[aprssig] Secutiry for the aprs protocol and software

[William Gery]

Thanks to all that have responded, This is providing good information to
help with this project.

I understand that any system on the Internet can be compromised. That
brings this question to mind. 

If an Internet APRS server is compromised, could the APRS data stream be
used to compromised other systems receiving APRS data from the affected
system.  If the answer is no,  then the NWS could connect to APRS
Internet servers and exchange data. We have a policy that would permit
this.  

Again thanks

Bill

On Sun, 2009-08-23 at 11:30 -0700, Curt, WE7U wrote:
> On Sun, 23 Aug 2009, William Gery wrote:
> 
> > First, The APRS radio transmission. The APRS protocol as received by a
> > TNC and software looks to be immune from accepting any thing but valid
> > APRS packet. Are there can special precaution that should be taken ?
> 
> Generally the packets are parsed by the software and rejected if
> they don't match the published protocol.  There most likely exist
> bugs in some parsers that will either accept bad packets or reject
> good ones.  Over time more are found and the software gets
> better/more robust.  I don't believe there's an exhaustive set of
> test data out there that can be run against any particular client to
> see how they fare, but it'd be a really nice thing to have in the
> toolbox.
> 
> 
> > Both UI-View and Xastir permit radar data and also weather warning to be
> > displayed. This requires the APRS system to be connect to the Internet.
> > The data received from the Internet server is the APRS protocol.  Is
> > there a way that this data stream could be compromised ?
> 
> Since I'm an open-source kind'a guy, I'll respond on the public
> mailing list.  My first thought was to respond privately but it's
> probably for the betterment of the system if I don't.
> 
> Regarding the internet servers:  Yes, they can be compromised.
> Very few systems on the internet cannot.  In order to be truly
> secure you'd probably have to run VPN and some form of Kerberos
> authentication to authenticate the user, the client machine, and the
> remote machine.  The APRS-IS is not set up for that sort of
> authentication.
> 
> What we have is a callsign/password scheme with a published
> algorithm in C.  I've used that published algorithm directly in
> C-code, and have written another form of it in Perl.  It wasn't
> difficult.  I wouldn't consider our user authentication system
> secure, nor would the person who originally wrote it.
> 
> What I'm saying here is that I can claim to be anybody I wish, and
> can do that with software I have installed right here, right now, on
> this computer (and nearly every other computer I own).
> 
> The sites the radar/weather info come from could have their DNS
> highjacked as well, directing the queries to another system, but I
> don't know enough about that sort of thing to know how safe the
> average site may be against that.  I'm one of the white hats, not a
> black hat, plus not a security expert.  I know just enough to know
> what to be scared of.
> 
> 
> > Based on the information we received we will be able to address the
> > options and continue to use APRS to meet the NWS mission.
> 
> Good luck with that, and let our team of Xastir developers know what
> we can do to help.
> 
> Curt, one of 'dem Xastir guys...
> 
-- 
William Gery - KA2FNK


Regional Systems Manager
National Weather Service
Central Region Headquarters
7220 NW 101st Terrace
Kansas City, MO 64153-2371