DECT eavesdropping possible


13 replies to this topic

#1 Havoc

Havoc

    "I Hack, therefore, I am"

  • Agents of the Revolution
  • 923 posts
  • Country:
  • Gender:Male
  • Location:Poland

Posted 05 January 2009 - 01:39 PM

I'm amazed

http://events.ccc.de...ts/2937.en.html

https://dedected.org....pdf?format=raw

http://www.heise-onl...y--/news/112326

According to the researchers, all that's required is a souped-up 23-euro VoIP laptop card and a Linux computer. This setup has no difficulty in intercepting DECT conversations if, as is frequently the case, encryption is not activated. Even where data transfer is initially encrypted, the card is able to deactivate the encryption by pretending to be a base station...the goal of creating a sniffer that could be used from a car parked in front of a house, was achieved...PCMCIA card was, using a special Linux driver, able to eavesdrop on conversations, extract and write data to a storage medium and forward this data to an audio player. In such poorly secured DECT networks, it was possible to record every telephone conversation which took place.


Some of you may recall that I have a bunch of these PCMCIA cards: something like 5 type III and 2 type II, and all other ISDN/DECT equipment including DECT wireless LAN hardware.

I do hope to see my cards in action, as DECT is very common and popular here in Europe.

#2 trunk

trunk

    Will I break 10 posts?

  • Members
  • 6 posts
  • Location:Vermont

Posted 05 January 2009 - 04:24 PM

Nice link

#3 PhreakerD7

PhreakerD7

    SUPR3M3 31337 Mack Daddy P1MP

  • Agents of the Revolution
  • 375 posts
  • Location:Using your phone line

Posted 05 January 2009 - 04:41 PM

Wow, that almost seems too easy. Tell us how your adventures go, I'm curious to see actual results.

#4 radio_phreak

radio_phreak

    SUP3R 31337

  • Members
  • 153 posts
  • Country:
  • Gender:Male
  • Location:In my Telecommando lair

Posted 06 January 2009 - 01:00 AM

A friend of mine was playing with this yesterday. Yes, it is very easy. Also not out yet is the code to run a false base station, so if you tunnel it out over an Asterisk box, the person will never know. Anyway, back to topic: the codec chosen isn't exactly the one they need; it produces an extremely "tinny" output and so words are completely indeterminable. Anyone got any suggestions? (We've tried slowing the speech down and changing the pitch rate; it makes very little difference.)

RP

#5 ThoughtPhreaker

ThoughtPhreaker

    BinRev veteran

  • Members
  • 1,218 posts
  • Gender:Male

Posted 08 January 2009 - 01:18 AM

If you haven't already, try setting the codec to g.726. I've heard it's pretty popular with a lot of DECT phones, especially Panasonic ones.

EDIT: Okay, well, I'm a noob. G.726 is standard for DECT.

Edited by ThoughtPhreaker, 08 January 2009 - 11:28 AM.


#6 Andre van dem Helge

Andre van dem Helge

    mad 1337

  • Members
  • 135 posts

Posted 13 January 2009 - 02:49 AM

A friend of mine was playing with this yesterday. Yes, it is very easy. Also not out yet is the code to run a false base station, so if you tunnel it out over an Asterisk box, the person will never know. Anyway, back to topic: the codec chosen isn't exactly the one they need; it produces an extremely "tinny" output and so words are completely indeterminable. Anyone got any suggestions? (We've tried slowing the speech down and changing the pitch rate; it makes very little difference.)

RP



I believe DECT uses the G726 codec. There are different encoding schemes or just implementations of G726... I saw what you describe in some VoIP deployments.

Does anyone know if these PCMCIA cards support DECT 6.0, which is the North American variant on a slightly different frequency?

#7 IndexPhinger

IndexPhinger

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 481 posts
  • Country:
  • Gender:Male
  • Location:192.168.0.254

Posted 18 January 2009 - 02:22 PM

A friend of mine was playing with this yesterday. Yes, it is very easy. Also not out yet is the code to run a false base station, so if you tunnel it out over an Asterisk box, the person will never know. Anyway, back to topic: the codec chosen isn't exactly the one they need; it produces an extremely "tinny" output and so words are completely indeterminable. Anyone got any suggestions? (We've tried slowing the speech down and changing the pitch rate; it makes very little difference.)

RP



I believe DECT uses the G726 codec. There are different encoding schemes or just implementations of G726... I saw what you describe in some VoIP deployments.

Does anyone know if these PCMCIA cards support DECT 6.0, which is the North American variant on a slightly different frequency?

It is in fact off by 10 Hz.

