“Baofeng Radio Remote Commands”?
There’s a consistent question that I get, either in emails or in class, about whether the Baofeng radios have any sort of ‘exploitable flaw’, i.e., a remote kill switch from the Chinese. This is something I addressed in Radio Contra Episode 41, stating in short that, no, there’s not.
I’ve got an OUTSTANDING post from a member over at the Brushbeater forum, diving much deeper into the issue than I did. And he’s spot on.
Evening all,
First, let me say that I truly enjoy RadioContra. As I stated in my first thread, I don’t have the military background that many here do, so listening to the podcasts and reading through American Partisan is a learning opportunity for me for that. I do enjoy the articles and podcasts, especially the communications topics around a military viewpoint or approach.
If I ramble, forgive me, I come from the technical above grammar side of life…
In Episode 41, around the 54 minute mark, NC Scout mentions a letter about the possibility of tracking and remotely killing the Baofeng radios. I can shed some light on this topic, as I have not only done full teardowns of them, but also a full reverse engineering job on quite a few of them. They do not have any “tracking” devices or even firmware in their radios, but they do have a few things in SOME of the models that could be a problem to users that want guaranteed control of their radios at all times.

The first of which is a “Stun, Kill, Revive” function that allows another person to remotely “Stun” the radio (remove the ability to transmit, but the radio can still receive whatever channel it was on before the “Stun” code was sent). They can also send a “Kill” command that stops the unit from transmitting OR receiving (at least putting any audio out, as the radio IS still listening for any different commands on that channel). The last command in the normal threesome is “Revive”, where the other person puts that radio back into normal operation.

These radios are actually used for commercial (business) use over in China, so they have cloned (stolen) a few of the major radio manufacturers’ “features” into their radios, as almost everything in the radio is built into software instead of built as hardware in the radio. As such, one of the features they cloned is the “Stun, Kill, Revive” function of a lot of the Japanese commercial radios. And the commands are similar: grab the attention of the specific radio, or group of radios (DCS, CTCSS, DTMF prefix…), and with one extra DTMF sequence, cause the remote radio(s) to “Stun, Kill, or Revive”. Some of the radios, like the tri-band UV-3X5, also have a “Monitor” command that allows you to remotely key up the transmit for 15 seconds to turn the radio into a room microphone, definitely not an OPSEC feature most want in a radio.
Not to mention that 15 seconds of keying up that you can’t control unless you pull the battery pack off can lead to a quick DF fix on your position if your enemy is in your area, or flying around (think UAV based SDR).
Again, not all of the Baofengs have this (or some of the other interesting features), but many do, and it all depends on what firmware each radio was born with as to which features work and which ones don’t. Honestly, your best option to see if your Baofeng has them is to try them from another radio. I have at least a few dozen of most of the different versions of the Baofeng radios as well as most of the other Chinese models that have come out. My main (non-SDR) radios are usually the main Japanese brands, but I do have a few others. Most of my equipment is SDR based, with most of that being my own designed and built equipment.
A LOT of people, including myself, LOVE using CHIRP to program the different radios they have. The issue is that CHIRP does not get into all of the more “odd” features that most of these radios have, but sticks with the general features and programming the memory channels. That is all well and good if that is all you need, and most times it is. The issue is that you don’t get to see some of the more “interesting” features that are built into each specific radio. And a LOT of the Chinese radios have different features for the same radio, all based on what version of firmware that exact radio is built on.

Note: The Baofeng CPUs have their firmware built in at their creation and don’t have an option to reload or upgrade the radio, which is why you can brick the Baofengs if you use the wrong settings on some models in CHIRP and not be able to get them back with the normal programming cable or even the factory programming system. CHIRP IS getting better about a lot of these different firmware versions/revisions, and CHIRP DOES have some of these features for the newer (more refined firmware) radios like the UV-3X5 (which does allow the modification of the Stun, Kill, Revive, Monitor (and other) remote functions).
A better description of the CHIRP UV-5X3 settings can be found here: baofengtech.com/wp-content/uploads/2020/08/Remote-Commands.pdf
The second topic is the tracking issue, with not just the Baofeng radios but all transmitters. While the Baofeng radios don’t have any designated “tracking” system in them, they DO have a rather “filthy” transmit, so transmitter fingerprinting is VERY effective with these radios, and should always be kept in mind if you are worried about SIGINT/ELINT being used against you. While terrestrial reception and fingerprinting is limited by line-of-sight signal propagation to the user’s radio horizon, you all need to know that there are at least two dozen satellite systems that monitor HF through SHF (and a few that do higher frequencies) around the world. Most of these satellite constellations are military/government, but there are more than a few that are commercial, and the data they collect, the recordings, and the True-Range Multilateration (TR-MLAT) data are available to ANYONE with a large checkbook. Information sells, but who is buying?
Two of the bigger companies to look into are:
Hawkeye360 (and a few global users of Hawkeye360 also use the Carbonite and Capella visual satellites to get eyes on their targets QUICKLY)
Kleos (Works alongside Spire for Worldwide AIS and SAR beacon signals but is NOT limited to those frequencies)
(and you might want to study what the bolded companies and their satellites have the capability to do…)
Loup
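The command structure Loupgarou describes (an attention prefix that selects one radio, then a short DTMF code that stuns, kills, revives, or hot-mics it) is easy to model, and the same decoder a radio uses to accept those codes is what you would run on a scanner or SDR audio feed to check whether anyone is sending them on your channel. The following is an added example, not code from Loupgarou’s post, from Baofeng, or from CHIRP. The unit ID “123” and the codes *1 through *4 are hypothetical placeholders (the real codes are in the Remote-Commands PDF linked below, not here); the 15 second monitor window is the figure from the post; the audio is synthesized rather than recorded; and the decoder is a plain Goertzel detector with a relative power threshold, no twist or harmonic checks.

```python
# Added example, not code from the original post: a Goertzel DTMF decoder plus a
# toy model of the Stun/Kill/Revive/Monitor behaviour the post describes. The unit
# ID prefix and command codes are hypothetical placeholders, not any real Baofeng
# code set, and the audio is synthesized here rather than recorded.
import math

FS = 8000                            # sample rate of the constructed audio, Hz
LOW = (697, 770, 852, 941)           # DTMF row (low) tones, Hz
HIGH = (1209, 1336, 1477, 1633)      # DTMF column (high) tones, Hz
KEYS = ("123A", "456B", "789C", "*0#D")
KEY_FREQS = {KEYS[r][c]: (LOW[r], HIGH[c]) for r in range(4) for c in range(4)}

UNIT_ID = "123"                      # hypothetical "attention" prefix for one radio
COMMANDS = {"*1": "stun", "*2": "kill", "*3": "revive", "*4": "monitor"}  # hypothetical
MONITOR_SECONDS = 15                 # forced-PTT window the post describes

def synth_dtmf(digits, tone_ms=60, gap_ms=40, amp=0.4):
    """Constructed audio: each key is a two-tone burst followed by silence."""
    out = []
    for d in digits:
        f_lo, f_hi = KEY_FREQS[d]
        for n in range(FS * tone_ms // 1000):
            t = n / FS
            out.append(amp * (math.sin(2 * math.pi * f_lo * t) + math.sin(2 * math.pi * f_hi * t)))
        out.extend([0.0] * (FS * gap_ms // 1000))
    return out

def goertzel(frame, freq):
    """Signal power at one frequency (Goertzel); cheaper than an FFT for 8 bins."""
    k = 2.0 * math.cos(2.0 * math.pi * freq / FS)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + k * s1 - s2, s1
    return s1 * s1 + s2 * s2 - k * s1 * s2

def decode_dtmf(samples, frame_ms=20, min_ratio=0.15):
    """Decode a DTMF key string from audio, one key per contiguous tone burst."""
    n = FS * frame_ms // 1000
    keys, last = [], None
    for i in range(0, len(samples) - n + 1, n):
        frame = samples[i:i + n]
        energy = sum(x * x for x in frame)
        key = None
        if energy > 1e-9:                                  # skip silent frames
            rows = [goertzel(frame, f) for f in LOW]
            cols = [goertzel(frame, f) for f in HIGH]
            r = max(range(4), key=rows.__getitem__)
            c = max(range(4), key=cols.__getitem__)
            ref = energy * n / 2    # score a single tone holding all the energy would get
            if rows[r] > min_ratio * ref and cols[c] > min_ratio * ref:
                key = KEYS[r][c]
        if key is not None and key != last:                # rising edge of a new burst
            keys.append(key)
        last = key
    return "".join(keys)

class RemoteControlledRadio:
    """Toy model of the behaviour the post describes; not Baofeng firmware."""

    def __init__(self, unit_id=UNIT_ID):
        self.unit_id, self.buffer, self.log = unit_id, "", []
        self.mode = "normal"                 # normal | stunned | killed
        self.forced_tx_seconds = 0           # > 0 while a monitor command holds PTT

    @property
    def can_transmit(self):
        return self.mode == "normal" or self.forced_tx_seconds > 0

    @property
    def audio_out(self):
        return self.mode != "killed"         # killed mutes audio but decoding continues

    def feed_digits(self, digits):
        """Match ID + code in the decoded keys; runs in every mode, including killed."""
        for d in digits:
            self.buffer = (self.buffer + d)[-8:]
            for code, action in COMMANDS.items():
                if self.buffer.endswith(self.unit_id + code):
                    self._apply(action)
                    self.buffer = ""
        return self.mode

    def _apply(self, action):
        self.log.append(action)
        if action == "monitor":
            self.forced_tx_seconds = MONITOR_SECONDS   # hot mic; mode unchanged
        else:
            self.mode = {"stun": "stunned", "kill": "killed", "revive": "normal"}[action]
            if action == "revive":
                self.forced_tx_seconds = 0

def over_the_air(radio, digits):
    """Key a DTMF string, decode it from the audio, and apply it to the radio."""
    decoded = decode_dtmf(synth_dtmf(digits))
    return decoded, radio.feed_digits(decoded)

if __name__ == "__main__":
    radio = RemoteControlledRadio()
    for seq in ("123*1", "999*3", "123*2", "123*3", "123*4"):
        decoded, mode = over_the_air(radio, seq)
        print(f"{seq!r} -> {decoded!r}: {mode}, tx={radio.can_transmit}, rx_audio={radio.audio_out}")
```

Running it walks a radio through stun, a command addressed to a different unit (ignored), kill, revive, and monitor, and shows the point the post makes about “Kill”: the speaker is muted but the decoder keeps running, so a revive code still lands. To use the decoder on real traffic, feed it 8 kHz mono float samples from your receiver’s audio output; the threshold is relative to each frame’s energy, so the audio level does not matter much, but a production decoder would also check tone twist and reject frames with strong energy outside the eight DTMF bins. The per-model defaults and the real command codes are not in this example; they are in the document linked below and in CHIRP for the radios that expose them.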
Tons of top-tier information in there- a caliber of work you don’t find anywhere else. We’re in the genesis of the forum and already it’s crushing it. Come join us.
16 Comments
Checkout Loupgarou’s second post on the forum. He expands on this subject more. I’ve got several questions that have left me wanting more. Such a tease! I’m going to be following this thread.
This is an excellent commentary mentioning several vulnerabilities I hadn’t seen mentioned here before or in the podcasts. To summarize some of the main points:
-Baofeng radios will generally have the ability to decode strings of tones (CTCSS, DTMF, etc.) and then have firmware execute actions in response. This depends on the radio firmware providing for that functionality as programmed at the factory. As mentioned by the author, these actions could include ‘hot mic’-ing the radio into a bug!
-according to author’s comments, the current ‘simple’ Baofeng dual band FM HTs aren’t architecturally capable of over-the-air firmware updates. In the past you could have said over-the-air programming required designed-in hardware features (that is, actual components on the printed circuit board to provide that firmware programming feature), but this becomes hazier with system-on-a-chip components that incorporate ever more of both the analog and digital circuitry on a single self-contained chip. This could apply to an SDR where almost all functionality (down/up conversion, amplification, demodulation, user interface, etc.) is incorporated on a single chip. This means it might be yet more difficult to examine the radio (reverse engineer) and know whether it can be manipulated via over-the-air commands. It’s also unlikely you could disassemble and examine the firmware as protection features have long been used on flash memory (for storing firmware) and are guaranteed to be present in military equipment and likely present in commercial equipment. Keep in mind APCO25 public safety radios or maybe higher-end DMR HTs definitely do have over-the-air programming capability allowing provisioning, loading encryption keys, and features to be added/removed.
-radio emissions can be ‘fingerprinted’ based on their unique spurious emissions (stuff in signal that isn’t needed but occurs because of inherent non-idealities in components and the design). Better radios will nearly always have lower spurious emissions (this improves signal-to-noise ratio in signal and transmit power efficiency)
-assume that low earth orbit sigint satellites, both us gov and commercial (something like ~400 miles up rather than the 25000 miles of a geosynchronous satellite) can intercept even your 5W Baofeng. This is another reason to use directional antennas and the lowest power required for a link.
Some stuff to add:
-us gov (specifically NSA but probably other agencies as well) has long had the capability to intercept shipped packages and then modify the shipped device. With the resources of the us gov it is trivially easy to modify the HT’s firmware (solder on a chip with new firmware or make a simple pin fixture to ‘poke’ into the chip’s programming interface) or just exchange it with an already modified radio. If the Baofengs are used by any adversaries we fight overseas, it’s likely the us gov already has a ‘library’ of attacks on tap. Presumably you’d have to be an important enough target for this capability to be used on you, but who knows?
-digitally networked devices generally have uniquely identifiable (as in unique on the whole planet!) ID(s), whether this is a cell phone, Ethernet, or WiFi radio. I assume this is true of DMRs (even if it’s not from the factory, you could probably modify firmware to introduce this ‘feature’) but don’t know this for a fact. This might be a reason to stick with simpler analog equipment. Keep in mind the nominally unique MAC addresses used on wired Ethernet or WiFi routers are easily spoofed. With more or less difficulty, other digital IDs could be spoofed as well. I imagine high end equipment could use a public key encryption scheme for ID, which would be very difficult to spoof.
-NSA has long had capability to ‘voice print’ audio. They’ve worked on speech analysis for many decades and the capability came to fruition in the 1990s with better algorithms and much more powerful computers. I would just assume this capability is possibly available to a us gov sponsored adversary. Use more anonymized message formats to avoid this capability.
Love it!
“-NSA has long had capability to ‘voice print’ audio. They’ve worked on speech analysis for many decades and the capability came to fruition in the 1990s…”
Just imagine what they’ve done with all the people blabbing on their cellular networks. I’m sure they already have everyone’s “number”. All that data stored forever just waiting to be used when it’s convenient.
They would have it just from you talking on your normal landline phone in the last 30-40 years.
Sending this out to all my fellow hams and preppers who may have that model. Not a good thing to have set up for sure. Thanks for sharing this. A good reason why we shouldn’t just trust radio manufacturers and should check everything we can.
Another comms security consideration: one of NCScout’s podcasts touched on the subject of built-in GPS on radios. Unless you have a means of adding a ‘hard’ on/off power switch to the GPS receiver, or something of equivalent effectiveness like disconnecting the GPS data output to the radio, I would consider not trusting any software enable/disable feature you find in the radio’s menu. The setting could be overridden by firmware and you wouldn’t know that you’re now carrying an involuntary location beacon! Something like a Yaesu VX-6R might avoid several potential security vulnerabilities. I assume it was never designed as a public safety radio and has no terrible “Stun, Kill, Revive” features as Loupgarou discusses above. It should also have lower spurious emissions than a Baofeng and has no built-in GPS. Over-the-air firmware updates aren’t an option (neither are they on a UV-5R).
So correct me if I’m wrong, as someone who is just now looking to set up comms:
I’d have to be a dumbass to buy Baofengs given the Chinese firmware with built in GPS tracking – correct?
They do not have GPS tracking. FWIW I love them, especially considering the cost and simplicity.
Baofengs have many purposes, including just listening, even if you weren’t transmitting on them. Or handing out as emergency radios for some impromptu group just trying to get where. I’d think if you’re more focused on just surviving like me, your profile shouldn’t matter; if people were planning something not entirely legal, there would be theoretical risks of identifying individual transmitters and people. GPS or not, direction finding for VHF transmitters is not too difficult, so even having no GPS doesn’t mean you’re safe. Plus simply learning how to use ham radio in the first place, including things like antenna physics, matters, even if later you were to use a different radio for something important.
With what people spend on gear, needing to use a $25 Baofeng instead of a $100-200 more compact, more capable Yaesu with its added digital modes and such probably is not the end of the world. Consider it for learning ham radio, backups, emergencies, more than your sole exclusive only tool for the job of communication.
I have a number of Baofeng HTs as well and like them. I would just take to heart the potential security vulnerabilities discussed here. If you’re in a high stakes situation and don’t know for a fact that your firmware cannot remotely hot mic the radio, maybe shut off the power. The Baofeng rotary power switch/volume feels like a standard ‘hard’ on/off switch with potentiometer, but I would confirm this, too, by examining it or asking a credible source. It would be very unusual for this to be a ‘soft’ (firmware monitored) power switch, however. Don’t ever fully trust ‘soft’ on/off controls like the type that are universally present on tablets, smart phones, and old flip phones, too. These still have low power, always-on circuitry that could potentially wake up the device at any time.
My Baofeng has a very handy “hard off” button. It’s on the top rear, and ejects the battery. That’s why we have all those extra pockets.
I went to the link in the last part of the article and was shown:
In accordance with Section 25(a) of the Proboards terms of service this forum has been taken offline
Just an FYI.
Yeah, thank you.
There’s a whole post about what happened and a podcast as well.