DECT (Phone) Interception made Easy

Posted: April 15, 2010 in DECT

Preface:

More than a year ago, people did serious research on DECT security and found significant flaws, but since then nothing has changed dramatically in the way the industry implements DECT. I guess most people are not fully aware that DECT's insecurity could affect them. As of April 2010, experts are able to recover the DECT Standard Cipher key [1,8,9]. Please note that I did my analysis when the topic had just been raised, and it is quite likely that some of the OS-specific issues have changed in the meantime.

What’s it all about:

Remember the good old days when people made their calls from a traditional landline and had their tripping hazard all inclusive:

These days people usually have cordless phones, which are more convenient but unfortunately insecure, because they use the DECT (Digital Enhanced Cordless Telecommunications) protocol standard, as demonstrated [1],[2] by members of the CCC (Chaos Computer Club) at the 25C3 Chaos Communication Congress. The hack (The Register reported on it) is not limited to eavesdropping on DECT-based phone calls; see the DECT implementations listed below. A strong warning: listening to phone calls without prior permission is illegal; in Germany, for example, even the attempt is punishable by up to five years.

DECT implementations:

  • Cordless phones
  • Wireless ISDN access
  • Babyphones
  • Emergency calls
  • Remotely controllable door openers
  • Cordless Credit card terminals (Will probably become less popular in near future)
  • Traffic lights control (Germany) and traffic control systems (UK)
  • Situation in Germany: currently ~30,000,000 cordless DECT-based phone base stations are in use. I do not have UK- or US-specific stats, but a fairly high number of deployments, similar to the worldwide picture, is to be expected there as well.

Overview:

This post describes only the basics of the “deDECTed” hack [3]; more details can be found in the Appendix.

DECT implementations vary by vendor, and the DECT “secret key” (UAK) has been made available to vendors implementing DECT under a non-disclosure agreement. However, it appears that encryption in DECT-based phones is often not implemented or not enabled, and even the latest generation of DECT phones, which are supposed to use encryption, can be intercepted by forwarding traffic to a Voice over Internet Protocol (VoIP) system (e.g. an Asterisk PBX) that does not support the encryption, so that DECT falls back to insecure communication.

If encryption is not implemented, someone only needs a PC, software and a DECT controller to penetrate their own DECT phone.

The German hacker group initially used a hardware device based on GNU Radio to sniff DECT traffic on 1.88 – 1.9 GHz (in comparison, Wi-Fi 802.11b/g is on the 2.4 GHz band and 802.11a on 5 GHz), but later decided to make their “life easier” and wrote a Linux kernel driver and, obviously, some user-space utilities for the “Com-on-Air” PCMCIA-based DECT controller by “Dosch/Amand” (D/A).

When I looked into getting the card, the current prices on eBay for the Type II cards (ironically, D/A has been bankrupt for years) were approximately 10 times higher than before the DECT weaknesses report became public. At that time the card's main purpose was as an IP-DECT solution, where the backhaul from the base station is VoIP (H.323 or SIP) while the handset loop is still DECT; in other words, people used the Com-On-Air card to extend their VoIP networks through the DECT controller, forwarding calls to their convenient (DECT-based) cordless phones.


Com-On-Air Linux Kernel driver:

To get the PCMCIA Type II card working, the students wrote their own driver for it. Compiling the code is straightforward; just make sure you have the latest kernel sources and headers in place. The DECT analysis tools are also included in the code framework, and they compile as easily as the driver does. After a successful module load (insmod, modprobe etc.) you will see (lsmod) the “com_on_air_cs” kernel module loaded; it handles the DECT controller card under Linux.

[  339.588207] >>> loading com_on_air_cs
[  339.588875] com_on_air_cs: >>>>>>>>>>>>>>>>>>>>>>>>
[  339.588879] com_on_air_cs: card in slot        com_on_air_cs
[  339.588882] com_on_air_cs: prod_id[0]          DECTDataDevice
[  339.588885] com_on_air_cs: prod_id[1]          PCMCIA F22
[  339.590638] com_on_air_cs: ioremap()'d baseaddr 9ab34000
[  339.590664] com_on_air_cs: registered IRQ 3
[  339.630471] com_on_air_cs: valid client.
[  339.630474] com_on_air_cs: type          0x118
[  339.630476] com_on_air_cs: function      0x0
[  339.630478] com_on_air_cs: Attributes    1
[  339.630480] com_on_air_cs: IntType       2
[  339.630483] com_on_air_cs: ConfigBase    0x1020
[  339.630485] com_on_air_cs: Status 0, Pin 0, Copy 0, ExtStatus 0
[  339.630488] com_on_air_cs: Present       1
[  339.630490] com_on_air_cs: AssignedIRQ   0x3
[  339.630492] com_on_air_cs: IRQAttributes 0x12
[  339.630494] com_on_air_cs: BasePort1     0x0
[  339.630496] com_on_air_cs: NumPorts1     0x10
[  339.630498] com_on_air_cs: Attributes1   0x10
[  339.630500] com_on_air_cs: BasePort2     0x0
[  339.630502] com_on_air_cs: NumPorts2     0x0
[  339.630504] com_on_air_cs: Attributes2   0x0
[  339.630506] com_on_air_cs: IOAddrLines   0x0
[  339.630508] com_on_air_cs: has function_config
[  339.630512] com_on_air_cs: get_card_id() = 0
[  339.630514] com_on_air_cs: ------------------------

DECT Kismet integration with Kismet plugin in kismet-newcore:

Kismet is a network detector, packet sniffer and intrusion detection system for 802.11 wireless LANs. The Kismet authors made it possible to extend the application with plugins, so it can now also do DECT detection, which is quite neat for someone who uses Kismet frequently anyway. Please note that you need to compile Kismet from scratch if you want plugin support, as it is only available in the latest kismet-newcore through Subversion (svn).

Some DECT specific acronyms:

RFPI = Radio Fixed Part Identity, the ID of the phone base station (5 bytes; note that an Ethernet MAC address is 6 bytes, not 5)
RSSI = Received Signal Strength Indication
FP = Fixed Part (e.g. the telephone base station)
PP = Portable Part (e.g. the phone handset itself)
B-FIELD = the actual payload, e.g. voice codec data
C-CHANNEL = carries all DECT higher-layer control
CH = Channel

Kismet Dect plugin:

The help menu of the Kismet (newcore) DECT plugin shows the basic scan options for phones and base stations, and the plugin's ability to sort the findings in the order of the user's choice. The DECT integration also allows changing the channel-hop settings and, for example, syncing on a call and dumping it to the local system.

DECT scan example:

DECT analysis tool:

The most feature-complete tool is dect_cli. It can dump pcap-formatted captures and is shown in action below.

There are also other tools available:

coa_syncsniff dumps pcap files for a given channel and RFPI.

pcap2cchan dumps C-channel information from pcap files:

./pcap2cchan dump_2009-02-13_23_46_42_RFPI_00_7e_94_dd_a8.pcap

station: addr:8e ctrl:4c len:c0 crc:9ab2 -> reserved     cc 05 dc 82 64 de 9b 7a ca b8 01 6a 9e c2 11 04 74 d7 fb d4 f9 f6 f0 54 39 73 fc 8c f7 11 10 19 d5 1b 9b 8a ac 12 9d d5 76 55 2e a2 f5 79 aa 4d

pcapstein dumps all B-fields found in a pcap file.

Dect command line interface menu:

DECT command line interface
type "help" if you're lost
help

help - this help
fpscan - async scan for basestations, dump RFPIs
callscan - async scan for active calls, dump RFPIs
autorec - sync on any calls in callscan, autodump in pcap
ppscan <rfpi> - sync scan for active calls
chan <ch> - set current channel [0-9], currently 0
band - toggle between EMEA/DECT and US/DECT6.0 bands
ignore <rfpi> - toggle ignoring of an RFPI in autorec
dump - dump stations and calls we have seen
name <rfpi> <name> - name stations we have seen
hop - toggle channel hopping, currently ON
verb - toggle verbosity, currently OFF
stop - stop it - whatever we were doing
quit - well

Example of a base station and call dump with the DECT command line interface:

dump
### stations
00 7e 94 dd a8  ch 7  RSSI 18.53  count   76  first 1234794847  last 1234795069
### calls
00 7e 94 dd a8  ch 7  RSSI 19.20  count    5  first 1234795128  last 1234795129
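As an added example (not code from the original post or from the deDECTed project), the following Python parses the dect_cli dump output above into records and runs a simple owner-side review over them: base stations whose RFPI is not in an inventory of the site's own base stations are flagged, and every call seen is listed with its duration. The inventory set and the finding labels are assumptions made for the example.

```python
import re

# Constructed sample input: the two "dump" sections of dect_cli shown above.
SAMPLE_DUMP = """\
### stations
00 7e 94 dd a8  ch 7  RSSI 18.53  count   76  first 1234794847  last 1234795069
### calls
00 7e 94 dd a8  ch 7  RSSI 19.20  count    5  first 1234795128  last 1234795129
"""

# One dump line: a 5-byte RFPI (Radio Fixed Part Identity, not a 6-byte MAC),
# channel, RSSI, frame count and first/last seen (epoch seconds).
LINE_RE = re.compile(
    r"^(?P<rfpi>(?:[0-9a-f]{2} ){4}[0-9a-f]{2})\s+ch (?P<ch>\d+)\s+RSSI (?P<rssi>[\d.]+)"
    r"\s+count\s+(?P<count>\d+)\s+first (?P<first>\d+)\s+last (?P<last>\d+)$")

def parse_dump(text: str) -> list:
    """Turn dect_cli 'dump' output into dicts keyed like the columns, plus 'kind'
    ("stations" or "calls") taken from the preceding "### ..." header line."""
    entries, kind = [], None
    for line in text.splitlines():
        if line.startswith("### "):
            kind = line[4:].strip()
            continue
        m = LINE_RE.match(line.strip())
        if m and kind:  # ignore prompts and other chatter between the sections
            e = {k: int(v) for k, v in m.groupdict().items() if k not in ("rfpi", "rssi")}
            e.update(kind=kind, rfpi=m["rfpi"].replace(" ", ""), rssi=float(m["rssi"]))
            entries.append(e)
    return entries

def review(entries: list, inventory: set) -> list:
    """Owner-side check (hypothetical policy): flag base stations whose RFPI is not in
    the inventory of the site's own FPs (lowercase hex strings) and list every call
    seen, with its duration in seconds, so unexpected activity can be followed up."""
    findings = []
    for e in entries:
        if e["kind"] == "stations" and e["rfpi"] not in inventory:
            findings.append(("unknown-station", e["rfpi"], e["ch"], e["rssi"]))
        elif e["kind"] == "calls":
            findings.append(("call-seen", e["rfpi"], e["last"] - e["first"]))
    return findings

if __name__ == "__main__":
    for finding in review(parse_dump(SAMPLE_DUMP), {"007e94dda8"}):
        print(finding)
```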

Example of processing a call dump:

Scan for active calls and sync to the DECT phone using “callscan” mode:

### calls
00 7e 94 dd a8  ch 7  RSSI 19.20  count    5  first 1234795128  last 1234795129

Enable automatic recording of the calls found using “autorec”:

### got sync
### dumping to dump_2009-02-13_23_46_42_RFPI_00_7e_94_dd_a8.pcap
### stopping DIP

Postprocessing:

The following shows the result of extracting the raw G.726/G.721 (.ima codecs, ADPCM with 4 bits per sample) 32 kbps dumps from the .pcap capture and finally decoding them with Sound eXchange (SoX) into Waveform audio format (.wav).

dump_2009-02-13_23_46_42_RFPI_00_7e_94_dd_a8.pcap

->

dump_2009-02-13_23_46_42_RFPI_00_7e_94_dd_a8.pcap_fp.ima
dump_2009-02-13_23_46_42_RFPI_00_7e_94_dd_a8.pcap_pp.im

->

bernds_siemens_gigaset1.wav

(The .wav files can be listened to with your favourite audio player.)

DECT support in Wireshark:

No support for dissecting DECT is present in the main Wireshark repository; however, captured DECT data can be analysed further by loading the relevant .pcap files into a Wireshark development (unstable) version compiled from scratch, or by applying wireshark-1.0.5_dect.patch to Wireshark version 1.0.5.

This is the list of software packages you need to have installed before compiling Wireshark to get a successful build under Ubuntu Linux 8.04 LTS / 8.10:

  • bison – A parser generator which is compatible with YACC
  • flex – A fast lexical analyzer generator
  • gtk2-engines – theme engines for GTK+ 2.x
  • libgtk2.0-dev – Development files for the GTK+ library
  • libpcre3-dev – Perl5 compatible regular expression
  • libkrb5-dev – Header and development files for the MIT Kerberos library
  • libc-ares-dev – library for asynchronous name resolves
  • libsmi2 – A library to access MIB information
  • libsmi2-dev – A library to access MIB information (development files)
  • libgcrypt – LGPL Crypto library – development files
  • libcap-bin – basic utility programs for using capabilities
  • libcap-dev – development libraries and header files for libcap
  • libgeoip-dev – Development files for the GeoIP library
  • libgnutls-dev – the GNU TLS library – development files
  • libssl0.9.8-dbg – Symbol tables for libssl and libcrypto

External antenna connector hardware:

Some people claim that operating DECT within the European 1.88 – 1.9 GHz range (a similar frequency window to the one used by Global System for Mobile communications (GSM) in the 1900 MHz band) allows receiving a reasonable signal from up to 300 metres (approx. 980 feet) away. More EIRP significantly improves the signal and hence reduces noise.

The photo illustration below is for a Wi-Fi card extension, but the DECT controller should have a similar circuit board layout, so the SMA connector soldering can easily be adapted, using a standard GSM 1900 antenna or, better, a custom-made DECT-frequency antenna.

Conclusion:

  • “Conversations relayed through cordless household phones are far easier to snoop upon than previously suspected.”
  • DECT based phones are a bad choice for using in business.
  • VoIP security can be eliminated by implementing VoIP->DECT gateways.
  • DECT is cracked [7].

Appendix:

[1] https://dedected.org/trac/blog/dsc-cryptanalysis-final and Cryptanalysis of the DECT Standard Cipher – Full Paper – final version – PDF

[2] 25C3 presentation: (talk-25c3.pdf)

[3] DECT Talk at 25C3 (Video in 720×576 mp4 )

[4] deDECTed.org website

[5] Introduction to DECT standardisation

[6] Attacks on the DECT authentication mechanisms (pdf)

[7] DECT encryption cracked

[8] Cryptanalysis of the DECT, Bruce Schneier

[9] 26C3: DECT (part II), ChrisJohnRiley

Comments
  1. [...] done. If you’ve got a good understanding of what mapping SSIDs entails, existing software like libpcap, Wireshark, Kismet and the like, maybe you can see how easy it might have been with their developers racing to cook up [...]

  2. Mark N. says:

    Most of this is way over my head, but I’m wondering (since some long distance charges have shown up on my phone bill recently that nobody in our house has made because we don’t know anyone in Mississippi) if someone can hijack a Dect phone so long as they’re within the signal range (I’ve walked outside with my phone to see how far the signal reaches, and I’m still within range for a distance of about 2 houses or so down the street) and make outgoing calls on my equipment?

    Thanks.

  3. Just got mine in the mail and added an antenna to it.. Pretty sweet shit

    • Meho Puzic says:

      Did you get the Type II or Type III card? I can not find any Type II cards on eBay. Are there any other places to buy them?

      • Bernd says:

        Hi Meho,

        The card I used was a type II one. Very hard to get hold of at the time I looked into it:

        “When I looked into getting the card the current prices on Ebay for the Type II cards (ironically D/A is bankrupt since years) have been appx. 10 x more than the card was before the DECT weaknesses report made it to the public and the card main purpose at that time was using it as an IP-DECT solution where the backhaul from the base station is VoIP (H323 or SIP) while the handset loop is still DECT or in other words people just used the Com-On-Air card to extend their VOIP networks through the DECT Controller forwarding calls to their convenient (DECT based) cordless phones.”

        http://marienfeldt.files.wordpress.com/2010/04/card_top.jpg?w=630

  4. Reblogged this on Thou Shall Not Parse and commented:
    I found my old-school DECT BT Home Phone 1010 earlier on and have spent the evening looking up hacks for it and DECT in general. This looks very interesting.
