[rickostuff]

I spent a lot of time last year researching packet radio software for vulnerabilities. I found a remote code execution (RCE) vulnerability in WinAPRS that let me hack into a system over the air. The result is a reverse shell obtained over ham radio where the victim machine doesn't have to be connected to Ethernet at all, as long as they are running a WinAPRS station. Is it practical? Not really. But it was fun and I learned a lot. I always wondered if I could get RCE via ham radio through memory corruption and it feels good to have proved to myself that I can do it.

[kloch]

Another place to look is DSD/mbelib, although to exploit you would have to transmit on a frequency they were monitoring and any replies/confirmation would have to come from another path (Internet). Since a common use case for that software is monitoring public safety frequencies an exploit might actually be practical for law enforcement agencies.

[rickostuff]

I'm not familiar with DSD/mbelib but based on what I saw with a quick web search this sounds like a really interesting attack vector. I do want to perform some more research in this area, so thanks for the idea.

[jcims]

Be sure to look at both the control channel and voice codecs. It's been a minute but IIRC there are a few open source implementations for both.

Finding a bug in RDS would be pretty funny - https://en.wikipedia.org/wiki/Radio_Data_System

[thereddaikon]

There was an unintentional one earlier this year. Seattle's local NPR station bricked some Mazda infotainment sets by sending malformed data. https://arstechnica.com/cars/2022/02/radio-station-snafu-in-...

[ugjka]

That wasn't RDS but HD radio's data stream

[Gordonjcp]

I can't find it now, but in the olden days of the Internet I read an article about how an up-and-coming band had "hacked" RDS to switch radios to play their song when it was played out on the local station.

The local station had a UHF link from the studio to the TX site that was audio only, a very common setup in the mid-90s, and the RDS flag on the transmitter was switched "in band" by sending a burst of tones over the audio feed, right at the start of the traffic jingle. Slap the traffic announce jingle cart in, hit the button, tune starts with just three quick DTMF digits. Uh-huh, you're seeing where this is going, right?

So if you put those three DTMF digits at the start of your single... :-D

[jcims]

I know this isn’t a substantive reply to your content but that’s amazing! I love it.

[rickostuff]

I'm going to have to see what I can find about this incident. Sounds like the early days of phone phreaking. Awesome!

[GekkePrutser]

Mbelib is of questionable legality as it implements a codec patented by DVSI. Indeed you might trigger some vulnerability at a hobbyist but a professional would never use it.

And public safety channels here are all encrypted so there's nothing to listen to, perhaps in the US that's not the case.

[codys]

There's a long history of open source software implementing patented algorithms, especially in the video and audio codec space. Those open source implementations are definitely used by professionals, so I would recommend not being so assured about the scope of use of software that may contain patented algorithms.

The vocal data on public safety channels being reported as encrypted does not necessarily say that there could be no vulnerability there. There's lots of control data that may or may not be encrypted, and encryption does not prevent all kinds of attacks here.

[GekkePrutser]

No I was just talking about the codec of course.

But nobody sells radio sets based on mbelib except the Chinese budget brands (e.g. baofeng) which have circumvented DVSI's patent by setting up a local company that sells the patent because they say they own it (even though they have no right to do it, but DVSI can't sue them in China). But all the public safety ones I've seen are brands like motorola and hytera that buy the real DVSI codecs.

But I'm not saying there are no other vulnerabilities. I'm just saying that there will not be many people using mbelib to listen to public safety frequencies because there is nothing to listen to as it's encrypted.

[_joel]

Excellent write up, bonus points if you can do an RCE via ISS repeater :D

[landr0id]

Excellent work! As I learned more about digital modes and packet radio I had similar thoughts! This is a really cool writeup and I'm stoked someone looked into this.

[heavyset_go]

What's the legality surround security research like this with ham radio? I was under the impression that the airwaves are highly regulated and those regulations could hamstring (forgive the pun) security research, but I also know next to nothing about it.

[rickostuff]

I'm not a lawyer, but I used my real callsign when doing anything over the air. I used known protocols, no encryption, nothing commercial, etc. This was all against my own lab systems. I don't think I crossed any legal lines here. It probably would have been even better to use some kind of dummy load to further reduce the range of my transmissions but I didn't have anything like that to use at the time. I just kept my power as low as I was able.

[heavyset_go]

Cool, thanks for the details.

[xen2xen1]

Sounds like a first, though I would not know.

[rickostuff]

I couldn't find where anyone else had done this before with ham radio. That was another motivating factor. It was an interesting new (but, actually old) attack vector. I've always been interested in weird attack vectors like this. I've read some fun research in the past about infrared communications, magnetic strips, etc. Things that are all around us but we don't really think of as attack vectors.

[ImpulseGuided]

>I've read some fun research in the past about infrared communications, magnetic strips, etc. Things that are all around us but we don't really think of as attack vectors.

Any particular source that you would recommend to start learning about these vectors?

[rickostuff]

The resources that come to mind are actually all videos of Defcon talks by the same person (Major Malfunction aka Adam Laurie). They are pretty old now, but still interesting.

Infrared Hacking: https://www.youtube.com/watch?v=61Fo-zg-DqI

Magstripe Hacking: https://www.youtube.com/watch?v=ITihB1c3dHw

Satellite Hacking: https://www.youtube.com/watch?v=PyXZX63etog

These all hit the sweet spot for me of technologies we use all the time but don't really consider the security implications.

[ImpulseGuided]

Thank you very much for linking these.

By the way, did you catch yesterday's thread on the Hack-a-Sat(ellite) CTF?

>https://news.ycombinator.com/item?id=31559117

Also congratulations on passing the OSED. Reading your 5-part report it looks like you got your money's worth.

Did you study for the OSED full-time or did you manage to complete all studying and tasks after work?

[rickostuff]

Thanks! I actually took three OffSec courses last year. The first one I did was the OSWP (wifi) as a sort of warm up because it's the easiest course they offer and I knew I could knock that out pretty quick. Then I took the OSEP course which was a ton of content. Finally I took the OSED which was another ton of content and the most technical of those three. My work gave me 40 hours of in-office time to last year for training. I can't recall if I used that 40 hours for the OSEP or OSED, but I know I used it for one of those two. However, I still put in a ton of hours on my own time too. It's just a lot of content to go through. 40 hours isn't enough time for either of those courses in my opinion. Having no children (and an understanding spouse) made it easier for me to dedicate a lot of personal time on the training. I love OffSec's stuff though and recommend it to anyone who is into offensive security and wants practical training.

[amatecha]

Yeah, I've thought about this a lot with the increased popularity of digital modes. Especially those small programs made by one or two people, just as you identified. I mean, I crashed a friend's radio simply by sending him an SMS over DMR (seems like a known issue/limitation with the radio firmware). Even well-established products are susceptible to attacks. No different from any other modern tech I guess :)

[rickostuff]

I'd like to spend some time digging into radio/tnc firmware for vulnerabilities but that's a bit over my head. I've managed to dump the firmware from my TNC but I haven't found a good way to get it disassembled yet. I've got a partial disassembly, but that's it. Unfortunately, I won't have more time to work on that for a few months.

[hoppla]

I fuzzed the direwolf aprs software using AFL some years back, but nothing interesting showed up. I too found RCE over HAM intriguing. Good work!

[alimov]

Thanks for the write up and video demo

[jacquesm]

Very neat hack!