Vulnerability

ICOM G2 systems running D-Plus

I was recently asked to assist with a vulnerability assessment investigating the exposure of 'personally identifiable data' on an ICOM G2 system running D-Plus and D-Extra.

We first unlinked the local module from all external systems, i.e., a REF reflector. Using tcpdump, we then monitored ports 20001 through 20005 and captured the following data after each local transmission. Remember that the local module had first been unlinked from the REF reflector:

 

14:31:16.215268 IP 10.0.0.2.20001 > 65.254.57.90.20001: UDP, length 9
0x0000: 4500 0025 0000 4000 4011 b56e 0a00 0002 E..%..@.@..n....
0x0010: 41fe 395a 4e21 4e21 0011 6896 0900 1800 A.9ZN!N!..h.....
0x0020: 0232 3267 20 .22g.


14:31:34.055831 IP 74.81.92.92.20001 > 10.0.0.2.20001: UDP, length 9
0x0000: 4500 0025 0000 4000 2e11 9c19 4a51 5c5c E..%..@.....JQ\\
0x0010: 0a00 0002 4e21 4e21 0011 1747 0900 1800 ....N!N!...G....
0x0020: 02a1 30f2 4700 0000 0000 f0fb 3c86 ..0.G.......<.


14:31:34.055945 IP 10.0.0.2.20001 > 74.81.92.92.20001: UDP, length 9
0x0000: 4500 0025 0000 4000 4011 8a19 0a00 0002 E..%..@.@.......
0x0010: 4a51 5c5c 4e21 4e21 0011 3d41 0900 1800 JQ\\N!N!..=A....
0x0020: 0232 3267 20 .22g.


14:31:34.056037 IP 74.81.92.92.20001 > 10.0.0.2.20001: UDP, length 9
0x0000: 4500 0025 0000 4000 2e11 9c19 4a51 5c5c E..%..@.....JQ\\
0x0010: 0a00 0002 4e21 4e21 0011 1747 0900 1800 ....N!N!...G....
0x0020: 02a1 30f2 4700 0000 0000 f0fb 3c86 ..0.G.......<.


14:31:34.056199 IP 10.0.0.2.20001 > 74.81.92.92.20001: UDP, length 9
0x0000: 4500 0025 0000 4000 4011 8a19 0a00 0002 E..%..@.@.......
0x0010: 4a51 5c5c 4e21 4e21 0011 3d41 0900 1800 JQ\\N!N!..=A....
0x0020: 0232 3267 20 .22g.


14:32:16.210356 IP 65.254.57.90.20001 > 10.0.0.2.20001: UDP, length 9
0x0000: 4500 0025 f7d1 4000 3011 cd9c 41fe 395a E..%..@.0...A.9Z
0x0010: 0a00 0002 4e21 4e21 0011 c9e0 0900 1800 ....N!N!........
0x0020: 0202 b24c 3f00 0000 0000 e9a5 1d6f ...L?........o


14:32:16.210457 IP 10.0.0.2.20001 > 65.254.57.90.20001: UDP, length 9
0x0000: 4500 0025 0000 4000 4011 b56e 0a00 0002 E..%..@.@..n....
0x0010: 41fe 395a 4e21 4e21 0011 6896 0900 1800 A.9ZN!N!..h.....
0x0020: 0232 3267 20 .22g.

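Added example, not code from the original page nor from the D-Plus or D-Extra software: a small Python dissector for tcpdump -X output such as the capture above. It rebuilds each datagram from the hex columns, decodes the IPv4 and UDP headers, takes the payload length from the UDP header rather than from the dump (the inbound packets above carry 9 trailing bytes of Ethernet minimum-frame padding, which would otherwise be mistaken for payload), and lists every endpoint outside the local network that the module exchanged traffic with while unlinked. The 10.0.0.0/8 local range is an assumption taken from the 10.0.0.2 address in the capture; the embedded sample is the first two datagrams of the capture.

```python
"""Dissect tcpdump -X output of D-Plus traffic (UDP ports 20001-20005).

Added example, not part of the original page or of the D-Plus/D-Extra software.
Assumption: the repeater LAN is 10.0.0.0/8 (taken from the 10.0.0.2 address in the capture).
"""
import ipaddress
import re
import struct

LOCAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption, see module docstring
UDP_PROTO = 17

# Constructed sample: the first two datagrams of the capture above, verbatim tcpdump -X lines.
SAMPLE_DUMP = r"""
14:31:16.215268 IP 10.0.0.2.20001 > 65.254.57.90.20001: UDP, length 9
0x0000: 4500 0025 0000 4000 4011 b56e 0a00 0002 E..%..@.@..n....
0x0010: 41fe 395a 4e21 4e21 0011 6896 0900 1800 A.9ZN!N!..h.....
0x0020: 0232 3267 20 .22g.
14:31:34.055831 IP 74.81.92.92.20001 > 10.0.0.2.20001: UDP, length 9
0x0000: 4500 0025 0000 4000 2e11 9c19 4a51 5c5c E..%..@.....JQ\\
0x0010: 0a00 0002 4e21 4e21 0011 1747 0900 1800 ....N!N!...G....
0x0020: 02a1 30f2 4700 0000 0000 f0fb 3c86 ..0.G.......<.
"""

HEADER_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP \S+ > \S+: UDP, length \d+")
HEX_RE = re.compile(r"^0x[0-9a-f]{4}:\s+(.*)$")
HEX_TOKEN = re.compile(r"^[0-9a-f]{2,4}$")


def parse_tcpdump_x(text):
    """Group tcpdump -X lines into datagrams; returns (timestamp, raw IP packet bytes) pairs.

    Each 0x.... line carries at most 8 hex groups (16 bytes); whatever follows the hex
    groups is tcpdump's ASCII rendering and is skipped.
    """
    packets = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            packets.append((m.group(1), bytearray()))
            continue
        m = HEX_RE.match(line)
        if m and packets:
            for tok in m.group(1).split()[:8]:
                if not HEX_TOKEN.match(tok):
                    break  # reached the ASCII column
                packets[-1][1].extend(bytes.fromhex(tok))
    return [(ts, bytes(raw)) for ts, raw in packets]


def decode_ipv4_udp(raw):
    """Decode an IPv4/UDP datagram from its header length fields, so that Ethernet
    minimum-frame padding after the IP total length is reported, not treated as payload."""
    if raw[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    if raw[9] != UDP_PROTO:
        raise ValueError("not UDP")
    src = ipaddress.IPv4Address(raw[12:16])
    dst = ipaddress.IPv4Address(raw[16:20])
    sport, dport, ulen, _cksum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    payload = raw[ihl + 8:ihl + ulen]  # UDP length covers the 8-byte header
    if src in LOCAL_NET and dst not in LOCAL_NET:
        direction = "outbound"
    elif dst in LOCAL_NET and src not in LOCAL_NET:
        direction = "inbound"
    else:
        direction = "local"
    return {
        "src": str(src), "sport": sport, "dst": str(dst), "dport": dport,
        "payload": payload, "padding": len(raw) - total_len, "direction": direction,
    }


def external_peers(text):
    """Set of (ip, port) endpoints outside LOCAL_NET seen in the dump, i.e. the hosts
    a supposedly unlinked module is still exchanging datagrams with."""
    peers = set()
    for _ts, raw in parse_tcpdump_x(text):
        d = decode_ipv4_udp(raw)
        if d["direction"] == "outbound":
            peers.add((d["dst"], d["dport"]))
        elif d["direction"] == "inbound":
            peers.add((d["src"], d["sport"]))
    return peers


if __name__ == "__main__":
    for ts, raw in parse_tcpdump_x(SAMPLE_DUMP):
        d = decode_ipv4_udp(raw)
        print(ts, d["direction"], f'{d["src"]}:{d["sport"]} -> {d["dst"]}:{d["dport"]}',
              d["payload"].hex(), f'(padding {d["padding"]} bytes)')
    print("external peers:", sorted(external_peers(SAMPLE_DUMP)))
```

Run against the full capture above, the dissector reports the same two external hosts that the address lookups below identify, and shows that every outbound datagram carries the identical 9-byte payload 09 00 18 00 02 32 32 67 20. Pointed at port 30001 instead, the same tool is a straightforward way to verify the D-Extra behaviour described later on this page.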
 

So where is our information being sent?

We looked up these IP addresses and found the following:


Non-authoritative answer:
Name: opendstar.org
Address: 65.254.57.90


Address Range: 74.81.92.85 - 74.81.92.99 = interlabs.com

 

So what information is being sent, and why? The fact that each transmission on the local system triggers an outbound message, which in turn produces a return message, leads us to believe that the outbound request is a query to check whether the user is 'approved' to use the D-Plus infrastructure.

 

D-Extra:

There is no such mechanism in place with D-Extra. When D-Extra is disconnected from a remote reflector or other G2 system, no data is sent to any external server. Data on port 30001 (the D-Extra port) *only* flows during an active connection to a remote XRF reflector, another system running D-Extra, or a PC client connecting via a D-Extra client. The data sent on port 30001 is compliant with the D-STAR protocol: a 56-byte header (containing MyCall, URCALL, RPT1 and RPT2 info) followed by 27 bytes of audio data (voice plus text / GPS info). This is the only information that leaves a system running D-Extra.