Category Archives: Ham radio

TenTec Omni VII — a great idea, but not too secure

More ham stuff. Sorry gang. I’ll get off this kick sooner or later, but this is what I’m obsessing about these days.

Today’s rant is about a radio that I’d love to buy, but which has some pretty big security holes for a device that’s intended to be hung out on the public Internet.

I’ve been enchanted with the idea of the TenTec Omni VII and was very close to buying one, mostly because of how easy it is to put it on the Internet and it’s “software controlled” architecture. I still think it’s a neat radio but pretty bugged by the complacency implicit in it’s current design, so I dunno whether this is really the radio for me.

Here’s the scoop. I’ll lay it out in three different “cases” — Case One where you’re using the Omni VII on your own local network and not punching a hole in your firewall, Case Two where you’re letting people get at the Omni VII from the Internet (the usual config I would think — certainly the one I want to use) and Case Three which is a kludge where you insert a PC between your firewall and the Tentec.

Case One

Omni VII is configured with an “inside the firewall” IP address (eg 192.168.1.5) and an arbitrary port (eg 5432). Firewall is configured to block traffic from the Internet (the usual configuration of a home firewall). The PC accesses the radio on the chosen port, entirely within the local network.

Implications

The radio isn’t visible from the Internet (unless you’re being attacked by a really heavy-duty hacker)
The radio’s 2-byte (0-65k, all numbers, I think pretty weak) password is not a big issue, as the machine is only being accessed from inside the local network.
There is no user-account “ring-fencing” on the radio, so if an intruder (say a child or guest) gets to the radio on the local network, they have complete control, but presumably you can stop them fairly easily by hitting them with a stick or something.
Denial of service attacks can only be directed to the firewall, not the radio so even if you’re getting pounded on you’re probably ok.

Evaluation

This is pretty secure. You’re running a server (the radio), but you’re not exposing it to the Internet, so fishing expeditions to find the radio will fail (with all the caveats about nothing being totally secure).
It’s also not too useful — you can only get to the radio from your local network, so the whole point of an Internet-accessed remote-controlled radio is lost.

Case Two

Setup

Omni VII is configured with a non-routable “inside the firewall” IP address (eg 192.168.1.3) and an arbitrary port (eg 5432). Firewall is configured to address-translate and forward traffic from a public-routable IP address to that address/port combination.

Implications

The Omni VII is a public server that is visible to anybody on the Internet (with all the attendant security concerns that any public server has)
The IP-address/port/password combination is visible for port-scanning attacks (the radio does not respond to a query unless all three of those are correct, however)
There is no user-account “ring-fencing”, so once the address/port/password have been cracked, all capabilities of the radio (receive, transmit, reconfiguration) are available to the intruder ““ with profound implications for the radio’s license-holder, who will be held accountable for any malicious behavior.
The radio is visible for denial-of-service attacks without the need to hack into the radio

Evaluation

The radio is available to anybody on the Internet, there’s no capability to distinguish between allowed (white-listed) IP addresses and all others
The radio has no limit on the number of failed logon attempts, nor is there any time-delay between attempts, so address/port/password combinations can be presented very quickly
The radio doesn’t log failed logon attempts, nor does it have notification capability to alert the owner that their server (radio) is being attacked
The full capabilities of the radio are available once it’s been penetrated, there’s no “account” structure, nor is there the concept of granting user-rights in the software
The software to access (and exploit) the capabilities of the radio is publicly available on the Internet
The source-code of the software is publicly available on the Internet, so a cracker can read the code to understand the handshaking protocol

Rebuttal

I spoke with folks at TenTec about this. Here are some of the concepts they presented to calm me down.

The radio doesn’t respond unless you get the address/port/password combination correct which makes it pretty stealthy
That address/port/password combination represents a lot of combinations for a hacker to try

Those are Good Things. But that defense presumes that the cracker doesn’t have a lot of brute force available for their attack — which makes me nervous in this day of zombie-pools that number as high as 1.5 million computers (here’s an article about that).

