Welcome to the new FlexRadio Community! Please review the new Community Rules and other important new Community information on the Message Board.
If you are having a problem, please refer to the product documentation or check the Help Center for known solutions.
Need technical support from FlexRadio? It's as simple as Creating a HelpDesk ticket.

How secure is SmartLink?

KC8P
KC8P Member ✭✭
edited June 2020 in SmartSDR for Windows
Is SmartLink secure? Yes. Connection to your radio is facilitated using a secure authentication process through a secure server using industry standard token passing. Communication and control messages between your radio and its client system (SmartSDR for Windows or Maestro, for example) occurs over a secured Internet communications channel using SSL/TLS encryption.

Can you disclose more specifics? It is a very generic response. What do you mean by "industry standards"? What level of encryption is used in SmartLink? AES? What is the key size 128 or 256? Is the transport layer TLS 1, 1.1 or 1.2?

Thank you
Mario
KC8P

Answers

  • Ken Hansen
    Ken Hansen Member ✭✭
    edited January 2019
    No offense, but I'm curious about the concern, are you expecting someone to try and hack into your radio and brute-force it to transmit? In a similar vein, what security levels do other remote control protocols/applications use - remotehams, HRD, RS-BA1, Kenwood applications, etc.? I suspect SmartLink bests them all, even at moderate levels of the cited technologies.
  • L.Kubis
    L.Kubis Member ✭✭
    edited August 2019
    Isn't connecting UPnP to the outside world making ones home system less secure?

    Lloyd
    VE3ERQ
  • Ken Hansen
    Ken Hansen Member ✭✭
    edited June 2018
    Upnp opens needed ports, so yes, it lowers the security versus having the ports closed, but it's a trade-off, and the idea is the software on those now-open ports can handle themselves properly under malicious attack. It opens an attack vector, but in theory it also manages any possible attacks.
  • Ross - K9COX
    Ross - K9COX Member ✭✭
    edited June 2020
    The Russians, Chinese, and N Koreans are listening to my all important QSO's
  • Tim - W4TME
    Tim - W4TME Administrator, FlexRadio Employee admin
    edited July 2017
    From the FAQ:

    "Connection to your radio is facilitated using a secure authentication process through a secure server using industry standard token passing.  Communication and control messages between your radio and its client system (SmartSDR for Windows or Maestro, for example) occurs over a secured Internet communications channel using SSL/TLS encryption. The transmit data that would go out on the air and received audio that was received off the air is not encrypted"

  • Tim - W4TME
    Tim - W4TME Administrator, FlexRadio Employee admin
    edited July 2017
    There are some concerns with UPnP regarding rouge apps that when installed on your network will use this feature to expose other devices on your network.  UPnP is a feature found on just about every firewall/router you purchase and it is usually already turned on by default.  Skype will utilize UPnP if it is available.  

    To make SmartLink or any remote access process work, you have to open a port(s) on your firewall to the outside to initiate the connection.  You can do it manually or allow UPnP to do it automatically.

    As with any network security initiative, protection begins with good Internet usage habits (safe browsing, knowing the origin of programs you are installing, not falling prey to Phishing scams, etc..)
  • Gerry Jurrens
    Gerry Jurrens Member
    edited June 2020
    Tim, I have a Maestro on order. Can I specify that Smartlink be pre-loaded when it ships? Thank you.
  • Tim - W4TME
    Tim - W4TME Administrator, FlexRadio Employee admin
    edited July 2017
    To install SmartSDR 2.0 on the Maestro is a simple process; select the version from the available version screen and download if from the Internet. It only takes a few minutes
  • David Decoons, wo2x
    David Decoons, wo2x Member, Super Elmer Moderator
    edited July 2017
    Gerry, you got my number if you get stuck, but follow the Maestro SmartLink Quick Start Guide. (Tim posted a link to it yesterday). The guide is well written and walks you through each step.

    73 Dave wo2x
  • Tim - W4TME
    Tim - W4TME Administrator, FlexRadio Employee admin
    edited January 2019
    Mario - SmartLink supports TLS.  The default version is 1.2 but will negotiate down to 1.0 if necessary.  The encryption is using SHA-256
  • KC8P
    KC8P Member ✭✭
    edited July 2017
    Ken,

    I've spent last 20 years in IT and security concerns are important part of my job. I treat these things on professional and personal level seriously. These are standard questions to the vendor when you implementing ant IT solutions and exposing your network to the bad actors around, nothing extraordinary. 


  • KC8P
    KC8P Member ✭✭
    edited July 2017
    Anyone can technically listen, as far as I know the audio is unencrypted.
  • KC8P
    KC8P Member ✭✭
    edited July 2017
    Great! Thanks for the details! Good job!
  • Tim - W4TME
    Tim - W4TME Administrator, FlexRadio Employee admin
    edited July 2017
    If they intercept the VITA-49 stream and can decode it, yes they can technically "listen", but that is a tall order and it provides no benefits as your RF transmissions are already unencrypted; all you need is a radio receiver and tune into the correct frequency.
  • KC8P
    KC8P Member ✭✭
    edited July 2017
    Wow! It seems to be a solid standard for SDR architecture!

    Tim,

    Do you know what is the algorithm used to compress the audio stream?

    Must be well compressed giving the minimum requirements of 0.5 Mb/s up and down.

    I see on LAN the SmartSDR consumes about 2 Mb/s and DAX component about 10 Mb/s with just one RX.
     
  • Tim - W4TME
    Tim - W4TME Administrator, FlexRadio Employee admin
    edited July 2017
    We are using the Opus codec.

