transmit... messages encoded *for the purpose of obscuring their meaning*..." (emphasis mine). If a code that has a legitimate use also happens to obscure the meaning of something, that appears to be legal. (That's likely why digital voice modes using AMBE are legal; the codec does obscure the meaning, but that isn't its purpose.) (I'm not a lawyer and this is not legal advice.) – Someone Dec 26 '22 at 07:46
  • A digital signature certainly is not intended to obscure the meaning of anything. Really, since all of the data is either meaningless (the keys, and any other data used in the process), or easily determined from the rest of the message (a hash of the message content), there is no meaning to obscure, making the issue moot. You can't obscure the meaning of meaningless numbers. (A court might not agree with this, so don't rely on it.) – Someone Dec 26 '22 at 07:48
  • If I say "K1ABC, this is W9XYZ, 483594938583925," I haven't violated 97.113(a)(4). I did not encode anything to get those numbers; I just hit random keys on my keyboard. The reason that their meaning appears to be obscured is that they have no meaning to begin with. The purpose of encryption, or any method of obscuring the meaning of data, could be described as "turning meaningful data into pseudo-meaningless data that can only be made meaningful again by the intended recipient." Digital signatures do not do this. – Someone Dec 26 '22 at 07:52
  • I don't see inconsistency here. Yes, anything can be an encoding method. Let's say if you transfer a certain piece of information by sending two consecutive CQs as a binary value 0 and, with some gap, three consecutive CQs as a binary value 1, you should make this method public to allow anyone to decode and/or to reproduce what you've sent. NOTHING obscured can be in the ham bands in any form at all. Not easy to judge it, though, but e.g. always bad CRCs of APRS packets could theoretically be objects of an investigation even if we are not sooo paranoid (because its importance is almost zero today). – ha3flt Dec 26 '22 at 08:07
  • Btw. that's a good question what "public" means (today). If it counts as legal if something has been put on an official billboard of a municipality then a publicly searchable website anywhere in the world makes it as well... *** My last two notes were written _before_ the other answers, I was just a bit slow. – ha3flt Dec 26 '22 at 08:07
  • Lastly: my premise can be wrong concerning the legal consequences, also I'm in a country with a significantly different past, but I'm pretty sure of the ethics, namely to be fully transparent (meaning decoding and reproducing) for anybody in the ham bands. It may include that sending random characters on purpose is unethical/illegal... I don't think that any kind of cryptography is applicable and appropriate here, that's my opinion, what I wanted to say, and it is not _that_ strict. :-) – ha3flt Dec 26 '22 at 08:24
  • @ha3flt you're misinterpreting the legal ban on encrypted communications: you're not hiding any information there. What gets encrypted with the private key is a hash of the message – which can be both reproduced from the message, and decrypted with the public key, by the receiver. So, signatures are not encrypted comms. I think there were a couple of US court cases actually surrounding that, back from the day of the crypto wars. – Marcus Müller Dec 26 '22 at 12:33
  • @ha3flt if digital signatures are illegal because you could be hiding data in the signature, then calling CQ is also illegal because you could be hiding data in the CQs. – Someone Dec 26 '22 at 17:01
  • "NOTHING obscured can be in the ham bands in any form at all." At least in the US, this is not true. The encoding must be done for the purpose of obscuring the meaning. – Someone Dec 26 '22 at 17:05
  • I'm more concerned about the ethics envisioned by me rather than the legality that seems less restrictive. I just forgot something, and here the dog is buried: "which can be both reproduced from the message, and decrypted with the public key" This could really be disturbing but I forgot somehow, even if it is one of the basic functionalities of the asymmetric method, that I don't need the private key, because anybody having (downloaded) the public key part is able to check the validity of the signature of messages, and it should be enough to make sure we know the purpose of those data bytes... – ha3flt Dec 26 '22 at 23:16
  • @user3486184 that should be an answer, not just a comment. – Marcus Müller Dec 28 '22 at 16:44

3 Answers


I know of at least one app that has been hacked based on data received over the air. Because it was done by an ethical pen tester it didn't adversely affect an unsuspecting party, but nonetheless WinAPRS has had three CVEs opened against it:

The last one (24702) is the most concerning, as it "allows a remote attacker to achieve remote code execution via malicious AX.25 packets over the air." The original developer of WinAPRS no longer has a build environment for the application, so this vulnerability is likely to remain for all WinAPRS users.

Rick Osgood did the original research and filed the vulnerability; his efforts are documented at Hacking Ham Radio: WinAPRS.

user3486184

There are two aspects to communications security here; security issues surrounding invalid data causing issues, and valid data including a command that is itself an inherent security issue.

Addressing the first issue, most ham protocols are sufficiently simple that invalid data causing a security issue is unlikely. Others, like WSJT-X, are actually extremely complicated and most of the design of the protocol is all about detecting and correcting invalid data. To assume that something like WSJT-X is not tested is extremely wrong -- because when you're receiving data from a radio, especially weak signal HF data, the likelihood of receiving corrupted data is extremely high. All radio data protocols need to be robust in handling corrupted data because amateur radio is all about dealing with noise mixed in with your signal.

One of the common ways to test for this type of security vulnerability is to send random data to the program and see if it crashes. With amateur radio, this happens (literally) naturally. I'm not saying that there are no buggy amateur radio programs. What I'm saying is that they will crash from natural noise and it will likely be noticed long before anyone tries to hack them with invalid data, and that these programs do need to be tested for that or they are not going to function well in a real environment. (Of course, cleverly invalid data rather than just randomly invalid data could still be a big issue.)

As to the second point, if the signal carries valid control data for a control command, this is not a radio issue but an issue with the security of the control system. I think a lot of telemetry control protocols rely on it being highly illegal to send unauthorized communications with huge penalties, and don't think a lot about that type of security. Having said that, FCC part 97 specifically authorizes encryption ("that obscures meaning") for only one purpose -- satellite control.

And, as already covered in the comments, I believe cryptographically signing a control packet can be designed so that it does not obscure meaning and thus is not illegal. But I believe the use of cryptographic signatures did not exist when the FCC regulations concerning encryption were written, and the regulations have not been updated with this language -- and possibly don't need to be.

user10489
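As an added example (not code from this thread or from any APRS software), this Go program illustrates the point made in the comments and in the answer above: a hypothetical signed APRS-style packet keeps its body as plaintext, anyone holding the public key can check the appended bytes, and the receiver rejects missing, undecodable or mismatched signatures with an error instead of crashing on noise-corrupted input. The `|` separator framing, the placeholder call sign and the sample packet are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Hypothetical framing, not part of APRS: the base64 signature is appended to
// the plaintext packet after sigSep, so the body stays readable by everyone.
const sigSep = "|"

// SignPacket appends an Ed25519 signature computed over the plaintext packet.
func SignPacket(priv ed25519.PrivateKey, packet string) string {
	sig := ed25519.Sign(priv, []byte(packet))
	return packet + sigSep + base64.StdEncoding.EncodeToString(sig)
}

// VerifyPacket splits a received packet into body and signature and checks it
// with pub; off-air input may be noise-corrupted, so malformed data errors out.
func VerifyPacket(pub ed25519.PublicKey, received string) (string, error) {
	idx := strings.LastIndex(received, sigSep)
	if idx < 0 {
		return "", errors.New("no signature present")
	}
	body, encoded := received[:idx], received[idx+len(sigSep):]
	sig, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", fmt.Errorf("signature not decodable: %w", err)
	}
	if len(sig) != ed25519.SignatureSize {
		return "", errors.New("signature has wrong length")
	}
	if !ed25519.Verify(pub, []byte(body), sig) {
		return "", errors.New("signature does not match body")
	}
	return body, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	signed := SignPacket(priv, "N0CALL>APRS:!4903.50N/07201.75W-Test") // constructed sample
	fmt.Println(signed) // body is still plaintext in front of the separator
	_, tamperErr := VerifyPacket(pub, strings.Replace(signed, "Test", "Tset", 1))
	fmt.Println(tamperErr)
}
```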

That's an excellent question! It's true that software has bugs and in theory one can hack an SDR transceiver and/or PC over ham radio bands. This is also true for regular (non-amateur) SDR receivers, and not necessarily only SDR.

This being said, the modern security world is quite commercialized. People having the expertise necessary to implement such an exploit are smart and their services are not cheap. They are also smart enough to make good money without breaking the law.

So unless Yaesu / Kenwood / ICOM open a bug bounty program, I don't think we will see such attacks in any foreseeable future. To my knowledge such attacks have not been reported as of today.

People do hack other wireless devices though, like Wi-Fi routers, IoT devices (webcams, robot vacuums, even sex toys). These are cheap and often have literally no security. So even if a manufacturer doesn't have a bug bounty program, such devices are a good target to boost the resume of a newcomer to the security world, or just to spend time having fun.