The kids who develop and trade hacking scripts could easily develop a module that looks for these radios and simply add it to the port-scanning scripts that they’re already running. Screaming through 65000 possible passwords per address/port sounds a little extreme, but suppose the Bad Guys are terrorists instead of script-kiddies and they’re looking for these radios as part of a broader attack. Combining the script with a zombie-net of a few hundred thousand computers could flush out a lot of radios.

Suggested Changes

The bad news is that this radio is pretty wide open. The good news is that some relatively simple changes could make it a lot better.

Increase the size of the password from its current two-byte (65k possibilities) size. Tacking on another byte would get you 16 million possibilities, two more bytes would get you to up to almost 5 billion. A couple bytes of storage seems like cheap insurance.
Introduce the concept of authentication failure — after N attempts the radio won’t accept any more attempts for some period of time, after M cycles of that the radio locks out all external log-in attempts until it has been reset from the front panel.
Introduce the concept of “accounts” so that the radio’s owner could grant varying levels of authority to different users (while at the same time adding another layer of cracking difficulty). I’d like to see at least 4 levels of access;
- “Eavesdropping” — for those folks that you just want to let listen to whatever the radio is doing, but not grant any control
- “Receive only” — for folks who you’d like to grant SWL rights
- “Transceive” — for hams who can use the radio to transmit and receive
- “Administrator” — for super-users who can also reconfigure the radio
IP-address white-listing and blacklisting as a way to screen out known black-hats and grant rights to your club or friends
Some kind of security logging and alert capability, so that if you’re getting pounded by a black hat you can figure out what’s going on.

“Why all this crud?? After all, this is just a radio for crying out loud” you ask. Well, it’s not just a radio any more. It’s a server, on the Internet — a place filled with great folks and other folks who aren’t so great. Since we’re responsible for what our stations do, I’d like to see some tools to help us protect those resources from being attacked.

Here’s one solution, if TenTec leaves the radio the way it is…

Case Three

Setup

Omni VII is configured with an “inside the firewall” IP address (eg 192.168.1.3) and an arbitrary port (eg 5432). Firewall is configured to address-translate and forward traffic from a public-routable IP address to a PC running remote-access software. The PC in turn accesses the radio on the chosen port.

Implications

The Omni VII is no longer directly visible to the Internet, the PC is
The “signature” of the radio is no longer visible, so intruders won’t be able to find a radio just by port/password scanning, only the PC (which has a firewall, logging and account-structures in addition to passwords)
The 2-byte password is now masked behind the PC’s much stronger username/password authentication, plus any authentication provided by the remote-access software — thus adding two layers of much stronger authentication
There is still no user-account “ring-fencing” on the radio, so if an intruder gets to the radio they still have complete control
The radio is no longer visible for denial-of-service attacks but the PC is
The “connect this radio directly to the Internet” feature is lost, since this approach requires a PC

That last sentence is a killer. As I said at the top of this post, the simplicity of dropping this radio right on the ‘net without an intervening PC is one of the two things that drew me to this radio in the first place. Putting a PC in the chain makes me sad — but I’m really uncomfortable just hanging this device out there on the big bad Internet with the sketchy security that’s on it right now.

Marcie says it’s time for a walk so I’ll stop obsessing about this and go get some fresh air on this beautiful spring day.

I’ll give the TenTec folks a heads up and invite them to comment. You’re invited to comment as well.

UPDATE:

Some months have passed. I wound up buying a Kenwood TS-2000 and marrying it up with TRX-Manager in the “Case Three” configuration up above. I’m really close to testing the over-the-Internet configuration.

But I realized that I need to be able to dump the radio if the computer or software locks up. Otherwise I could envision the following (bad) scenario… I’m logged on to the radio. I key the mic while it’s keyed the computer or software crashes. Now the radio is keyed on and I can’t get to it to key it off.

The solution to this problem (remote-controlled power switch) is also a solution to the security problem, hence the update to this post. Putting the TenTec on one of these switches would make me a lot more comfortable with Case Two because, unlike the TenTec, the switches have more robust username/password security built in. In that configuration, one could power up the radio when it is needed and leave it powered off the rest of the time. And, if anybody ever captured the radio, you could power it off.

