very low frequency tech postings - 01 2009
jul 2009 (1)
jun 2009 (1)
jan 2009 (2)
dec 2008 (1)
oct 2008 (1)
jan 2008 (1)
oct 2007 (1)
jun 2007 (1)
feb 2007 (3)
jan 2007 (3)
nov 2006 (2)
aug 2006 (2)
jul 2006 (1)
may 2006 (1)
nov 2005 (2)
oct 2005 (1)
apr 2005 (2)
mar 2005 (2)
feb 2005 (1)
jan 2005 (1)
may 2004 (1)
jan 2004 (1)
apr 2003 (1)
jan 2003 (1)
Sun, 18 Jan 2009
the "hidden" gigaset menu and how to use it as a poor man's attacking tool
The attack is possible due to two big fuckups:
Please, get that fixed!
In this scenario the attacker still has a lot of margin. As mentioned above, directional antennas can help, but the second idea is to jam the original basestation just by radio interference. So our idea in the early stages of the project was to first implement a DECT radio jammer with the com-on-air card. But at that timeframe the com-on-air card was still a big miracle to us, and really being able to use it only started at december 4th 2008. While the com-on-air jammer is technically possible we have never gotten down to implementing it, maybe one bored day we will...
Now back to the title and jamming with gigasets:
During the 25c3 BeF from the POC showed me a litte trick you can do whith almost all Siemens gigasets (or magenta clones):
this is fun so far, but doesn't jam yet. Now for jamming re-enter the service menu (keep 1 4 7 pressed while powering on, enter 76200), and select SAR from the menu. SAR means "specific absorption rate" and is a measure of the radio emission a device creates. When selecting SAR you will end up in another menu "1 slot"/"1slot low"/"2 slot" or the like... select the "biggest" one. The menu items probably heavily depends on what your phone supports of halfslot/fullslot/longslot/doubleslot/ecomode. Finally you're confronted with another selection fLOW/fCENTER/fHIGH. Select fLOW for jamming channel 0, fCENTER for jamming channel 5, and fHIGH for jamming channel 9.
here's my measurement setup using a spectrum analyzer with a crappy GSM antenna and a recent gigaset
The gigaset guys seem to have gotten the channel/frequency mapping wrong, their fLOW is the highest DECT frequency, their fHIGH is the lowest DECT frequency; DECT channels go from 0-9 starting at the highest frequency, and channel 9 being the lowest frequency. Here's what I measure with the gigaset jammer:
Now if our attacker is lucky she find's the victim's FP in channel 0, 5 or 9. She can also wait until it jumps there. She adds a directional antenna to her crappy old gigaset, pointing to the victim's PP, and is much more efficient with the above attack.
posted in /dect | link | comments 
Tue, 06 Jan 2009
back from berlin
All-in-all we hopfully communicated that you'd better not use your cordless phone for any purpose. If you try to resist feel yourself manipulated by what you read here, and better know: they're all listening!
Now one of our main intents and expectations from what we did is that we all can buy really secure cordless phones within a year from today in our favorite supermarket.
the (probably incomplete) catalogue of demands to the DECT industry includes:
DECT is just another proof that security by obscurity does not work. So much of CCC's work ends up just in this one mantra "security by obscurity does not work". So now everybody stand up and say it loud "security by obscurity does not work".
back to the fun part of Berlin's visit:
a dect-sniffer in Berlin, still hiding behind the balustrade
a dect-sniffer in front of the chinese embassy, I do admit they have the better antennas (top right)
a dect-sniffer not so much hiding in Berlin on Jannowitzbruecke, heading for 25c3
This time I went to Berlin by ICE, the fast german trains. And those trains run some kind of DECT installations, I saw three basestations in both of the ICEs going to Berlin and back, and they had sequential RFPI numbers.
The board personel seems to use the installation for communication using normal handsets, the recordings show B-fields in normal fullslots, and no encryption. But then exactly at the moment an announcement over the ICE speakers started, my tools began recording a new pcap file with double-slots.
So seemingly the ICE board speakers can be controlled using DECT, and the audio is some kind of high quality wideband audio codec which is being transported in DECT doubleslots, i.e. using twice the bandwidth of normal DECT calls.
As of now our tools only support one type of audio codec, the widespread G.721/G.726 ADPCM codec. So if you're into codecs or the DECT story, get the file
and try your best to get some audible fragments out of it. This will only work like 50%, as our driver firmware currently cuts off reception after the length of a fullslot. So if you want to contribute, try to get that running, this would be a high motivation for us to really support doubleslots in the firmware, too.
To read the DECT standard in all of its glory go to ETSI.org, register by email, and download all EN 300 175-[1-8] standards.
Update: Not all ICEs have such high quality wideband audio DECT doubleslot installations. Some announcements come in crappy telephone quality:
posted in /dect | link | comments