Security News > 2021 > July > Software maker removes "backdoor" giving root access to radio devices
The author of a popular software-defined radio project has removed a "Backdoor" from radio devices that granted root-level access.
The backdoor had been, according to the author, present in all versions of KiwiSDR devices for the purposes of remote administration and debugging.
Yesterday, Mark Jessop, an RF engineer, and radio operator came across an interesting forum post in which the author of the KiwiSDR project admitted to having remote access to all radio receiver devices running the software.
Another user, M. dug out a 2017 forum thread where KiwiSDR's developer admitted that a backdoor indeed provided them with remote access to all KiwiSDR devices.
"These KiwiSDRs are used for receiving HF radio stations. The backdoor itself doesn't give an attacker any special SDR access, just that they can access the console of the device and start pivoting into networks," ethical hacker xssfox told BleepingComputer.
"No way. Back doors are never okay. Password was sent in the clear, as HTTPS isn't supported. Eventually someone would have exploited this. Hell, someone might have already exploited this and we just don't know about it," said one of the users in a thread. KiwiSDR users should upgrade to the latest version v1.461 released today on GitHub that removes the backdoor from their radio devices.