DECT [Digital Enhanced Cordless Telecommunication] nfo


Post by DNR »

DECT [Digital Enhanced Cordless Telecommunication]

The DECT protocol, a European Telecommunications Standards Institute (ETSI) standard, is the world's most popular wireless telephony protocol. The standard is also used in baby monitors, emergency call and door opening systems, wireless debit card readers and even traffic management systems. In Germany alone, where 25C3 [ Chaos Communication Congress ] is held, there are an estimated 30 million active DECT devices. DECT uses standard cryptographic procedures for authenticating the base station and terminals and for encrypting data transfers.
The original DECT frequency band (1880 MHz–1900 MHz) is used in all countries in Europe. Outside Europe, it is used in most of Asia, Australia and South America. In the United States, the Federal Communications Commission in 2005 changed channelization and licensing costs in a nearby band (1920 MHz–1930 MHz, or 1.9 GHz), known as Unlicensed Personal Communications Services (UPCS), allowing DECT devices to be sold in the U.S. with only minimal changes.

A modified $30 VoIP laptop card running on a Linux portable was used to demonstrate an attack, which relies on using specially outfitted equipment to impersonate legitimate wireless base stations. Having previously carried out an attack using an expensive DECT sniffer, the security researchers - Erik Tews from the Technical University of Darmstadt, Ralf-Philipp Weinmann, and Matthias Wenzel - modified a ComOnAir PCMCIA card with a few additional circuit and software modifications so that once the kit was plugged into a laptop it was able to function as a sniffer. The equipment was easily small enough to be operated from a car parked outside a targeted location.

The security researchers were able to extract an audio stream which could be played back or recorded.

In all these cases, the PCMCIA card was, using a special Linux driver, able to eavesdrop on conversations, extract and write data to a storage medium and forward this data to an audio player. In such poorly secured DECT networks, it was possible to record every telephone conversation which took place.
Encryption is a part of the DECT standard, but even when it's enabled, it might easily be bypassed in order to allow rogue devices to pose as the real thing, heise Security reports.

The algorithm used by DECT is hardwired into devices and not publicly disclosed. However, the boffins found that DECT-based communications between a transmitting station and the hand-held device often featured no form of encryption or authentication. And even when cryptographic defences are put into play they might be defeated by diverting data to an Asterisk (Linux-based software PBX), where crypto isn't supported so that conversations default to plain text, cryptographic researchers discovered.

The researchers also found some initial points of attack in the encryption system. According to Tews, they succeeded in reverse engineering the central DECT Standard Authentication Algorithm (DSAA) and its four sub-implementations. A report on the research can be found on the dedected.org project site, with implementations and C and Java source code to follow.

The next version of the Kismet WLAN sniffer will support DECT. Wireless LANs and DECT devices operate over separate frequencies, so additional hardware will still be needed to sniff on conversations, i.e. a 'ComOnAir PCMCIA card with a few additional circuit and software modifications'.

-----------------

DECT wireless eavesdropping made easy
http://www.theregister.co.uk/2008/12/31/dect_hack/

http://en.wikipedia.org/wiki/DECT

25C3: Serious security vulnerabilities in DECT wireless telephony
http://www.heise-online.co.uk/security/ ... ews/112326

Hacker's view of DECT, 12/29/08 by Andreas Schuler Erik Tews Ralf-Philipp Weinmann - DeDECTed.org
https://dedected.org/cgi-bin/trac.cgi/a ... format=raw
4.17 MB PDF file - a MUST HAVE!

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