Here are a couple links to switches that I’m looking at;

Synaccess NP-02

DataProbe iBoot

Right now, I’m leaning toward the (geekier, cheaper) Synaccess…

Got my vanity call-sign — KZ0C

Another big milestone today in the Ham Radio saga. The FCC granted my request for a vanity call sign and assigned KZ0C to me. KZ… because it was available. 0C … because i can transmogrify that into OC, which in turn is my last-name initials. A darn nifty call — 4 letters, easy for me to remember, the domain was available, etc.

Getting call letters for radio stations is what led me into domain-names, which have been a really interesting ride over the years. So this vanity-call nonsense sorta fits into a long-term thread in my life. I was assigned a set of call letters when I got my license a few weeks ago (AC0GY) but I never told anybody about that call because I knew I was going to go for a vanity call as soon as I could and didn’t want to confuse people. Now I can go public! Yippee.

Of course I’ve run out and gotten the domain — www.kz0c.com points at www.haven.com right now, but I’ll probably split the ham radio stuff off to the KZ0C site over time.

I’ve found some sites that will charge a little fee to do the vanity call-sign application for you, but I thought I’d just list the steps here in case you want to do it yourself. I didn’t think it was too bad.

Step 1 — go hunting for a good call-sign

There are two places I looked when I was hunting for my vanity call sign. The first one I found was Amateur-Radio.org vanity call letter page where they list all the active 4 and 5 letter calls. They don’t list 6-letter calls ’cause there are way too many. They also have a lot of useful tips and tricks on that page that I found really helpful in completing the application. Since I wanted a call with “0C” in it, I used the search-text function in my web browser to find calls with “0b” (just before) and “0d” (just after) to see if there were any gaps in the list that implied my “0C” call might be available. Found me a bunch that way.

Next I came across the RadioQTH vanity call-letter page . This one is really handy because it lists all the 4 and 5-letter calls that are available. See that grid on the left side of the page called “Available Calls Sorted By”? That’s the place to click — each of the choices will show a different set of available calls. Again, a little browser-based page-searching for the “0C” string got me a refined list. This page is also helpful in that it alerted me to a few calls that I couldn’t get even though they showed up as available on the Amateur-Radio list — mostly because they are in a two-year wait period.

The last place I stopped, to verify my choices, was the FCC callsign lookup page. This is a part of the FCC Universal Licensing System (which you’re gonna have to use to finish this project). I like the fact that the FCC has put this stuff online. The system’s a little clunky, but it gets the job done and it sure beats the huge paper-processing hassles I went through when I filed broadcast FM licenses back when I did community radio stations.

Step 2 — go apply for the call letters

I did this by logging into the FCC’s Universal Licensing system and heading over to their vanity call sign page. I found the process to be pretty much like any online-store type thing. The FCC suggests submitting more than one set of call letters so that if my first choice was taken by the time they review the application (which mine was — my first choice was KQ0c), they can still grant the call. They charge a fee — I recall it being around $25 — which covers the license for 10 years. Compared to domain-names, a bargain!

By the way, there’s a bug in the FCC’s system. When I typed in my choices, the grid was numbered left-to-right then top-to-bottom. But when I looked at the online “reference copy” of the application, the grid was numbered top-to-bottom then left-to-right. But my choices were in the positions that I’d entered them online. Yikes! I called the FCC and the nice person there patted me on the head, said “there there” and assured me that my preference sequence had been preserved. It just shows up wrong in the reference copy of the app.

Step 3 — bite nails and hope for the best

This is a long tradition amongst people who apply for call letters. It used to drive me nuts back in the community radio days. My favorite story was the first set of call letters I applied for in Madison. I was all set to go with WOMB (in the cradle of the revolution, Madison, WI) until wiser heads prevailed. So we settled on WART (which was available). We submitted the application, nail-biting ensued and dang! We missed that one! I called up the station that got it and asked them why on earth they wanted WART??? They came back saying “because we’re an ARTs station!” I came back with “yeah but don’t you see? you’ve got WART!” They were stunned. But they didn’t want to give up the call so we settled for our second-choice which was WORT.

