[aprssig] Security for the aprs protocol and software

Curt, WE7U archer at eskimo.com
Sun Aug 23 14:30:25 EDT 2009


On Sun, 23 Aug 2009, William Gery wrote:

> First, the APRS radio transmission. The APRS protocol as received by a
> TNC and software looks to be immune from accepting anything but a valid
> APRS packet. Are there any special precautions that should be taken?

Generally the packets are parsed by the software and rejected if
they don't match the published protocol.  There most likely exist
bugs in some parsers that will either accept bad packets or reject
good ones.  Over time more are found and the software gets
better/more robust.  I don't believe there's an exhaustive set of
test data out there that can be run against any particular client to
see how they fare, but it'd be a really nice thing to have in the
toolbox.


> Both UI-View and Xastir permit radar data and also weather warnings to be
> displayed. This requires the APRS system to be connected to the Internet.
> The data received from the Internet server is the APRS protocol.  Is
> there a way that this data stream could be compromised?

Since I'm an open-source kind'a guy, I'll respond on the public
mailing list.  My first thought was to respond privately but it's
probably for the betterment of the system if I don't.

Regarding the internet servers:  Yes, they can be compromised.
Very few systems on the internet cannot.  In order to be truly
secure you'd probably have to run VPN and some form of Kerberos
authentication to authenticate the user, the client machine, and the
remote machine.  The APRS-IS is not set up for that sort of
authentication.

What we have is a callsign/password scheme with a published
algorithm in C.  I've used that published algorithm directly in
C-code, and have written another form of it in Perl.  It wasn't
difficult.  I wouldn't consider our user authentication system
secure, nor would the person who originally wrote it.

What I'm saying here is that I can claim to be anybody I wish, and
can do that with software I have installed right here, right now, on
this computer (and nearly every other computer I own).

The sites the radar/weather info come from could have their DNS
hijacked as well, directing the queries to another system, but I
don't know enough about that sort of thing to know how safe the
average site may be against that.  I'm one of the white hats, not a
black hat, plus not a security expert.  I know just enough to know
what to be scared of.


> Based on the information we received we will be able to address the
> options and continue to use APRS to meet the NWS mission.

Good luck with that, and let our team of Xastir developers know what
we can do to help.

Curt, one of 'dem Xastir guys...

-- 
Curt, WE7U.                         <http://www.eskimo.com/~archer>
    APRS:  Where it's at!                    <http://www.xastir.org>
   Lotto:  A tax on people who are bad at math. - unknown
Windows:  Microsoft's tax on computer illiterates. - WE7U.
The world DOES revolve around me:  I picked the coordinate system!"
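
The reply above notes that parsers reject packets that do not match the published protocol, and that a shared set of test data to run against clients would be useful. The following is an added example, not part of the original post and not Xastir code: a strict header check for TNC2-format lines plus a small constructed corpus. The names `check_packet`, `CORPUS` and `run_corpus` are hypothetical, and it assumes RF-side AX.25 address rules only.

```python
import re

# Assumption: AX.25-style addresses (1-6 uppercase alphanumerics, optional SSID
# 0-15). APRS-IS q-constructs and other wider forms are not modelled here.
ADDR = re.compile(r"[A-Z0-9]{1,6}(?:-(?:1[0-5]|[0-9]))?")
MAX_PATH = 8      # AX.25 allows at most 8 digipeater addresses
MAX_INFO = 256    # AX.25 information field limit in bytes

def check_packet(line: bytes):
    """Return (ok, reason) for one TNC2-format line 'SRC>DST,PATH:info'."""
    if b"\r" in line or b"\n" in line:
        return False, "line terminator inside packet"
    header, sep, info = line.partition(b":")
    if not sep:
        return False, "no ':' between header and information field"
    if not 1 <= len(info) <= MAX_INFO:
        return False, "information field empty or too long"
    try:
        text = header.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII byte in header"
    src, gt, rest = text.partition(">")
    if not gt:
        return False, "no '>' after source address"
    dst, *path = rest.split(",")
    if len(path) > MAX_PATH:
        return False, "more than 8 path elements"
    # A trailing '*' marks a digipeater that has already repeated the packet.
    addrs = [src, dst] + [p[:-1] if p.endswith("*") else p for p in path]
    for a in addrs:
        if not ADDR.fullmatch(a):
            return False, f"bad address {a!r}"
    return True, "ok"

# Constructed test corpus: (packet, expected verdict).
CORPUS = [
    (b"N0CALL-9>APRS,WIDE1-1,WIDE2-1:!4903.50N/07201.75W-Test", True),
    (b"N0CALL>APRS,N0CALL-1*,WIDE2-1:>status text", True),
    (b"N0CALL>APRS", False),                       # no information field
    (b"N0CALL-16>APRS:>bad SSID", False),
    (b"TOOLONGCALL>APRS:>bad source", False),
    (b"N0CALL>APRS:" + b"A" * 300, False),         # oversized info field
    (b"N0CALL>APRS:>line one\r\nN0CALL>APRS:>second line", False),
    (b"N0CALL>APRS," + b",".join([b"WIDE1-1"] * 9) + b":>long path", False),
]

def run_corpus(check=check_packet):
    # Return the corpus packets on which `check` gives the wrong verdict.
    return [pkt for pkt, want in CORPUS if check(pkt)[0] != want]
```

Passing another client's parser as `check` to `run_corpus` lists the packets it accepts or rejects wrongly under these assumptions.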
