[aprssig] Authentication over APRS was: Ab)Use of APRS for telemetry? Anyone doing it?

Tyler Allison tyler at allisonhouse.com
Mon Dec 6 13:08:05 EST 2004

>> On APRS it might look something like this:
>> 1) User sends 'login' message to Server
>> 2) Server responds to user with 'challenge' message
>> 3) User uses the contents of the 'challenge' message to generate the OTP.
>> 4) User sends OTP to server along with command(s) to run
> A malicious user, upon hearing step 2, could then jam the server (e.g.,
> with a strong directional signal), intercept the command+OTP message,
> substitute another command, and pass it along to the server when it stops
> the jamming. It's even easier to do if the command signal has to go
> through a digipeater.

Obviously...one of the reasons OTP went out of favor on the Internet. :)

> What you really want is a message authentication
> code that hashes the content of the message as well, so that any change
> would be detectable.

True. Though potentially harder to develop if you simply want to tinker.
Highly recommended if you intend to release it to the public.

> This still leaves you vulnerable to replay attacks, where someone just
> copies a valid command sequence off the air and resends it later.

Once the particular OTP has been used, the server will not accept it in
the future. No replay vulnerability. The other ones you mention are valid
of course.

> The
> challenge/response scheme is probably the easiest way to go, as long as
> you've got a fairly reliable two-way link.

If you simply want someone to not be able to open your garage door or turn
your lights on an OTP system seems as 'reasonable' risk. If you intend to
launch ICB missles...then no :)  Compare risk to effort.

For me, if I developed such a thing and found a local ham turning my
lights off an on for kicks I'd probably laugh about it and then use it as
direction finding practice. Then buy the guy a beer! :)


"When you earnestly believe you can compensate for a lack of skill by
doubling your efforts there's no end to what you can't do." - Despair.com

More information about the aprssig mailing list