Now days the nail-biting is web-enhanced because now you can watch your application fight its way through the process, and you can watch all those other people go after the same calls you covet. The place to do all this is the RadioQTH vanity call page, except this time you click in the “Filed Applications” grid on the right side of the page. I think their database is several days behind the FCC’s — I’m looking at it right now and it doesn’t reflect that I’ve gotten the KZ0C call yet. It still shows my application as in progress, even though they predicted the day that they estimated the call would appear in the FCC database on the nose.

So here I am — the proud owner of a really neat set of call letters. I’m going to find out everything I can about the previous holder(s) of this call. The person I’ve found so far is James Bohnsack who lived in Waterloo, Iowa. It seems to me that, since I’m not the first person to occupy this little piece of ham-radio real-estate, I need to honor those who’ve been here before me. If any family or friends of Mr. Bohnsack happen across this little blog entry, I’d love to hear from you!

Remote transceiver and antenna

This is an ongoing post that I’m going to use as a scratchpad to document the “put a ham station on top of the ridge” project.

Updated – maps (aerial, topo, elevation)

Here’s a picture of “the problem”

The farm is a wonderful place, and the house is in a nifty location. South-facing so it gets lots of sun in the winter, huddled in the valley out of the way of the prevailing north winds, close to the water table so the well isn’t very deep, etc. A great spot for a house. But a lousy spot for a ham-radio antenna. The arrow points to a much better spot for the antenna. The question; how to make that work?

Here’s the latest block diagram of The Plan

This’ll change as I get smarter, but it’s a first-try. There are some interesting choices;

– Should there be a PC up there to do the housekeeping on the serial-port, or can I push serial through the transceiver?

I’m going to use a TenTec Omni VII radio, which can push serial out the back — which may or may not work for controlling the antenna rotor. The cool thing about the Omni VII is that it can be directly controlled via Ethernet, which eliminates a lot of fussiness.

– Where should the WiFi access point be?

Right now, I’m leaning towards mounting the AP up near the WiFi antenna, to keep the coax run between the AP and the antenna as short as possible. That means either running AC power up the tower, or using power over Ethernet. I’m not keen on having 120v power on a steel tower that I’ll be climbing around on, so I like POE as the solution. Looks like the distance won’t be a problem — max according to the spec is 100 meters — I’ll only be going about 30.

Here’s a picture of the tower

I used to have a wind turbine mounted on this old water-pumper tower. But the whole shebang came down when we moved and it’s been sitting in the weeds ever since. This will be a great chance to recycle this 50-foot tower.

Update – maps

Did me some fooling around with the mapping program tonight. Here’s the result.

This is an aerial view — the red line is between the house and the field where the tower could go.

This is a topographical view…

And this is that same line, but showing distance and elevation. It’s looking like the 50 foot windmill tower would “see” the house, but only with some tree-cutting. A 100 foot tower would be a cool thing. Then I would be at 1300 feet, which gives me a line of sight shot into Eau Claire and Winona. I’ve got a line on a really neat 100′ Pirod tower from my friend Don Overbye.

Here’s a wide-area map — some interesting possibilities. Winona and Eau Claire are about 25 miles, Alma’s around 14 miles and Wabasha’s about the same. Maybe I could get tied into a repeater network or two… Or get me some high-speed Internet access with a microwave shot…

Repater Map

Here’s one of the great maps from the Milwaukee Area Amateur Society site that shows where I set in relation to the repeaters that they’re tracking.

Ham license

I’ve always wanted to be in the amateur radio type guy, but never had the gumption to pass the Morse-code part of the deal. But the code-requirement went away a couple weeks ago. I was planning to take the test the day after that, but I got skunked by the huge snow storm that rumbled through.

So I took the exam today. Passed all three sections I did, by golly. So today, St Patrick’s Day, 2007, I’m finally in the ham gang. No call-letters yet, but this is the “hello world” post of this amateur Extra type guy.

Since my house (at the farm) is way down in a valley, it’s going to be a while before I actually get on the air. I’ve got a boatload of projects to do — gotta put up an old windmill tower on the top of the hill, figure out antenna-mounting, figure out power and Ethernet up there (might do solar power and long-distance WiFi), figure out remote controlling the transmitter and antenna rotor from down here at the house, etc. The classic ham project. Should keep me entertained for at least 6 months.

Woohoo!