As always, opinions in this post are solely those of my own, and not necessarily those of any organization I am currently affiliated with or have been in the past.
First posted 1/1/2020
Mrs. KD9CPB got me an AnyTone 578 for Christmas, and I couldn’t be happier with the radio! Reception off the condo balcony using the AnyTone is dramatically better than my BTEC UV25-X2, which has been repurposed for use in our car. Thanks to the Bluetooth PTT button + compatibility with any Bluetooth headset, I’m now checking into local UHF/VHF nets much more comfortably from the couch. Although the AnyTone 578 costs over double that of the BTEC UV25-X4, I’m having over double the fun with all the additional DMR talkgroups available on my local Chicagoland-CC network repeater thanks to WA9VGI and WD9BBE’s efforts:
My mini-technician-level-ham-shack near the condo balcony door now feels complete thanks to the AnyTone 578, a cheapo 13.8V power supply in the black bin, the Cushcraft AR-270 antenna on the balcony, and an SDRPlay Duo. I keep my notes & headset in that clipboard case on top of the black bin, and the transceiver goes inside of the bin when I’m not playing radios. I’d recommend this AnyTone radio to anyone, and the ability to program it with the built-in microUSB port is really nice. However, as a network security nerd, I feel it’s also my duty to be extra paranoid about the AnyTone radio programming software being a potential threat vector on your personal computer. It actually reminds me a lot of the Jeep Cherokee cybersecurity situation a few years back! With that being said, let’s investigate similarities between the AnyTone 578 radio and a mid-2010’s Jeep Cherokee:
- They both have a very passionate fanbase
- They are both known for quality & durability
- Their base models are reasonably priced, but fully loaded can get expensive
- They both have excellent social media marketing, support & sales teams
- They both have cybersecurity concerns when someone who’s really, really determined tries to do bad things
- They both may be made in China
- They both stand up well to high-end Japanese competitors (Think Jeep vs. Lexus SUV, or AnyTone vs. ICOM/Yaesu)
I’m sure many of you are coming here just for the juicy cybersecurity concern stuff, in which case you can safely scroll down to the “AnyTone Software” and Conclusion sections, but you have to promise me you’ll at least consider getting a ham license someday 🙂
For everyone else that wants the full story about why I love the AnyTone and why I think it’s the Jeep Cherokee of DMR/UHF/VHF, let’s start by diving into the AnyTone equivalent of your local Jeep dealership: Bridgecom Systems
Bridgecom Systems: My New Favorite Company YouTube Channel
After hearing the reception quality difference between the BTEC UV25-X4 and my SDRPlay Duo on VHF/UHF, I knew I wanted to buy a fancy new VHF/UHF transceiver. Only problem was I found myself in a state of analysis paralysis trying to decide which brand & model to choose, along with figuring out if I should get something with a digital mode! Like most hams, I’ve listened to opinions on local nets, read a lot of QST magazine, and did too much googling over what would be the best option. While researching all the different flavors of digital radio, DMR started to stand out as the best fit for me given my love for computer networks, open source and open standards. Flipping through QST magazine, Bridgecom’s DMR ads really stood out as a company that seems to know this stuff well. After visiting their website, I became sold on the AnyTone 578 as the choice for me:
At first I thought the Bridgecom product site was a little gimmicky, kind of like how us Chicagoans view Jeep commercials in mountainous terrain given we live in a flat-as-a-pancake region 🙂 However, as a huge fan of online learning courses, I really wanted to see how well they executed their promises about Bridgecom University. I must say, Bridgecom knocked it out of the park on their AnyTone courses! The production quality is surprisingly some of the best I’ve seen in the ham radio videography scene, the user experience is very smooth, and I learned a lot from their DMR courses. It looks to me like Bridgecom is doing everything right when it comes to their social media marketing campaigns, advertisements in QST, and producing YouTube videos that practically sell these AnyTone radios themselves:
I contacted Bridgecom support with a silly question about importing .CSV data from Repeaterbook, and got a really good answer back within 24 hours. Seems like most others are happy with their customer service, but the only recurring complaint I’ve noticed is some people think their Skybridge DMR setup is way too expensive considering you can build something similar with a Raspberry Pi on the cheap. Personally, I have absolutely no issues with Bridgecom’s pricing of their Skybridge hotspot; it costs a lot of money to have good tech support for such a complicated product, they deserve to make a good profit by filling this market demand. My only suggestion is that it would be great to see Bridgecom publicly donate a chunk of that Skybridge profit to the various open source projects that make their DMR hotspot possible, or hire a software engineer to contribute on these projects full-time. That being said, my personal opinion is the “we profit off open source projects, but don’t contribute much of anything in return” behavior is far too prevalent in today’s technology world. I won’t hold this against Bridgecom as it’s sadly a problem in many other technology organizations too.
The AnyTone radios themselves are manufactured by a company named QX-Tele based in China. While companies like Baofeng have found great success in mass producing the lowest-cost entry level UHF/VHF radios, QX-Tele’s strong suit appears to be selling a higher quality radio that’s still at a lower cost than comparable ICOM/Yaesu/Kenwood/Motorola models, yet a little more expensive than Baofeng. Although Bridgecom dominates the search results, there’s a handful of other sellers who will sell you an AnyTone 578 with fewer bells & whistles at a lower price. That being said, you don’t get access to Bridgecom support or their excellent training, so I wouldn’t recommend going down that path. It takes a bit of practice to get used to how the DMR timeslot & talkgroup configs are supposed to work, but that’s where the Bridgecom University videos add the most value.
Similarly to how people blow lots of time, money & effort on accessories for a Jeep, it’s very easy to do the same on the AnyTone 578 thanks to its Bluetooth capabilities! One of the first things I did was pair my beloved Sony WH-1000XM3 headphones. After a little tinkering with the speaker settings & PTT pairing, I was pleasantly surprised at how well this combination works. Even though it’s in our DNA as ham radio operators to start tinkering with new gear without reading manuals or watching training videos, I highly recommend watching the Bridgecom videos to pair the Bluetooth stuff. There’s a few little settings that are not super obvious without their guidance, like the PTT button pairing hiding in the bottom of the Bluetooth menu:
Overall I’m very impressed with the quality of the AnyTone 578’s physical construction and quality of both transmitting & receiving radio signals. I really wish ICOM/Yaesu/Kenwood/Motorola made a similar 25+ watt mobile UHF/VHF/DMR radio that I could compare it to at a similar price point, but I have not found such a radio out there. If you do, let me know in the comments! The Kenwood TM-V71A is one of the closest I’ve seen, but it doesn’t do DMR.
My only suggestion to AnyTone about their hardware is to make the default time zone GMT, or use the GPS location to correctly configure the local time zone, not the current default of GMT +8. I was expecting the radio’s time to get corrected to either local or GMT immediately after getting a good GPS signal, but instead the time was 8 hours ahead of GMT! I’m pretty sure the reason for this is AnyTone’s factory is likely in the GMT +8 time zone. This isn’t a big deal as you can permanently set GPS to enabled & time zone to your local one easily in the AnyTone software. However, there’s a lot more than just software to unpack in the .zip available on Bridgecom’s website…
AnyTone Software
I waited until I started Bridgecom University before installing the AnyTone software (aka AnyTone Customer Programming Software, or CPS) on my machine. When I unpacked the .zip file from their website, I opened up the “A read me first” folder and took a look at the changelog out of habit (reading changelogs on Cisco & Juniper network gear to see what I might get burned on is hard-coded into my soul!). The changelog contains some questionable use of English grammar, and even includes references to last year’s Chinese New Year holiday closure of the AnyTone factory. This is perfectly fine, plenty of software & documentation for US customers is written overseas nowadays. But just like phishing emails, every time I see poor grammar in software documentation, a red flag goes up in my brain about what other poor quality things might be happening inside the actual code, especially if it isn’t open source. After giving it a little thought, I decided to install AnyTone CPS anyways considering many Bridgecom customers have done the same. The installer launched, but only a few screens in I ran into another red flag, the install path:
You’re not very likely to have a functional hard drive mounted to D:\ on a Windows computer nowadays, so why did the AnyTone developers leave this as the default path instead of C:\Program Files\ or something similar? My two guesses are either a) they never got around to cleaning this up due to other priorities or b) they want people to install in a not-so-standard directory to avoid scheduled antimalware scans of C:\Program Files\. Neither of these guesses made me feel warm & fuzzy about AnyTone software, but I went ahead and installed it anyways, just like all the other Bridgecom customers. After programming in a few UHF/VHF nets and getting more comfortable with the user interface, I noticed a DMR talkgroup would get assigned by default to each Analog station, even though those are not used for Analog nets:
This isn’t an actual problem, but it feels a little sloppy, and it’s the third red flag I’ve found so far in the software that makes me question its quality assurance process. Now that I’m three strikes deep, I start wondering if there might be some code that isn’t in my best interest running within AnyTone CPS on my computer. I checked out the About page, and saw my fourth red flag: poor grammar and no mention of a company or support website.
Now all four of these red flags so far are simply red flags; I used AnyTone CPS to program the radio, and everything worked as expected, no cause for concern. I also looked through my firewall logs & verified no unexpected network traffic was being sent/received by the AnyTone CPS software. This made me feel pretty good, maybe I was just being over-paranoid! But then I went to upgrade the firmware, and a fifth red flag popped up from Windows User Account Control:
It appears instead of including the firmware update functionality in the AnyTone CPS software, they simply put a link to another program in the AnyTone CPS firmware update menu. This isn’t a big deal, but it’s now the fifth red flag on my PC that’s making me question what the heck else might be going on behind-the-scenes inside the AnyTone CPS code. At this point, I decided running this firmware updater with the overseas-based company referenced in the executable name was more risk than I was willing to take on my personal machine. I ended up uninstalling AnyTone CPS from my Windows 10 desktop, created a new Windows 10 virtual machine with no network connectivity, and installed AnyTone CPS on this isolated virtual machine. Fortunately the USB connectivity works great in VirtualBox for both reading & writing radio presets:
There’s plenty of good resources out on YouTube about how to get a Windows 10 VM running in VirtualBox, so I won’t write anything here about it. Keep in mind if you’re going to do this, you can use the virtual CD option to easily transfer data between the virtual machine, and select the USB Virtual ComPort to connect the radio into the VM like you see in the above screenshot. Just like the Jeep Cherokee’s cybersecurity woes a few years ago, you can work around many risks running questionable software on critical infrastructure by completely walling it off from network connectivity. However, this is simply a workaround, what I’d really like is for the software to become less questionable by seeing the red flags get fixed.
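An added example, not part of the original post: one way to confirm the VM described above stays walled off is to parse the output of `VBoxManage showvminfo <vm> --machinereadable` and flag anything that links the guest to the network or the host. The sample text and the VM name are constructed, and the key names (`nicN`, `clipboard`, `draganddrop`, `SharedFolderNameMachineMapping…`) are assumptions about that output that should be confirmed on your VirtualBox version.

```python
import re
import subprocess
import sys

# Constructed samples of `VBoxManage showvminfo <vm> --machinereadable` output.
# Key names are assumptions about VirtualBox's format; check them on your version.
SAMPLE_ISOLATED = '''name="anytone-cps"
nic1="none"
nic2="none"
clipboard="disabled"
draganddrop="disabled"
usb="on"
'''
SAMPLE_LEAKY = '''name="anytone-cps"
nic1="nat"
cableconnected1="on"
clipboard="bidirectional"
draganddrop="disabled"
SharedFolderNameMachineMapping1="downloads"
'''

def parse_vminfo(text):
    """Turn key="value" lines into a dict, dropping the surrounding quotes."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            info[key.strip().strip('"')] = value.strip().strip('"')
    return info

def isolation_findings(text):
    """List every setting that connects the guest to the network or the host."""
    # USB is deliberately not flagged: the radio needs USB passthrough.
    findings = []
    for key, value in sorted(parse_vminfo(text).items()):
        if re.fullmatch(r"nic\d+", key) and value != "none":
            findings.append(f"{key} is attached ({value})")
        elif key.startswith("SharedFolderNameMachineMapping"):
            findings.append(f"shared folder '{value}' is mapped")
        elif key in ("clipboard", "draganddrop") and value != "disabled":
            findings.append(f"{key} is {value}")
    return findings

if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check: python check_vm.py <vm-name>
        cmd = ["VBoxManage", "showvminfo", sys.argv[1], "--machinereadable"]
        text = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    else:  # no VM name given: run against the constructed sample
        text = SAMPLE_LEAKY
    problems = isolation_findings(text)
    print("\n".join(problems) or "no network, shared folder or clipboard path found")
    sys.exit(1 if problems else 0)
```

Running it before each CPS or firmware-updater session catches a network adapter or shared folder that was re-enabled for convenience and never turned back off.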
Conclusion & Suggestions to anyone concerned about AnyTone CPS software
I think the Jeep Cherokee & AnyTone 578 are great products. They’ve both had some questionable software things come up over the years, but that doesn’t take away from the hardware being rock solid. You might be thinking “Hey Tom, why are you being so paranoid on the AnyTone software when you use your computer to program Baofeng radios too?” The answer is Baofeng avoids this problem entirely by recommending the open-source CHIRP project instead of writing their own code. I wish this was true for all amateur radios these days. Having all vendors pool their resources into one or two open source radio programming utilities in a similar way to what Firefox/Chromium have done in the web browser niche would be great! The catch is that as of today, CHIRP does not support the DMR settings required for something like an AnyTone 578. While open source has its own problems regarding code quality + security, I feel that having a much larger set of eyeballs looking at + maintaining the code leads to better results for everyone.
Let me be abundantly clear: I’m concerned that all the red flags I’ve noticed while using AnyTone software might make it a perfect candidate for supply chain compromise, or as a method for getting ransomware onto the older OSes that ham radio operators tend to use. I have not found any evidence that today’s AnyTone CPS software has any shady stuff included, but I will continue to run it in my isolated VM just to be safe. I’m sure many people reading this will conclude I’m being a bit over-paranoid by confining AnyTone’s software in an isolated VM, and that’s totally fine, I probably would have thought the same a few months back. After seeing the insanity that’s happened with the Sunburst hack, CCleaner malware & NotPetya in recent years, I’m far less trusting of software supply chains than I used to be. Especially ones with closed-source code.
I’m very happy with my AnyTone 578 purchase, Bridgecom Systems, and all the work AnyTone has put into making their software fairly easy to use. Just like the software on the mid-2010’s Jeep Cherokee, I think there’s a bit of work that needs to be done for safety’s sake, and I sure hope that work happens. One last thing I want to mention about the AnyTone CPS software is the only 1-star review on eham.net. I’d recommend checking out their full page, but I’ll post the specific review here to make it easier to find:
This reviewer brought up something I didn’t consider at first; accessibility. It’s no secret the ham radio community has many seniors, and not having radio software that supports the large fonts required for some of the most experienced ham operators feels a bit wrong in my opinion. On the bright side, all of the things I’m complaining about have fixes! Some of them are not cheap, but I sincerely hope these suggestions hit the ears of the folks who can do something about this software snafu. Let me know in the comments if I got it right or if something else needs to be said. Hope everyone has a safe & healthy new year, and keep on staying socially distant with DMR/VHF/UHF until we’re all vaccinated up 🙂
Update 7/18/2021: you can now use qdmr instead of the CPS software in many situations, see http://kd9cpb.com/qdmr for much more info about this
Suggestions for Ham Radio Operators using AnyTone Software:
- Make sure all your operating system updates, anti-malware software and firewall are actually updated & running. I know many hams (myself included) tend to disable Windows Firewall during homelab projects. I’m of the opinion that if you’re going to run potentially untrusted ham radio programs, you need to be running Windows Firewall or a similar 3rd party product to prevent your personal data from leaking onto the internet.
- Don’t run potentially untrusted software on obsolete operating systems like Windows 7, unless you have no valuable data on the obsolete machine, and are ok with the risk of ransomware destroying your data.
- Ask your vendors about their software supply chain security, if they contribute to open source projects they’re reselling, and what kind of cybersecurity testing they perform. Most vendors aren’t going to like these questions, but if enough people ask, maybe they’ll take it more seriously and produce a whitepaper!
- Use common sense and don’t blindly ignore security warnings. If you don’t feel comfortable with a particular executable, try running it on an isolated virtual machine instead of on a computer with your sensitive personal data.
Suggestions for everyone that makes up the AnyTone supply chain:
- Fix the typos, installation path of the installer, About page, and accessibility issues within AnyTone CPS. I understand these are small cosmetic problems, but these are also red flags for some cybersecurity professionals too.
- If possible, either open source AnyTone CPS or replace it with something like the CHIRP project. I understand it would be a lot of work to get CHIRP (or a fork of it) working with DMR, but this feels like it could be a big win for the DMR community, which gets you more DMR customers.
- If open sourcing is not possible, consider getting AnyTone CPS into the Microsoft Store or something similar to make the software supply chain more reputable. While vendors like Bridgecom are doing a great job at distributing software updates, their update servers can be vulnerable, just like the SolarWinds ones.
- Contribute either via monetary donation or via engineering resources towards the various DMR related open source projects like Pi-Star, Brandmeister, etc. This is great PR for your more computer-savvy customers, and you might get some GitHub users who know nothing about ham radio interested in becoming your customers too!
You should also know I may earn commissions on qualifying Amazon purchases made via kd9cpb.com links to defray the cost of otherwise ad-free web hosting.