Full Report
JS8 is a protocol for communicating over vast distances using radio. It's a text-based protocol for chat. It operates on HF, roughly 7 MHz to 14 MHz, which is low compared with the VHF/UHF bands people usually associate with radio. At these frequencies the E and F layers of the ionosphere reflect the signal back toward the ground, so line-of-sight is not important for us! Point to point can go from one spot on earth to another, which is truly amazing. Jesse was looking at a website that parsed all JS8 traffic and displayed it. The message can literally contain anything after the callsign, so they added an HTML injection payload to their JS8 message and it modified the page! Since the page has no authentication, what could we do that would be useful? Cosmetic changes are interesting... logging requests and where the users are located... Even with only that, the stored HTML injection has some impact. Overall, a classic vulnerability found in a very bizarre place.
Analysis Summary
# Vulnerability: Stored HTML Injection in JS8Call Traffic Parsers
## CVE Details
- **CVE ID**: Not Assigned (N/A)
- **CVSS Score**: Estimated 4.6 (Medium) - `CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N`. That vector computes to 4.6; if the attack vector is instead scored as Network (AV:N), on the grounds that the injected text reaches the web application over the internet once a gateway relays it, the score is 5.4.
- **CWE**: CWE-79 (Improper Neutralization of Input During Web Page Generation / Cross-site Scripting)
## Affected Systems
- **Products**: Web-based JS8Call traffic aggregators and dashboards (e.g., sites parsing traffic from the PSK Reporter network or local JS8Call logs).
- **Versions**: All versions that render the message field without output encoding.
- **Configurations**: Web applications that automatically display captured RF (Radio Frequency) traffic without escaping HTML characters.
## Vulnerability Description
The JS8 protocol is an HF (7 MHz to 14 MHz) digital text mode used in amateur radio. It allows free-form text transmission following a station callsign. The vulnerability exists in the **web-based presentation layer** of third-party monitoring tools, not in JS8Call itself. Because these websites assume the decoded traffic is plain text, they may interpolate it directly into the page without escaping HTML metacharacters. An attacker transmits a message containing HTML tags (e.g., `<b>`, `<img>`, or `<script>`); once a listening gateway decodes and uploads it, the markup is rendered as live HTML on the monitoring website, and, where inline script or event handlers are not blocked, as executable code. Because such sites keep and replay decoded traffic, the injection is stored and affects every later visitor to the page.
## Exploitation
- **Status**: PoC available (Demonstrated by Jesse Victors).
- **Complexity**: Low (Requires basic knowledge of JS8Call and HTML).
- **Attack Vector**: Adjacent as scored (the attacker needs a transmitter that a listening gateway can decode). Note that HF skip propagation means "in range" can be thousands of kilometers, which is why scoring it as Network is also defensible.
## Impact
- **Confidentiality**: Low (an injected `<img>` pointing at an attacker-controlled host logs each visitor's IP address, and therefore approximate location, when the page loads).
- **Integrity**: Low (unauthorized modification of the page's displayed content; the vector's `I:L` covers this, since the underlying traffic data is not altered).
- **Availability**: None (typically does not result in a Denial of Service).
## Remediation
### Patches
- Developers of JS8 monitoring websites should implement **Output Encoding** (converting `<` to `&lt;`, `>` to `&gt;`, `&` to `&amp;` and `"` to `&quot;`) for the message and callsign fields before they are inserted into the UI. Most template engines do this by default when autoescaping is left enabled; the bug typically appears where raw string concatenation or a "safe"/"raw" filter bypasses it.
### Workarounds
- **End-users**: Use browser extensions like NoScript to block execution of scripts or third-party requests on unencrypted/unauthenticated amateur radio dashboards.
- **Site Operators**: Implement a strict Content Security Policy (CSP), for example `default-src 'self'; img-src 'self'; script-src 'self'`, so injected tags cannot load remote resources or execute inline script. This limits the damage but does not replace output encoding, since text-only defacement still renders.
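The vulnerable rendering path described above beside its hardened form, as an added Python example; this is not code from any JS8Call aggregator or from the article. The `CALLSIGN: text` line format, the table template, and the sample traffic lines are constructed assumptions, and the CSP value is the illustrative policy from the workaround above.

```python
"""Added example: how decoded JS8 text reaches a dashboard unescaped, and the fix.

Not code from any real JS8 aggregator. The message line format ("CALLSIGN: text")
and the HTML row template are assumptions made for illustration.
"""
import html
import re

# Constructed sample of decoded JS8 traffic as a gateway might upload it:
# one line per decode, "<callsign>: <free text>". Not real captures.
SAMPLE_TRAFFIC = [
    "KD2ABC: HELLO FROM NY, 5W INTO A DIPOLE",
    "W1XYZ: <b>STATION W1XYZ IS THE BEST</b>",
    'N0CALL: <img src="http://tracker.example/pixel.gif">',
    "VE3DEF: <script>alert(1)</script> CQ CQ",
]

# Assumed callsign shape: 3-10 chars of letters, digits or '/' (e.g. portable suffixes).
CALLSIGN_RE = re.compile(r"^([A-Z0-9/]{3,10}):\s*(.*)$")


def parse_line(line):
    """Split a decoded line into (callsign, message); None if it does not parse."""
    m = CALLSIGN_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2)


def render_row_vulnerable(callsign, message):
    """What an unsafe dashboard does: concatenate raw text into markup.
    Whatever is in `message` becomes live HTML, which is the bug on this page."""
    return f"<tr><td>{callsign}</td><td>{message}</td></tr>"


def render_row_safe(callsign, message):
    """Hardened form: encode both fields before they touch the page.
    html.escape turns < > & " ' into entities, so tags are displayed as text."""
    return (
        f"<tr><td>{html.escape(callsign, quote=True)}</td>"
        f"<td>{html.escape(message, quote=True)}</td></tr>"
    )


def build_table(lines, renderer):
    """Render every parseable line with the given row renderer."""
    rows = [renderer(*fields) for fields in map(parse_line, lines) if fields]
    return "<table>" + "".join(rows) + "</table>"


# Defence in depth: even if one renderer is missed, this policy stops injected
# <img>/<script> tags from loading remote resources or running inline code.
# Illustrative value; a real site must add its own asset origins.
CSP_HEADER = (
    "Content-Security-Policy",
    "default-src 'self'; img-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
)


if __name__ == "__main__":
    print("VULNERABLE:", build_table(SAMPLE_TRAFFIC, render_row_vulnerable))
    print("SAFE:      ", build_table(SAMPLE_TRAFFIC, render_row_safe))
    print("%s: %s" % CSP_HEADER)
```

The escaped output still shows the attacker's text verbatim (`&lt;b&gt;STATION...`), which is the desired behaviour: the dashboard's job is to display what was heard, not to interpret it.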
## Detection
- **Indicators of Compromise**: Raw HTML tags (`<script>`, `<img ...>`, `<b>`) or HTML entity sequences (`&lt;`, `&#x3c;`) within the "Message" column of JS8 traffic logs.
- **Detection Methods**: Inspect the decoded JS8 message stream for tag-like structure and common injection patterns (e.g., `<img src=x onerror=...>`, `javascript:` URLs) rather than for every non-alphanumeric character, since ordinary JS8 chat legitimately contains punctuation.
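The detection method above, run over constructed sample log lines, as an added Python example; it is not part of JS8Call or of any monitoring site. The log line layout (`<UTC time> <frequency in Hz> <callsign>: <text>`) and the indicator list are assumptions, and the example deliberately leaves a bare `<` in prose unflagged to keep false positives down.

```python
"""Added example: scanning decoded JS8 traffic for HTML-injection indicators.

Detection logic written for this page, not part of JS8Call or any aggregator.
The log line format is an assumption and the sample lines are constructed.
"""
import re

# Constructed sample log, one decode per line: "<UTC time> <freq Hz> <callsign>: <text>".
SAMPLE_LOG = """\
2024-01-01T12:00:00Z 7078000 KD2ABC: HELLO FROM NY, 5W INTO A DIPOLE
2024-01-01T12:00:30Z 7078000 W1XYZ: <b>STATION W1XYZ IS THE BEST</b>
2024-01-01T12:01:00Z 14078000 N0CALL: <img src=x onerror=alert(1)>
2024-01-01T12:01:30Z 14078000 VE3DEF: RIG: 100W, ANT: 2 < 3 EL YAGI
2024-01-01T12:02:00Z 14078000 G0GHI: &lt;script&gt;ALERT&lt;/script&gt;
"""

LOG_RE = re.compile(r"^(\S+)\s+(\d+)\s+([A-Z0-9/]{3,10}):\s*(.*)$")

# (name, pattern), ordered from most to least specific so the first hit is the
# most useful label. Case-insensitive because HTML is.
INDICATORS = [
    ("script_tag", re.compile(r"<\s*script\b", re.I)),
    ("event_handler", re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I)),
    ("js_url", re.compile(r"javascript\s*:", re.I)),
    ("remote_src", re.compile(r"<[^>]*\b(src|href)\s*=", re.I)),
    ("html_tag", re.compile(r"<\s*/?[a-z][a-z0-9]*[^>]*>", re.I)),
    ("html_entity", re.compile(r"&(#\d+|#x[0-9a-f]+|[a-z]+);", re.I)),
]


def classify(message):
    """Return the first matching indicator name, or None for benign text.

    A bare '<' in prose (e.g. "2 < 3") is deliberately not flagged: JS8 chat
    contains punctuation, so we look for tag or entity structure instead.
    """
    for name, pattern in INDICATORS:
        if pattern.search(message):
            return name
    return None


def scan_log(text):
    """Return (timestamp, callsign, indicator, message) for each suspicious line.

    Lines that do not fit the assumed layout are skipped rather than flagged.
    """
    hits = []
    for raw in text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue
        ts, _freq, call, msg = m.groups()
        ind = classify(msg)
        if ind:
            hits.append((ts, call, ind, msg))
    return hits


if __name__ == "__main__":
    for ts, call, ind, msg in scan_log(SAMPLE_LOG):
        print(f"{ts} {call:<8} {ind:<14} {msg}")
```

The `html_entity` indicator is worth keeping even though entities are harmless when escaped correctly: seeing `&lt;script&gt;` in the raw decode means someone is probing how the site encodes, which is the same adversary one step earlier.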
## References
- HackerNoon Article (Exploit breakdown): [https://hackernoon.com/attacks-over-the-air-phreaking-html-injection](https://hackernoon.com/attacks-over-the-air-phreaking-html-injection)
- JS8Call Protocol Information: [http://js8call.com/](http://js8call.com/)