    To achieve the low bandwidth minimum, you have to request less display data from the radio, which constitutes a majority of the VITA-49 payload.  You do this by reducing the frame rates of the panadapter/waterfall displays and using only one panadapter.  SmartLink has a feature that before you connect to a radio, you can request a low bandwidth connection that will make these settings for you automatically.  In some cases where the Internet bandwidth is very low, too much data can prevent SmartLink from connecting or if you are on a metered wireless plan, consume your bandwidth in short order.

    We are planning on doing additional bandwidth optimizations to SmartLink after 2.0 is released.  This will allow us to better characterize the issues and come up with the right solutions.
  • KC8P
    KC8P Member ✭✭
    edited July 2017
    Again, appreciate it! Very informative to anyone considering 2.0

    In my case the radio/server side is not an issue, I can enjoy 90 Mb/s down and 12 Mb/s up

    Thank you!

  • Ken Hansen
    Ken Hansen Member ✭✭
    edited July 2017
    Tim - just curious, will there be a 'flying blind' mode with no panadapter to really save on bandwidth? This could be implemented as a 'freeze' function once a qso is started, or as a 'traditional' VFO display option... I think a zero panadapter for low-speed links could be a popular option, esp for the latte-sipping, rag-chewing, remote operator!
  • David Decoons, wo2x
    David Decoons, wo2x Member, Super Elmer Moderator
    edited July 2017

    You could just put the slider for the panadapter FPS and waterfall refresh rate all the way to the left, which will be the lowest BW setting. No way to completely turn off the display.


    Dave wo2x

  • Ken Hansen
    Ken Hansen Member ✭✭
    edited July 2017
    K8CP - well I've got 21 years in IT, and I have seen many people get very excited about security where they really needn't worry do much, like I said, I was 'curious' about what was driving your concern.

    IMHO the technologies employed, if only implemented at lowest protection levels suffice for most personal applications.

    I also asked about what other remote operation software offers as far as security - I suspect Flex is well beyond what we would consider the industry standard as employed by the other software packages I mentioned.
  • Varistor
    Varistor Member ✭✭
    edited July 2017
    SHA-256 is not an encryption algorithm, it is only for hashing.

    With respect to security, what kind of independent third party testing has been done against the SmartLink backend infrastructure?
  • KC8P
    KC8P Member ✭✭
    edited July 2017
    Sounds good! I was just curious how Flex handles it and I'm greatful to get the answer.
  • KC8P
    KC8P Member ✭✭
    edited July 2017
    N2WQ - you are absolutely correct. Likely, they use AES for encryption, it is a pretty much standard.

    Question about the backend infrastructure is also a good question, since all credentials will be stored there.
  • Steve-N5AC
    Steve-N5AC Community Manager admin
    edited February 2018
    We're working on a security white paper which will detail how SmartLink works and the protocols in use.  We've been busy preparing the release and just haven't had time to finish the paper, but hope to do so soon.

    Security is a rather complicated topic and there are lots of ways to do it well and do it poorly.  Having information about a particular protocol we used really doesn't tell you a lot.  For example, someone could use a highly secure connection between you and a site used to purchase something with a credit card.  The owner of the website could brag all day about using the latest security, but then store your credit card in a database and then leave the database open to the world (this is a regular occurrence on the Internet).  You really need to understand the whole picture and be able to ask questions in order to perform an accurate security audit.

    In general, no system is ever completely secure and work needs to be conducted over time to ensure a high level of security.  For example, take a look at the issues fixed in the latest version of iOS from Apple: https://support.apple.com/en-us/HT207923.  What I can tell you is that security was a major goal of SmartLink and we've implemented what we believe are good protocols in a manner that is secure (we  did look at how competitive remote radio access products are built and were stunned at the lack of good security in most).  We'll be setting up a security email alias that allows anyone that has read our white paper and has concerns to voice those and help us with any issues that arise and we invite anyone that is well versed in Internet security to give our white paper a read and let us know if we've missed anything.


  • Varistor
    Varistor Member ✭✭
    edited July 2017
    What would be very helpful is if you share your Threat Model. That is, what specific threat scenarios you are addressing and how. Threat scenarios drive requirements, development, and testing. A very simple example: the threat of account takeovers is mitigated thru multi-factor authentication. Solutions like encryption are the bare minimum. What's interesting are your threat scenarios/model.
  • Tim - W4TME
    Tim - W4TME Administrator, FlexRadio Employee admin
    edited July 2017
    The credentials are not stored on our server  We use Auth0.
  • Steve K9ZW
    Steve K9ZW Member ✭✭✭
    edited July 2017
    Given that both FlexRadio and its Alphas both have this long on their minds, is there any need to expose threats and/or countermeasures in a public forum?

    The same backend is used for many other secure (enough) transactions.

    This is also an area that if any of us notices a need to address security that our ethical must be to directly contact FRS rather than post.

    If you have been in this area, you know the drill.

    73

    Steve
    K9ZW
  • Tim - W4TME
    Tim - W4TME Administrator, FlexRadio Employee admin
    edited July 2017
    As Steve noted, we will address the security infrastructure of SmartLink to the extent that it will not compromise the integrity of the system in an upcoming white paper.  Thank you. 

Leave a Comment

Rich Text Editor. To edit a paragraph's style, hit tab to get to the paragraph menu. From there you will be able to pick one style. Nothing defaults to paragraph. An inline formatting menu will show up when you select text. Hit tab to get into that menu. Some elements, such as rich link embeds, images, loading indicators, and error messages may get inserted into the editor. You may navigate to these using the arrow keys inside of the editor and delete them with the delete or backspace key.