Routers

Hello Friends,

It's been a while, and this topic has surfaced before here on the site; however, I have never really dived into it. As a working and certified security professional, I felt it was time to share some thoughts on the topic.

Today we will focus specifically on radio network security. With the advent of Software Defined Radio and networked radios come new dangers as well. Because cybersecurity can be so complex to understand, I will attempt to put this all in plain Joe Ham terms. After all, many view security as a nuisance until they fall victim.

The internet is literally full of bots. A bot is essentially a program running on a hacker's computing infrastructure (or even your own computer, if you have been infiltrated) with the intent to perform reconnaissance (looking for vulnerabilities). Some bots take action on the vulnerabilities and attempt to take command and control of whatever device they find. A vulnerability is a known weakness that can be exploited by a bad actor. A bad actor is a threat. The actor's likelihood of exploiting your vulnerability represents risk.

It is not simply other computers that can be used as bots or spies. It can be baby monitors, microwave ovens, basically any internet-connected device. Regretfully, the vast majority of these devices have been engineered with little to no security, making them highly vulnerable targets. Estimates project that over a quarter of the traffic on the internet today is made up of bots.

Once a bot establishes a foothold in a network, such as a business's or your home's, it can use that access to perform even more reconnaissance, since the device it has taken over is more often than not a trusted device in your network. There really is no limit to what can happen from there: ransomware on TVs, tablets, computers, etc. Sadly, these attacks can be politically motivated. This type of control can lay dormant on your network, infecting devices and waiting for nation-state bad actors to trigger mass chaos.

Yes, I know doom and gloom sounds horrible and often unrealistic; however, let me tell you by example why it can be so very real in today's world. Let's say Russia or China wants to completely disrupt America as a show of force and punishment for sanctions.

How would you feel if suddenly most of the devices in your modern home were bricked? Bricked means that the bad actor simply overwrites the core operating system in your device to render it completely useless. It can even make factory resetting the device impossible, i.e. it can make all of it trash and worthless. They can corrupt your thermostat, alarm systems, etc. So much of today's home is network connected that a tremendous amount of damage to a home could be perpetrated through the internet.

So now that your devices are dead, your network connectivity is dead, and everyone else's homes and businesses are largely dead, that bad actor who has stolen hundreds of millions of users' credentials uses them in a coordinated banking attack and drains personal and business banking accounts on a mass scale. I will stop there by saying you can write the rest of the story, with power grids, water infrastructure, etc. all being crippled, resulting in isolation, inability to know what is happening, and then mass hysteria.

For Joe Ham, perhaps you only care about how it impacts your pursuit of happiness in the ham radio space. Just like you might protect yourself from lightning ruining your equipment, you might want to make an investment of time and some money to reduce your risk of a damaging cyber incident. Keep in mind it may not be your radio they are after; it may simply be that your radio uses vulnerable parts whose vulnerabilities the hacker or bot finds and exploits.

What can you do about it? That is the question now that you know how real it is and why you should care.

The cybersecurity CIA triad is a great first concept to grapple with. 

(Image: Triad.png, the CIA Triad)

Above we see the CIA Triad. You maintain availability through confidentiality and integrity. First off, it starts with yourself. You must be aware of the risks that exist out in the world. Punishing malware is delivered in a multitude of ways: ads on the internet (click bait), e-mails with links disguised as coming from a trusted source, and of course weaknesses in your network and device security. We don't have time to discuss all of this today, so let's focus on vulnerabilities in general and on our network. For the human element, strive to learn more about cybersecurity. I will post some links for heightened awareness throughout this post.

https://www.youtube.com/watch?v=11_Hp5Dvx5E

Let's look at a typical ham's home network.

(Image: Network1.jpg, a typical unsecured home network)

You have an internet provider that provides a box; it has integrated WIFI and typically a built-in switch where you can connect devices via LAN cabling. Perhaps you're like me and your ham station doesn't sit in the best WIFI location, so you run a LAN cable to your station, put in a switch, and connect up your computer and radio(s) as depicted. The switch facilitates internal communications, and internet traffic goes out the ISP's router. Regretfully, these ISP routers more often than not provide minimal security. While you probably have antivirus on your computer, and maybe even on your phones and tablet if you're savvy, your other devices often have nothing and for all practical purposes are fully exposed to the internet.

What you may not realize as well is this: a lot of modern radios use an industrial operating system such as UNIX or POSIX, Android, and sometimes a lite Windows OS. Hackers are working daily to exploit these operating systems, as they are easily accessible and easily hacked. In fact, there are bots already programmed to exploit these technologies, and they are out by the millions scouring the internet looking for these devices to establish a foothold or, in some cases, just to maliciously harass people.

What else can you do then?

Let's look at a more secure setup. This is where it gets deeper, so if you need a cup of coffee, now is the time to take a break.

We are going to talk about adding a firewall and creating isolation between the different types of devices in your home and shack.

This also includes some switches and a way to enhance WIFI and WIFI security. So buckle up, here we go!

(Image: Network2.jpg, the more secure setup)

Let's discuss our goals first:

Performance – we want the best possible speeds and to maintain a highly available setup.

Security – we want to keep the bad guys out but keep the setup clean and easy to maintain.

The first step is to add a firewall and attach it to your modem/router. The choice of a firewall is something we will discuss as you see how we deploy it here.

In this example I am using a small-business-grade firewall. What do we want to consider when purchasing your firewall?

  • Does it provide intrusion protection?
  • What types of protection does it provide?
  • Does the company maintain its protection with fast updates?
  • What speeds does it support when it's in its full protection mode?
  • How will it be set up and maintained, i.e. is there readily available support and education?
  • When is it projected to go end of life and become unsupported?
  • How much does it cost, and what is the cost of subscriptions to protection services?
  • What country is it made in and supported by?
  • Can you configure it to support your needs?

Do your research here and make sure you understand all the implications, as this will be a substantial investment and it is easy to get burned. Sticking with a known, reputable vendor is more expensive but often the best way to go. You get what you pay for on these, for the most part, with reputable known vendors. Many of the prosumer models don't have sufficient configuration capability. A few brands you can explore are Palo Alto, Fortinet, and Cisco, as well as others.

When you have chosen your firewall, you will install it between your ISP (Internet Service Provider) modem/router and the entirety of your network. This means that the ISP-supplied WIFI should NOT be used, because it is on the wrong side of your firewall. This means buying a WIFI router and potentially extenders, depending on your home. I have 3 floors in my home, so I have a total of 5 WIFI access points. They are in a mesh setup and help each other keep a strong signal inside the home.

One unfortunate consequence of adding a firewall is that, unless you're really willing to spend some money, in full protection mode it will drop your speed down. My firewall, for example, drops my speeds down to 300-800Mbps versus the full 1-2Gbps capability of my fiber connection. This is a consideration for you as you buy your firewall and also decide what ISP speed you really need.

Each firewall (FW) is different in how it is administered, so we will discuss high-level concepts. Within your home network it is best to keep isolation between certain device types. Here is an example of how you might divide these up.

VLANs (Virtual LANs) are a way to divide up traffic on your network and provide potential isolation between traffic types. There are several complexities you could get into; however, I am going to take the simple approach here as a way for you to get started.

Device types, VLAN number, and comments:

  • Guest Network (VLAN 1): You don't want guests to have access to any other part of your network. It's best to create a GUEST WIFI SSID for them that gives their device access to the internet only.
  • Internet of Things Entertainment (VLAN 2): This segment could be set up with its own SSID as well, allowing TVs, internet radio, tablets, cell phones, etc.
  • IoT Appliances (VLAN 3): Home appliances with internet access, stoves, fridge, etc.
  • Surveillance (VLAN 4): Doorbell cameras, security cameras (Nest/Ring), Google and Alexa may be placed here depending on what they are used for. If they control outlets, lights, etc., then also put those here as well. VLANs 2, 3 and 4 might all have to be on one VLAN.
  • Home Computers (VLAN 5): You could have all your computers here.
  • HAM Network (VLAN 6): All your radios and radio-related computers.
  • Other (VLAN 7): Create as many as you need and are practical.

Some of this segmentation you will do with wireless SSIDs. Remember, if possible, hide all the SSIDs on your network. You can keep a chart of what you assigned to what in case you need to make changes or add new devices. It's not smart to openly allow visibility of these, as anyone parked outside or near your home could potentially join and hack your home network. The less you reveal, the more secure you become. Password protect all WIFI SSIDs. If you don't, it's like leaving the front door of your home unlocked.

If all you need is wireless, then a lot of this can be simplified. The traffic comes into your modem/router, to your firewall, to your wireless network, and then goes to the proper device network. You can activate full firewall protection and have some semblance of safety.

Let's look at our home network again:

(Image: Network2.jpg, the more secure setup)

You will notice a dotted line between the firewall and the G5 switch. What is being done here is that the radios are put on their own dedicated switch. A second network connection from each controller PC is also connected to that same switch. This network has no internet access and is not controlled by the firewall. This means it will run at the switch speed, 1Gb. The PC firewall controls access to the PC from the radios and other PCs, if you have them. Using the switch this way, you can get very good performance between your radios and PCs without exposing them. If you have one radio and one PC, a switch really isn't needed; just connect the radio to a LAN port directly on your PC. Remember, you can buy USB-to-Ethernet adapters if you don't have the ability to add a second port to your PC directly. These work very well if you choose a good brand.

Keep in mind, though, that if you want to remotely access your radio from the internet, it will have to have a path, and isolating it won't work. Opening up your radio to the internet poses several added risks. If you're going to do it PC to PC via VPN, then the addition of a VPN adds a new attack vector for hackers to exploit. Despite advertising that VPNs secure you, providing the illusion of safety, many horrific hacks have come from VPN vulnerabilities. To this end, use a reputable VPN service and/or firewall whose vendor regularly maintains their VPN software. If you are just hanging your radio off your ISP modem, well, uhmmm, it's like making yourself open to anyone who wants to violate you.

On a quick sidebar, I would like to elaborate a little more on how the wireless side can also have dedicated switches. A lot of routers today offer an uplink connection. I use these where I have clusters of IoT devices, such as entertainment centers with network connections on streaming devices. It makes it easy to connect them all and reduces the number of devices connecting to your Wi-Fi network.

Keep in mind that often the goal can be as simple as gaining persistent access and monitoring all your internal activity, lying in wait for an opportunity to really get something good with which to exploit you.

As for laptops, phones, or any device with a camera, make sure you cover the camera when not in use. Hackers commonly exploit these devices to watch people and gain compromising video or audio. Yes, it's truly become an awful world on the internet.

Some of the pros and cons I have discussed above of having the radios isolated really need to be evaluated in terms of risk. Remember, bots are looking, and they explore all IP addresses. Bots likely look at your home network every hour if you add them all up. If you have a firewall, you can potentially start to see this activity. Again, it's not about you; it's about your network and the devices it can see and then exploit, and then what they do next depending on what they find.

The isolated network you can create for your PCs and radios can also be used for special communications. I use a KVM solution that allows me to seamlessly share my keyboard with multiple PCs in real time. The isolated network is perfect for this. My network-attached storage resides only on that network.

A few more principles of security I would like to share fall along the lines of reducing your risk.

  • Don't leave devices on unless they need to be on 24x7. The less they are on, the less likely they are to be exploited.
  • Make sure you make backups that are not online; many attackers tank your backups, if they are available, before they drop the ransomware demands. No backup means that, if there is something you value, they have more leverage on you to make you pay.
  • Windows on its own has 64000 ports available; don't leave ports open on your firewall unless you really need to. Think of each port as a door to your world. You really don't want to have to keep an eye on all 64K doors 24x7.

Here are some of the most common ones:

Port number and usage:

  • 20: File Transfer Protocol (FTP) data transfer
  • 21: File Transfer Protocol (FTP) command control
  • 22: Secure Shell (SSH)
  • 23: Telnet, remote login service, unencrypted text messages
  • 25: Simple Mail Transfer Protocol (SMTP) e-mail routing
  • 53: Domain Name System (DNS) service
  • 80: Hypertext Transfer Protocol (HTTP) used in the World Wide Web
  • 110: Post Office Protocol (POP3) used by e-mail clients to retrieve e-mail from a server
  • 119: Network News Transfer Protocol (NNTP)
  • 123: Network Time Protocol (NTP)
  • 143: Internet Message Access Protocol (IMAP) management of digital mail
  • 161: Simple Network Management Protocol (SNMP)
  • 194: Internet Relay Chat (IRC)
  • 443: HTTP Secure (HTTPS), HTTP over TLS/SSL

If you can get by with the ones in green, that's all I recommend you keep open on your firewall. If you have a PC-based e-mail client such as Outlook, you may need others. If you use web mail, then you won't need others. A good firewall will be great at watching for malicious traffic on these few ports that are opened, so you can browse the internet securely.
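To tie the VLAN split from the table above together with the short port allow list just discussed, here is an added Python example (mine, not code from NI0Z's post) that models the default-deny policy a firewall would enforce and audits a few constructed traffic flows against it. It assumes one /24 subnet per VLAN, that only the home-computer VLAN may reach the ham VLAN, and that only DNS, HTTP, HTTPS and NTP are allowed out to the internet; adjust those to your own chart.

```python
from ipaddress import ip_address, ip_network

# Added example, not code from the original post. VLAN ids are the ones in the
# post's table; the subnets, the port allow list and the single inter-VLAN
# exception are assumptions made here.
VLANS = {
    1: ip_network("192.168.1.0/24"),   # Guest
    2: ip_network("192.168.2.0/24"),   # IoT entertainment
    3: ip_network("192.168.3.0/24"),   # IoT appliances
    4: ip_network("192.168.4.0/24"),   # Surveillance
    5: ip_network("192.168.5.0/24"),   # Home computers
    6: ip_network("192.168.6.0/24"),   # Ham network
}
# Outbound ports a web-mail-only home needs, from the post's list: DNS, HTTP, HTTPS, NTP.
INTERNET_PORTS = {53, 80, 443, 123}
# The only cross-VLAN flow assumed here: home computers managing the ham gear.
INTER_VLAN_ALLOW = {(5, 6)}

def vlan_of(addr):
    """Return the VLAN id an address belongs to, or None for internet addresses."""
    ip = ip_address(addr)
    for vid, net in VLANS.items():
        if ip in net:
            return vid
    return None

def is_allowed(src, dst, dport):
    """Default deny: permit only the internet allow list and explicit VLAN pairs."""
    s, d = vlan_of(src), vlan_of(dst)
    if s is None:          # unsolicited traffic from the internet never comes in
        return False
    if d is None:          # outbound to the internet only on the allow list
        return dport in INTERNET_PORTS
    if s == d:             # same segment: switched locally, firewall not involved
        return True
    return (s, d) in INTER_VLAN_ALLOW

def audit(flows):
    """Return the (src, dst, dport) flows the policy would block."""
    return [f for f in flows if not is_allowed(*f)]

# Constructed sample flows; the internet side uses documentation address ranges.
SAMPLE_FLOWS = [
    ("192.168.1.20", "198.51.100.4", 443),   # guest browsing: allowed
    ("192.168.1.20", "192.168.6.10", 22),    # guest to radio SSH: blocked
    ("192.168.4.7", "192.168.5.3", 445),     # camera to home PC: blocked
    ("192.168.5.3", "192.168.6.10", 80),     # PC to radio web UI: allowed
    ("203.0.113.9", "192.168.6.10", 23),     # internet to radio telnet: blocked
    ("192.168.2.5", "198.51.100.4", 25),     # TV sending mail out: blocked
]
```

Running `audit(SAMPLE_FLOWS)` lists the four flows the policy blocks, which is the kind of check worth doing on paper before you commit rules to a real firewall.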

While I could go on and on about security, we would rapidly get out of the realm of Joe Ham, so we will leave it at this. Never grant more access than is needed. Reduce exposure time by leaving unused devices off if you can. Protect backups of your most valuable data off-line. I strongly advise you to look into getting a serious firewall. Make sure your PCs, Macs, tablets, and phones have top-notch endpoint protection on them for malware, ransomware, virus, and intrusion protection. Look into identity and credit protection. Seriously, make your passwords much more difficult by using odd phrases you can remember, changing some letters to numbers (like using a 3 in place of an E), or using punctuation somewhere in the middle. Yu^^myLo!!iPops# is an example. Moving from 8 characters or fewer to 14 characters or more radically increases the time it takes to crack your password, from minutes to years. Change them often as well, and try your best not to use them in multiple places. If they get one and you have used it everywhere, then they will have access to your everything.

That’s it for this time my friends!

73 de

NI0Z