Foundations of Amateur Radio

The other day I took delivery of a shiny new circuit board populated with components and connectors. Knowing me, you'd assume that I'd been the recipient of some kind of software defined radio gadget and you'd be right. One of the connectors was a micro USB socket, intended to be used to plug the hardware into a computer and to drive the circuit board.

The board came to me by way of a friend who saw it online, waxed lyrical about it and for less than $35, who could begrudge this exploration into a new toy? Once it arrived, it sat on my shelf for a few weeks, enticingly packed in an anti-static bag, transparent enough to see the device inside, taunting me to open it up, plug it in and have some fun.

Today I opened it up and started researching my new gadget. It didn't come with any user manual, no URL, no model number, but it did have a callsign on it, so I started there. I'll note that I'm not going to repeat that callsign here for a number of reasons, which I'll get to.

My exploration discovered a site where this device was being sold. It also unearthed several international amateur radio forums describing what appeared to be this device, including circuit diagrams and specifications. What I found harder to discover was software. It appears that I have a clone of a device that may still be manufactured, or not, I cannot tell. I found some example code on GitHub for the original hardware, but it seemed to require other libraries and didn't actually specify those anywhere.

I opened up an online translation tool and started translating some of the wording on the circuit board in an attempt to discover just what information was written on the board. The wording was clearly from a different culture, a different perspective and while it claims to come from a maker space that appears to promote women, it also contained a militaristic phrase which caused me to pause.

In that moment I came to a sudden and abrupt realisation.

How do I know what this piece of hardware actually does? How do I know if when I plug it into the first available USB socket on my computer, it won't install anything nefarious, start connecting to the internet and start doing something unexpected?

There's enough hardware on the circuit board to do that and even if the labels on the components tell me that they are a specific integrated circuit, how do I know that it actually is that chip? The chips on this circuit appear to have a lot more connectivity than a simple receiver might warrant. One has 40 pins, the other 32. If the label is accurate, the data sheet for one of the chips indicates that it includes an 8-bit microcontroller among its various functions.

I'll admit that I'm coming at this from an IT security background and you are free to argue that I'm being paranoid, but does that make me wrong?

I know that I don't know enough about this particular board or its origins, so for now it's going to remain inside its anti-static bag, taunting me with the possibilities of the connectors it offers, but until I know more about the provenance of this gadget, it's going nowhere near any of my computers.

If you have suggestions on how to proceed, don't be shy. I did briefly consider plugging it into a Pi, but how would I know if it updated the firmware, forever compromising that Pi?

Don't get me wrong, I'm not saying that this board does any of this. My point is around discovering if it does, or not, one way or another. No doubt some might think I'm overly suspicious and there is truth in that, but in my profession it pays to be vigilant.

The underlying issue is that of validation. There's anti-virus software available to deal with malicious code, but how do you do such a thing for malicious hardware? Again, I'm not saying that this circuit board is doing anything other than being a USB connected receiver, but how would you know? How would you verify that?

And how do we in the amateur community weed out the nefarious tools from the legitimate ones?

I'll leave you with one thought. When was the last time you plugged your phone into a free charger on the bus or at the airport? How do you know that your phone wasn't hacked?

I'm Onno VK6FLAB