Havoc

DECT eavesdropping possible

14 posts in this topic

I'm amazed

http://events.ccc.de/congress/2008/Fahrpla...ts/2937.en.html

https://dedected.org/cgi-bin/trac.cgi/attac....pdf?format=raw

http://www.heise-online.co.uk/security/25C...y--/news/112326

According to the researchers, all that's required is a souped-up 23-euro VoIP laptop card and a Linux computer. This setup has no difficulty in intercepting DECT conversations if, as is frequently the case, encryption is not activated. Even where data transfer is initially encrypted, the card is able to deactivate the encryption by pretending to be a base station...the goal of creating a sniffer that could be used from a car parked in front of a house, was achieved...PCMCIA card was, using a special Linux driver, able to eavesdrop on conversations, extract and write data to a storage medium and forward this data to an audio player. In such poorly secured DECT networks, it was possible to record every telephone conversation which took place.

some of you may recall that I have a bunch of these PCMCIA cards: something like 5 type III and 2 type II, and all other ISDN/DECT equipment including DECT wireless LAN hardware

I do hope to see my cards in action as DECT is very common and popular here in Europe


Wow, that almost seems too easy. Tell us how your adventures go, I'm curious to see actual results.


A friend of mine was playing with this yesterday. Yes it is very easy. Also not out yet is the code to run a false base station, so if you tunnel it out over an Asterisk box, the person will never know. Anyway, back to topic: the codec chosen isn't exactly the one they need, it produces an extremely "tinny" output and so words are completely indeterminable. Anyone got any suggestions? (We've tried slowing the speech down and changing the pitch rate; it makes very little difference.)

RP


If you haven't already, try setting the codec to g.726. I've heard it's pretty popular with a lot of DECT phones, especially Panasonic ones.

EDIT: Okay, well, I'm a noob. G.726 is standard for DECT.

Edited by ThoughtPhreaker
I believe DECT uses the G.726 codec. There are different encoding schemes, or just implementations, of G.726... I saw what you describe in some VoIP deployments.

Does anyone know if these PCMCIA cards support DECT 6.0, which is the North American variant on a slightly different frequency?

It is in fact off by 10 Hz.

Erm, were you thinking of another specification?

From Wikipedia:

Some DECT properties:

  • Audio codec: G.726
  • Net bit rate: 32 kbit/s
  • Frequency: 1880 MHz–1900 MHz in Europe, 1920 MHz–1930 MHz in the US
  • Carriers: 10 (1,728 kHz spacing) in Europe, 5 (1,728 kHz spacing) in the US
  • Time slots: 2 x 12 (up and down stream)
  • Channel allocation: dynamic
  • Average transmission power: 10 mW (250 mW peak) in Europe, 4 mW (100 mW peak) in the US

Also, if someone figures out a way to crack the base code (and they will, there's always someone out there who wants a free call or to wreak havoc or something), can you think of the potential this would have? It'd be great for phonetripping in areas where payphones have been decimated. Seriously, if DECT 6.0 is supported, it'd be like wifi in 2005; plenty of APs, none of them secure, like, ever.

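Worked arithmetic on the figures in that list, added here as an example; it is not code from the thread, from dedected or from any poster. The band edges, 1.728 MHz spacing, carrier counts, 2 x 12 slots, G.726 and 32 kbit/s come from the list above. Everything else is an assumption taken from the ETSI DECT base standard (EN 300 175) and is not stated in the thread: 1152 kbit/s on air, a 10 ms frame, 480-bit full slots with a 320-bit B-field, EU carrier c centred at 1897.344 - 1.728*c MHz and US (DECT 6.0) carrier c at 1921.536 + 1.728*c MHz. The last function addresses RP's "tinny" audio: wrong nibble order when unpacking 4-bit G.726 codes is one common cause of that symptom, which is an assumption about his setup, not something the thread establishes.

```python
"""DECT air-interface arithmetic (added example, not from the thread)."""
from fractions import Fraction

SPACING_MHZ = Fraction(1728, 1000)  # exact 1.728 MHz, so steps never drift

BANDS = {
    # base carrier, numbering direction, carrier count, regulatory band edges
    # (base carriers are an assumption from ETSI EN 300 175-2)
    "EU": dict(base=Fraction(1897344, 1000), step=-1, carriers=10, edges=(1880, 1900)),
    "US": dict(base=Fraction(1921536, 1000), step=+1, carriers=5, edges=(1920, 1930)),
}

AIR_BIT_RATE = 1_152_000          # bit/s on air (assumption, ETSI)
FRAME_SECONDS = Fraction(1, 100)  # 10 ms TDMA frame (assumption, ETSI)
SLOTS_PER_FRAME = 24              # 2 x 12 slots from the list above
B_FIELD_BITS = 320                # voice payload per full slot (assumption, ETSI)
G726_BITS_PER_SAMPLE = 4          # 32 kbit/s G.726 uses 4-bit codes
AUDIO_SAMPLE_RATE = 8000          # Hz, narrowband telephony


def carrier_mhz(region, c):
    """Centre frequency of carrier c in the given region, as an exact Fraction of MHz."""
    b = BANDS[region]
    if not 0 <= c < b["carriers"]:
        raise ValueError(f"{region} has carriers 0..{b['carriers'] - 1}")
    f = b["base"] + b["step"] * c * SPACING_MHZ
    lo, hi = b["edges"]
    assert lo < f < hi, "every carrier must sit inside its regulatory band"
    return f


def carrier_table(region):
    """All carrier centre frequencies for a region, in carrier-number order."""
    return [carrier_mhz(region, c) for c in range(BANDS[region]["carriers"])]


def classify(freq_mhz):
    """Map an RF centre frequency to (region, carrier); None if it is not a DECT carrier."""
    f = Fraction(str(freq_mhz))
    for region in BANDS:
        for c, fc in enumerate(carrier_table(region)):
            if f == fc:
                return region, c
    return None


def eu_us_gap_mhz():
    """Distance from the highest EU carrier to the lowest US carrier."""
    return min(carrier_table("US")) - max(carrier_table("EU"))


def slot_bits():
    """Bits on air per full slot, derived from bit rate, frame length and slot count."""
    return AIR_BIT_RATE * FRAME_SECONDS / SLOTS_PER_FRAME


def bearer_net_kbps():
    """Net payload rate of one B-field bearer (one frame carries one B-field per slot)."""
    return B_FIELD_BITS / FRAME_SECONDS / 1000


def samples_per_frame():
    """G.726 samples carried by one B-field."""
    return B_FIELD_BITS // G726_BITS_PER_SAMPLE


def audio_seconds_per_frame():
    """Audio duration one B-field carries; equals FRAME_SECONDS only if codec and slot match."""
    return Fraction(samples_per_frame(), AUDIO_SAMPLE_RATE)


def unpack_g726(payload, high_nibble_first=True):
    """Split packed 4-bit G.726 codes out of B-field bytes.

    Which nibble is sent first is a property of the capture/packing tool, not of
    G.726 itself, so both orders are offered; decoding with the wrong one yields
    audio of the right length but badly distorted content.
    """
    codes = []
    for byte in payload:
        hi, lo = byte >> 4, byte & 0x0F
        codes.extend((hi, lo) if high_nibble_first else (lo, hi))
    return codes


if __name__ == "__main__":
    print("EU carriers MHz:", [float(f) for f in carrier_table("EU")])
    print("US carriers MHz:", [float(f) for f in carrier_table("US")])
    print("gap from EU band to US band, MHz:", float(eu_us_gap_mhz()))
    print("bits per slot:", slot_bits(), "net kbit/s per bearer:", bearer_net_kbps())
    print("samples per frame:", samples_per_frame(),
          "audio seconds per frame:", audio_seconds_per_frame())
```

Running it shows the two regional bands are about 24 MHz apart, not 10 Hz, which is why a card built for the 1880-1900 MHz band cannot simply be retuned to DECT 6.0 by a trim adjustment. It also shows that 320 B-field bits per 10 ms frame is exactly 32 kbit/s, and that 80 four-bit G.726 codes at 8 kHz are exactly 10 ms of audio, so the standard codec fills a full slot with nothing to spare.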

Just grab one of THESE, then the phone you're trying to eavesdrop on will walk out of a door looking for reception. Easy enough?

oh I've got to get one of those!

EDIT:

for 30 bucks.. I went ahead and ordered one. Will let you know how it works..

Edited by PurpleJesus

PurpleJesus, I hope you didn't use express shipping, as that's the one that goes through customs :X

As far as how well they work, you need to tune them because they ship tuned to overseas frequencies. Get a small jeweler's screwdriver and take off the metal case (make sure to pull the button out first; I broke my first one that way).

The range, when tuned, is about 30 feet give or take indoors. Outdoors the range isn't nearly as good. But still a neat toy. Also, the build quality on them is complete shit, poor soldering and gobs of hot glue.

I hear the BIG one, for $75 or whatever, is a much better unit. It's just large as hell, more ideal for car mounting.

As a matter of fact, I chose the slow boat from China shipping.. Arrived last Friday. It will knock out my Nextel like no tomorrow, but so will a tree. It's pathetic on every other phone I've tried (Verizon's and Cingular's). How would one go about picking the right parts to twist and tune inside it? Do you have some pics and text to explain it for a noob like me?
