TenTec Omni VII — a great idea, but not too secure
More ham stuff. Sorry gang. I'll get off this kick sooner or later, but this is what I'm obsessing about these days.
Today's rant is about a radio that I'd love to buy, but which has some pretty big security holes for a device that's intended to be hung out on the public Internet.
I've been enchanted with the idea of the TenTec Omni VII and was very close to buying one, mostly because of how easy it is to put it on the Internet and its "software controlled" architecture. I still think it's a neat radio, but I'm pretty bugged by the complacency implicit in its current design, so I dunno whether this is really the radio for me.
Here's the scoop. I'll lay it out in three different "cases" -- Case One, where you're using the Omni VII on your own local network and not punching a hole in your firewall; Case Two, where you're letting people get at the Omni VII from the Internet (the usual config I would think -- certainly the one I want to use); and Case Three, which is a kludge where you insert a PC between your firewall and the TenTec.
Case One
Setup
Omni VII is configured with an “inside the firewall” IP address (e.g. 192.168.1.5) and an arbitrary port (e.g. 5432). Firewall is configured to block traffic from the Internet (the usual configuration of a home firewall). The PC accesses the radio on the chosen port, entirely within the local network.
Implications
- The radio isn't visible from the Internet (unless you're being attacked by a really heavy-duty hacker)
- The radio's 2-byte password (a number from 0 to 65535, which I think is pretty weak) is not a big issue, as the machine is only being accessed from inside the local network.
- There is no user-account “ring-fencing” on the radio, so if an intruder (say a child or guest) gets to the radio on the local network, they have complete control, but presumably you can stop them fairly easily by hitting them with a stick or something.
- Denial of service attacks can only be directed at the firewall, not the radio, so even if you're getting pounded on you're probably OK.
Evaluation
- This is pretty secure. You're running a server (the radio), but you're not exposing it to the Internet, so fishing expeditions to find the radio will fail (with all the caveats about nothing being totally secure).
- It's also not too useful -- you can only get to the radio from your local network, so the whole point of an Internet-accessed remote-controlled radio is lost.
Case Two
Setup
- Omni VII is configured with a non-routable “inside the firewall” IP address (e.g. 192.168.1.3) and an arbitrary port (e.g. 5432). Firewall is configured to address-translate and forward traffic from a public-routable IP address to that address/port combination.
Implications
- The Omni VII is a public server that is visible to anybody on the Internet (with all the attendant security concerns that any public server has)
- The IP-address/port/password combination is visible for port-scanning attacks (the radio does not respond to a query unless all three of those are correct, however)
- There is no user-account “ring-fencing”, so once the address/port/password have been cracked, all capabilities of the radio (receive, transmit, reconfiguration) are available to the intruder – with profound implications for the radio’s license-holder, who will be held accountable for any malicious behavior.
- The radio is visible for denial-of-service attacks without the need to hack into the radio
Evaluation
- The radio is available to anybody on the Internet, there's no capability to distinguish between allowed (white-listed) IP addresses and all others
- The radio has no limit on the number of failed logon attempts, nor is there any time-delay between attempts, so address/port/password combinations can be presented very quickly
- The radio doesn’t log failed logon attempts, nor does it have notification capability to alert the owner that their server (radio) is being attacked
- The full capabilities of the radio are available once it’s been penetrated, there’s no “account” structure, nor is there the concept of granting user-rights in the software
- The software to access (and exploit) the capabilities of the radio is publicly available on the Internet
- The source-code of the software is publicly available on the Internet, so a cracker can read the code to understand the handshaking protocol
Rebuttal
I spoke with folks at TenTec about this. Here are some of the concepts they presented to calm me down.
- The radio doesn't respond unless you get the address/port/password combination correct which makes it pretty stealthy
- That address/port/password combination represents a lot of combinations for a hacker to try
Those are Good Things. But that defense presumes that the cracker doesn't have a lot of brute force available for their attack -- which makes me nervous in this day of zombie-pools that number as high as 1.5 million computers (here's an article about that).
The kids who develop and trade hacking scripts could easily develop a module that looks for these radios and simply add it to the port-scanning scripts that they're already running. Screaming through 65000 possible passwords per address/port sounds a little extreme, but suppose the Bad Guys are terrorists instead of script-kiddies and they're looking for these radios as part of a broader attack. Combining the script with a zombie-net of a few hundred thousand computers could flush out a lot of radios.
Suggested Changes
The bad news is that this radio is pretty wide open. The good news is that some relatively simple changes could make it a lot better.
- Increase the size of the password from its current two-byte (65k possibilities) size. Tacking on another byte would get you 16 million possibilities; two more bytes would get you up to almost 5 billion. A couple bytes of storage seems like cheap insurance.
- Introduce the concept of authentication failure -- after N attempts the radio won't accept any more attempts for some period of time, after M cycles of that the radio locks out all external log-in attempts until it has been reset from the front panel.
- Introduce the concept of "accounts" so that the radio's owner could grant varying levels of authority to different users (while at the same time adding another layer of cracking difficulty). I'd like to see at least 4 levels of access:
  - "Eavesdropping" -- for those folks that you just want to let listen to whatever the radio is doing, but not grant any control
  - "Receive only" -- for folks who you'd like to grant SWL rights
  - "Transceive" -- for hams who can use the radio to transmit and receive
  - "Administrator" -- for super-users who can also reconfigure the radio
- IP-address white-listing and blacklisting as a way to screen out known black-hats and grant rights to your club or friends
- Some kind of security logging and alert capability, so that if you're getting pounded by a black hat you can figure out what's going on.
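To make the list above concrete, here is a small prototype of the kind of access-control layer it describes: a wider secret, a failed-attempt counter with timed lockout after N failures and a hard lock after M lockouts (cleared only by a front-panel reset), four account levels, address white/black-listing, and a security log that carries alert lines. This is added example code written for this post, not TenTec firmware or anything from the Omni VII software; the account names, level names, command-to-level mapping, addresses and 4-byte secrets are all constructed for the demonstration, and `now` is simply a caller-supplied clock in seconds.

```python
# Prototype of the access-control layer proposed above (constructed example, not TenTec code).
import ipaddress
import secrets
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Hypothetical access levels matching the four proposed in the post."""
    EAVESDROP = 1   # listen to whatever the radio is doing, no control
    RECEIVE = 2     # tune and listen (SWL rights)
    TRANSCEIVE = 3  # transmit and receive
    ADMIN = 4       # reconfigure the radio


# Least privilege each command needs (constructed mapping).
REQUIRED = {"listen": Level.EAVESDROP, "tune": Level.RECEIVE,
            "transmit": Level.TRANSCEIVE, "configure": Level.ADMIN}


@dataclass
class Account:
    name: str
    level: Level
    secret: bytes  # 4 bytes here, instead of the radio's 2-byte passcode


@dataclass
class Gatekeeper:
    accounts: dict
    allow_nets: list = field(default_factory=list)  # white-list; empty means any address
    deny_nets: list = field(default_factory=list)   # black-list, checked first
    max_attempts: int = 5        # N failures from one source before a timed lockout
    lockout_seconds: int = 300
    max_lockouts: int = 3        # M timed lockouts before remote login is disabled
    failures: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)
    lockout_cycles: int = 0
    hard_locked: bool = False
    log: list = field(default_factory=list)         # security log; ALERT lines feed notification

    def _ip_permitted(self, ip):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.deny_nets):
            return False
        return not self.allow_nets or any(addr in net for net in self.allow_nets)

    def authenticate(self, ip, name, secret, now):
        """Return the caller's Level, or None on any failure (the caller learns nothing more)."""
        if self.hard_locked:
            self.log.append(f"{now} {ip} rejected: hard lock, front-panel reset required")
            return None
        if not self._ip_permitted(ip):
            self.log.append(f"{now} {ip} rejected: address not permitted")
            return None
        if self.locked_until.get(ip, 0) > now:
            self.log.append(f"{now} {ip} rejected: in lockout")
            return None
        acct = self.accounts.get(name)
        # Constant-time compare, against a dummy when the name is unknown, so response
        # timing does not reveal which account names exist.
        expected = acct.secret if acct else bytes(len(secret))
        if acct is None or not secrets.compare_digest(expected, secret):
            self.failures[ip] = self.failures.get(ip, 0) + 1
            self.log.append(f"{now} {ip} auth failure #{self.failures[ip]} for {name!r}")
            if self.failures[ip] >= self.max_attempts:
                self.failures[ip] = 0
                self.locked_until[ip] = now + self.lockout_seconds
                self.lockout_cycles += 1
                self.log.append(f"{now} ALERT {ip} locked out for {self.lockout_seconds}s")
                if self.lockout_cycles >= self.max_lockouts:
                    self.hard_locked = True
                    self.log.append(f"{now} ALERT remote login disabled until front-panel reset")
            return None
        self.failures.pop(ip, None)
        self.log.append(f"{now} {ip} login ok as {name} ({acct.level.name})")
        return acct.level

    def authorize(self, level, command):
        """Ring-fencing: a session may only issue commands at or below its level."""
        return level is not None and level >= REQUIRED[command]

    def front_panel_reset(self):
        """Only a hands-on operator at the radio can clear a hard lock."""
        self.hard_locked = False
        self.lockout_cycles = 0
        self.failures.clear()
        self.locked_until.clear()


def demo():
    """Walk through a guesser being locked out and a club member getting exactly their rights."""
    gk = Gatekeeper(
        accounts={"w5ntq": Account("w5ntq", Level.TRANSCEIVE, b"\x12\x34\x56\x78"),
                  "owner": Account("owner", Level.ADMIN, b"\xde\xad\xbe\xef")},
        allow_nets=[ipaddress.ip_network("203.0.113.0/24"),   # club net (TEST-NET-3, constructed)
                    ipaddress.ip_network("192.168.1.0/24")],  # the home LAN
        max_attempts=3, lockout_seconds=60, max_lockouts=2)
    guesser = "203.0.113.77"
    for i in range(3):  # three wrong passcodes trip the timed lockout
        gk.authenticate(guesser, "owner", i.to_bytes(4, "big"), now=100 + i)
    locked = gk.authenticate(guesser, "owner", b"\xde\xad\xbe\xef", now=110)  # right key, still refused
    level = gk.authenticate("192.168.1.20", "w5ntq", b"\x12\x34\x56\x78", now=120)
    outsider = gk.authenticate("198.51.100.9", "owner", b"\xde\xad\xbe\xef", now=130)  # not white-listed
    return {"locked_out_with_right_key": locked, "club_level": int(level),
            "can_transmit": gk.authorize(level, "transmit"),
            "can_configure": gk.authorize(level, "configure"),
            "outsider": outsider, "alerts": [line for line in gk.log if "ALERT" in line]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The lockout is keyed per source address so a guesser cannot lock out the owner from another network, while the hard lock is global, since the point of that stage is to take the radio off the air for remote callers until someone standing in front of it decides otherwise.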
"Why all this crud?? After all, this is just a radio for crying out loud" you ask. Well, it's not just a radio any more. It's a server, on the Internet -- a place filled with great folks and other folks who aren't so great. Since we're responsible for what our stations do, I'd like to see some tools to help us protect those resources from being attacked.
Here's one solution, if TenTec leaves the radio the way it is...
Case Three
Setup
Omni VII is configured with an “inside the firewall” IP address (e.g. 192.168.1.3) and an arbitrary port (e.g. 5432). Firewall is configured to address-translate and forward traffic from a public-routable IP address to a PC running remote-access software. The PC in turn accesses the radio on the chosen port.
Implications
- The Omni VII is no longer directly visible to the Internet; the PC is
- The “signature” of the radio is no longer visible, so intruders won’t be able to find a radio just by port/password scanning, only the PC (which has a firewall, logging and account-structures in addition to passwords)
- The 2-byte password is now masked behind the PC’s much stronger username/password authentication, plus any authentication provided by the remote-access software -- thus adding two layers of much stronger authentication
- There is still no user-account “ring-fencing” on the radio, so if an intruder gets to the radio they still have complete control
- The radio is no longer visible for denial-of-service attacks but the PC is
- The “connect this radio directly to the Internet” feature is lost, since this approach requires a PC
That last sentence is a killer. As I said at the top of this post, the simplicity of dropping this radio right on the 'net without an intervening PC is one of the two things that drew me to this radio in the first place. Putting a PC in the chain makes me sad -- but I'm really uncomfortable just hanging this device out there on the big bad Internet with the sketchy security that's on it right now.
Marcie says it's time for a walk so I'll stop obsessing about this and go get some fresh air on this beautiful spring day.
I'll give the TenTec folks a heads up and invite them to comment. You're invited to comment as well.
UPDATE:
Some months have passed. I wound up buying a Kenwood TS-2000 and marrying it up with TRX-Manager in the "Case Three" configuration up above. I'm really close to testing the over-the-Internet configuration.
But I realized that I need to be able to dump the radio if the computer or software locks up. Otherwise I could envision the following (bad) scenario... I'm logged on to the radio. I key the mic, and while it's keyed the computer or software crashes. Now the radio is keyed on and I can't get to it to key it off.
The solution to this problem (remote-controlled power switch) is also a solution to the security problem, hence the update to this post. Putting the TenTec on one of these switches would make me a lot more comfortable with Case Two because, unlike the TenTec, the switches have more robust username/password security built in. In that configuration, one could power up the radio when it is needed and leave it powered off the rest of the time. And, if anybody ever captured the radio, you could power it off.
Here are a couple links to switches that I'm looking at:
Right now, I'm leaning toward the (geekier, cheaper) Synaccess...
April 20th, 2007 at 6:27 pm
Does the Omni VII respond to ICMP? There has been a great deal of research done with ICMP and fingerprinting. If it does, then I suspect it is reasonable to assume that an attacker would be able to ID the OS on the device, if not the device itself.
I think the key question that still needs to be answered is what happens if I send a properly formatted packet to the right IP/UDP port pair, but have the wrong password. If it is silently dropped then it would be very difficult for an attacker to know they had the right UDP port targeted.
I'd sure like the opportunity to put one of these on a network with a sniffer and fuzzer and throw some packets its way. That would be a lot of fun.
April 20th, 2007 at 8:02 pm
ICMP? Good question for the TenTec folk. I agree that silently dropping the packets would be a Good Thing, but I'm still edgy about "stealth" being the only security strategy given the power of brute force attacks that can be mounted these days. I also wonder whether the radio ships with "default" values for the port. If it does, then I bet a bunch of the radios will just be out there with that port configured -- which means now all ya gotta do is crack that small password.
I also agree -- it would be great to sniff/fuzzer the radio and see how it behaves. Anybody want to volunteer a radio to be a guinea pig?
May 12th, 2007 at 5:30 am
Have a scout unit that is considering buying a Ten Tec product. Appreciate very much your concern for security. One would like to think Ten Tec would follow your advice. Any guess what it would cost them to do so?
May 12th, 2007 at 6:13 am
One of the nice things about the radio is that it's software controlled -- which means a lot of the changes can be done without changing the radio. Almost all of the ideas I proposed have pretty well-known software solutions -- perhaps even code out there that they could pick up and re-use. So I don't think it would be hugely expensive. Certainly, tripling the size of the password wouldn't be a big effort at all.
May 16th, 2007 at 10:58 am
Why not just have a high security power strip that could be turned on and off via the Ethernet/Internet? If no power to the Omni VII then no response to hackers. Take a Linux firewall computer and just control an Ethernet ready power strip. Now the Omni VII control is not burdened with having to go through the PC firewall. When done operating, turn the remote station off. Better protection from hackers and lightning. See
http://www.leunig.de/_en/_news/prs/2002_02_eps/eps_mfot.htm
http://www.wti.com/power.htm?gclid=CKT2m9iTk4wCFQh7IgodLSsp5Q
May 16th, 2007 at 6:44 pm
Just put a challenge response device in front of the radio and use a DHCP service rather than static IP. Then subscribe to a dynip service, take two aspirin and stop obsessing. Hackers and script kiddies have no interest in ham radio and terrorists don't really care either.
I suspect one chip could provide the good features in the radio that are currently missing but I doubt we'll see it.
The one thing you missed in all of your fearfulness is that most of the time the radio is turned off. That drops the risk significantly and is nothing like having a full time broad band connection with the back door open. The other point is hackers are looking for doors that lead to something that contains credit card information or something of value... I will bet you that you can hang that radio on a DSL line, leave it on all the time, and never get a hit from a hacker - The O7 is just not what criminals and dirt bags are looking for these days. It is valueless to these low lifes. If you put a PC in front of it with an operating system then you'd better fit the target specs of the hackers.
I've operated Internet remote stations for over seven years... using the PC, PCA, router combo. Never had a problem. Then again, the system is on dial-up so perhaps the hackers are just not interested in the slow connections, haha.
A very nice write-up and like you I would have been happier with TENTEC if they had put a bit more into the Internet interface architecture. But hey, perhaps O7A will have the right stuff.
73,
dave
wa3gin
June 27th, 2007 at 5:06 am
Alternately go and buy yourself a Cisco router and use their VPN software to IPsec tunnel into your router giving yourself a local (not Internet) address. This gives the security of #3 without the PC. I'm sure that there must be some home router that can do something similar.
It certainly looks very interesting but it would be nice to find out what codecs they're using - the quoted bandwidth is ridiculous for a comms device. I'd expect about 30Kbs not 150Kbs
73,
Joe VK4TU
September 7th, 2007 at 8:04 pm
Ten-Tec should not promote this radio as Internet ready. This implies, as you suggest, some level of expertise at Internet server security. They should, instead, promote it as "network" ready, which suggests Ethernet pluggability.
With that description we get the idea this is a device with the convenience of network control, but no expectation of security.
This puts the user in control over how to make any network device available from the Internet using items for just that purpose.
Nobody should expect TenTec to make a radio that is secure on the public Internet for the same reasons we don't expect the same from a network printer.
Great radios and cool ways to control it should be the domain of TenTec.
Secure ways to control this radio over the Internet squarely belong in the realm of IT professionals and proper purpose built secure routing equipment.
73
John
October 10th, 2007 at 9:49 am
I agree with the VPN comment by Joe VK4TU if not having a PC switched on is a key requirement. Quite a lot of home routers support not only VPN pass-through but also acting as VPN endpoints now. Agreed it is a pain setting it up and there may be problems depending on the policy of the network you want to access it from, but think of the other possibilities that a VPN will bring. Oh, btw, your images of the various set-ups seem to be linking to haven.com, not haven2.com for me, which means I get redirected to a camping website!
Rj
October 12th, 2007 at 1:28 pm
Argh -- Sorry about the pictures being broken RJ. I sold the haven.com domain a while back and missed those links when I updated this blog. Should be working now.
December 11th, 2007 at 12:21 pm
Great discussion, with a lot of food for thought. I'm very interested in the Omni VII and would like to have secure access via the Internet if the security issues are ever worked out.
However, I would like to point out that the functionality offered by your "Case 1" is nothing to sneeze at. Being able to access my transceiver via my wireless network from a laptop anywhere in the house is very appealing to me. I would be able to operate without hiding out in the basement where my station is located. That's a valuable capability in itself.
73,
Steve
** Mike says **
Absolutely. No argument there. It's only when you make the radio visible to the Internet that I get cranky. I wound up buying a Kenwood TS-2000 and marrying it up with an Internet-controlled power-outlet, partly based on W5NTQ's post up above. Click HERE for a link to the block diagram of the rig as I'm running it right now. It's pretty much Case 3 above, but the PC is doing more work because it's also hosting the remote-control software. I'm really liking that setup.
February 15th, 2009 at 2:43 pm
I know this is an old subject but IF you ever go back to this in the future I have another gripe. In addition to the problems which you point out with security, the one thing that bugged me when I set my OMNI up was changing the PORT and PASSCODE. To change these from the default required incrementing up (or down) from the default setting using the multi-knob. I would expect most users would stop at a lower PORT and PASSCODE (a -yuk- keep the defaults) because to get to the higher number takes a lot of work. This reduces the effective 1 in 64K of hacking. The Omni has a 0-9 keypad but I could find no way of using it to change the PORT or PASSCODE.
December 18th, 2009 at 3:21 pm
I think you are all making a mountain out of a mole hill here !
It's really very simple to secure the radio, just use Open-VPN or the VPN services of your internet router!