#8 ThoughtPhreaker

ThoughtPhreaker

    BinRev veteran

  • Members
  • 1,218 posts
  • Gender:Male

Posted 20 January 2009 - 04:04 AM

It is in fact off by 10 Hz.


Erm, were you thinking of another specification?

From Wikipedia:

Some DECT properties:

  • Audio codec: G.726
  • Net bit rate: 32 kbit/s
  • Frequency: 1880 MHz–1900 MHz in Europe, 1920 MHz–1930 MHz in the US
  • Carriers: 10 (1,728 kHz spacing) in Europe, 5 (1,728 kHz spacing) in the US
  • Time slots: 2 x 12 (up and down stream)
  • Channel allocation: dynamic
  • Average transmission power: 10 mW (250 mW peak) in Europe, 4 mW (100 mW peak) in the US

Also, if someone figures out a way to crack the base code (and they will, there's always someone out there who wants a free call or to wreak havoc or something), can you think of the potential this would have? It'd be great for phonetripping in areas where payphones have been decimated. Seriously, if DECT 6.0 is supported, it'd be like wifi in 2005; plenty of APs, none of them secure, like, ever.

#9 Havoc

Havoc

    "I Hack, therefore, I am"

  • Agents of the Revolution
  • 923 posts
  • Country:
  • Gender:Male
  • Location:Poland

Posted 20 January 2009 - 12:59 PM

It's very easy to use Google and not only Wikipedia; an example:

http://wireless.per....lephon/dect.htm

#10 R4p1d

R4p1d

    Hakker addict

  • Members
  • 840 posts
  • Country:
  • Gender:Not Telling
  • Location:Space

Posted 21 January 2009 - 04:13 AM

Just grab one of THESE, then the phone you're trying to eavesdrop on will walk out of a door looking for reception. Easy enough?

#11 PurpleJesus

PurpleJesus

    Dangerous free thinker

  • Members
  • 1,578 posts
  • Gender:Male
  • Location:800

Posted 21 January 2009 - 10:28 AM

Just grab one of THESE, then the phone you're trying to eavesdrop on will walk out of a door looking for reception. Easy enough?


oh I've got to get one of those!

EDIT:
For $30 bucks... I went ahead and ordered one. Will let you know how it works...

Edited by PurpleJesus, 21 January 2009 - 10:59 AM.


#12 Andre van dem Helge

Andre van dem Helge

    mad 1337

  • Members
  • 135 posts

Posted 01 February 2009 - 07:01 PM

Talking about DECT I just found out recently there's a DECT cordless phone that can be installed in my car. How cool is that?

http://www.bimmerboa...ms/posts/410125

#13 savant

savant

    SUPR3M3 31337 Mack Daddy P1MP

  • Agents of the Revolution
  • 368 posts
  • Gender:Male
  • Location:408

Posted 16 February 2009 - 07:19 PM

PurpleJesus, I hope you didn't use express shipping, as that's the one that goes through customs :X

As far as how well they work, you need to tune them because they ship tuned to overseas frequencies. Get a small jeweler's screwdriver and take off the metal case (make sure to pull the button out first; I broke my first one that way).

The range, when tuned, is about 30 feet give or take indoors. Outdoors the range isn't nearly as good. But still a neat toy. Also, the build quality on them is complete shit, poor soldering and gobs of hot glue.

I hear the BIG one, for $75 or whatever, is a much better unit. It's just large as hell, more ideal for car mounting.

#14 PurpleJesus

PurpleJesus

    Dangerous free thinker

  • Members
  • 1,578 posts
  • Gender:Male
  • Location:800

Posted 16 February 2009 - 10:06 PM

PurpleJesus, I hope you didn't use express shipping, as that's the one that goes through customs :X

As far as how well they work, you need to tune them because they ship tuned to overseas frequencies. Get a small jeweler's screwdriver and take off the metal case (make sure to pull the button out first; I broke my first one that way).

The range, when tuned, is about 30 feet give or take indoors. Outdoors the range isn't nearly as good. But still a neat toy. Also, the build quality on them is complete shit, poor soldering and gobs of hot glue.

I hear the BIG one, for $75 or whatever, is a much better unit. It's just large as hell, more ideal for car mounting.


As a matter of fact, I chose the slow-boat-from-China shipping... Arrived last Friday. It will knock out my Nextel like no tomorrow, but so will a tree. It's pathetic on every other phone I've tried (Verizons and Cingulars). How would one go about picking the right parts to twist and tune inside it? Do you have some pics and text to explain it for a noob like me?




BinRev is hosted by the great people at Lunarpages!