13 replies to this topic

[Havoc]

I'm amazed

http://events.ccc.de...ts/2937.en.html

https://dedected.org....pdf?format=raw

http://www.heise-onl...y--/news/112326

According to the researchers, all that's required is a souped-up 23-euro VoIP laptop card and a Linux computer. This setup has no difficulty in intercepting DECT conversations if, as is frequently the case, encryption is not activated. Even where data transfer is initially encrypted, the card is able to deactivate the encryption by pretending to be a base station...the goal of creating a sniffer that could be used from a car parked in front of a house, was achieved...PCMCIA card was, using a special Linux driver, able to eavesdrop on conversations, extract and write data to a storage medium and forward this data to an audio player. In such poorly secured DECT networks, it was possible to record every telephone conversation which took place.

some of you may recall that I have a bunch of these pcmcia card : something like 5 type III and 2 type II and all other ISDN/DECT equipment including DECT wireless lan hardware

I do hope to see my cards in action as DECT is very common and popular here in Europe

[trunk]

Nice link

[PhreakerD7]

Wow, that almost seems too easy. Tell us how your adventures go, I'm curious to see actual results.

[radio_phreak]

A friend of mine was playing with this yesterday. Yes it is very easy, also not out yet, is the code to run a false base station, so if you tunnel it out over an Asterisk box, the person will never know. Anyway back to topic, the Codec chosen isn't exactly the one they need, it produces an extremly "tinny" output and so words are competley indeterminable. Anyone got any suggestions? (we've tried slowing the speech down and changing the pitch rate, it makes very little difference).

RP

[ThoughtPhreaker]

If you haven't already, try setting the codec to g.726. I've heard it's pretty popular with a lot of DECT phones, especially Panasonic ones.

EDIT: Okay, well, I'm a noob. G.726 is standard for DECT.

Edited by ThoughtPhreaker, 08 January 2009 - 11:28 AM.

[Andre van dem Helge]

A friend of mine was playing with this yesterday. Yes it is very easy, also not out yet, is the code to run a false base station, so if you tunnel it out over an Asterisk box, the person will never know. Anyway back to topic, the Codec chosen isn't exactly the one they need, it produces an extremly "tinny" output and so words are competley indeterminable. Anyone got any suggestions? (we've tried slowing the speech down and changing the pitch rate, it makes very little difference).

RP

I believe DECT uses the G726 codec. There are different encoding schemes or just implementations of G726... I saw what you describe in some VoIP deployments.

Does anyone know if these PCMCIA cards support DECT 6.0, which is the North American variant on a slightly different frequency?

[IndexPhinger]

A friend of mine was playing with this yesterday. Yes it is very easy, also not out yet, is the code to run a false base station, so if you tunnel it out over an Asterisk box, the person will never know. Anyway back to topic, the Codec chosen isn't exactly the one they need, it produces an extremly "tinny" output and so words are competley indeterminable. Anyone got any suggestions? (we've tried slowing the speech down and changing the pitch rate, it makes very little difference).

RP

I believe DECT uses the G726 codec. There are different encoding schemes or just implementations of G726... I saw what you describe in some VoIP deployments.

Does anyone know if these PCMCIA cards support DECT 6.0, which is the North American variant on a slightly different frequency?

It is in fact off by 10hz.

[ThoughtPhreaker]

It is in fact off by 10hz.

Erm, were you thinking of another specification?

From Wikipedia:

Some DECT properties:

• Audio codec: G.726
• Net bit rate: 32 kbit/s
• Frequency: 1880 MHz–1900 MHz in Europe, 1920 MHz–1930 MHz in the US
• Carriers: 10 (1,728 kHz spacing) in Europe, 5 (1,728 kHz spacing) in the US
• Time slots: 2 x 12 (up and down stream)
• Channel allocation: dynamic
• Average transmission power: 10 mW (250 mW peak) in Europe, 4 mW (100 mW peak) in the US

Also, if someone figures out a way to crack the base code (and they will, there's always someone out there who wants a free call or to wreak havoc or something), can you think of the potential this would have? It'd be great for phonetripping in areas where payphones have been decimated. Seriously, if DECT 6.0 is supported, it'd be like wifi in 2005; plenty of APs, none of them secure, like, ever.

[Havoc]

it's very easy to use google and not only wikipedia, an example

http://wireless.per....lephon/dect.htm

[R4p1d]

Just grab one of THESE, then the phone your trying to eavesdrop on will walk out of a door looking for reception. Easy enough?

[PurpleJesus]

Just grab one of THESE, then the phone your trying to eavesdrop on will walk out of a door looking for reception. Easy enough?

oh I've got to get one of those!

EDIT:
for $30 bucks.. I went ahead and ordered one. Will let you know how it works..

Edited by PurpleJesus, 21 January 2009 - 10:59 AM.

[Andre van dem Helge]

Talking about DECT I just found out recently there's a DECT cordless phone that can be installed in my car. How cool is that?

http://www.bimmerboa...ms/posts/410125

[savant]

PurpleJesus, I hope you didn't use express shipping, as that's the one that goes through customs

As far as how well they work, you need to tune them because they ship tuned to overseas frequencies. Get a small jewelers screw driver and take off the metal case (make sure to pull the button out first, I broke my first one that way).

The range, when tuned, is about 30 feet give or take indoors. Outdoors the range isn't nearly as good. But still a neat toy. Also, the build quality on them is complete shit, poor soldering and gobs of hot glue.

I hear the BIG one, for $75 or whatever, is a much better unit. It's just large as hell, more ideal for car mounting.

[PurpleJesus]

PurpleJesus, I hope you didn't use express shipping, as that's the one that goes through customs

As far as how well they work, you need to tune them because they ship tuned to overseas frequencies. Get a small jewelers screw driver and take off the metal case (make sure to pull the button out first, I broke my first one that way).

The range, when tuned, is about 30 feet give or take indoors. Outdoors the range isn't nearly as good. But still a neat toy. Also, the build quality on them is complete shit, poor soldering and gobs of hot glue.

I hear the BIG one, for $75 or whatever, is a much better unit. It's just large as hell, more ideal for car mounting.

As a matter of fact, I chose the slow boat from China shipping.. Arrived last Friday. It will knock out my Nextel like no tomorrow, but so will a tree. It's pathetic on every other phone I've tried.- (Verizons, and Singulars) How would one go about picking the right parts to twist and tune inside it? Do you have some pics and text to explain it for a noob like me?