very low frequency tech postings - dect/25c3_aftermath.writeback
Tue, 06 Jan 2009back from berlin
For the first time in almost a decade I contributed more than "being there and having fun" to the annual CCC conference in Berlin. We held a talk on DECT, the out-of-the-box-it-works standard for cordless home phones, being widely spread in Europe an Asia.
We could show that pretty much of the phones out there are completely unencrypted, and can be intercepted by a 20Euro Laptop card, and a linux driver and toolset that krater and I hacked up within the last months. On top of this the cryptographers of our team could show up various weaknesses in the remaining encrypted setups:
All-in-all we hopfully communicated that you'd better not use your cordless phone for any purpose. If you try to resist feel yourself manipulated by what you read here, and better know: they're all listening!
Now one of our main intents and expectations from what we did is that we all can buy really secure cordless phones within a year from today in our favorite supermarket.
the (probably incomplete) catalogue of demands to the DECT industry includes:
DECT is just another proof that security by obscurity does not work. So much of CCC's work ends up just in this one mantra "security by obscurity does not work". So now everybody stand up and say it loud "security by obscurity does not work".
back to the fun part of Berlin's visit:
a dect-sniffer in Berlin, still hiding behind the balustrade
a dect-sniffer in front of the chinese embassy, I do admit they have the better antennas (top right)
a dect-sniffer not so much hiding in Berlin on Jannowitzbruecke, heading for 25c3
This time I went to Berlin by ICE, the fast german trains. And those trains run some kind of DECT installations, I saw three basestations in both of the ICEs going to Berlin and back, and they had sequential RFPI numbers.
The board personel seems to use the installation for communication using normal handsets, the recordings show B-fields in normal fullslots, and no encryption. But then exactly at the moment an announcement over the ICE speakers started, my tools began recording a new pcap file with double-slots.
So seemingly the ICE board speakers can be controlled using DECT, and the audio is some kind of high quality wideband audio codec which is being transported in DECT doubleslots, i.e. using twice the bandwidth of normal DECT calls.
As of now our tools only support one type of audio codec, the widespread G.721/G.726 ADPCM codec. So if you're into codecs or the DECT story, get the file
and try your best to get some audible fragments out of it. This will only work like 50%, as our driver firmware currently cuts off reception after the length of a fullslot. So if you want to contribute, try to get that running, this would be a high motivation for us to really support doubleslots in the firmware, too.
To read the DECT standard in all of its glory go to ETSI.org, register by email, and download all EN 300 175-[1-8] standards.
Update: Not all ICEs have such high quality wideband audio DECT doubleslot installations. Some announcements come in crappy telephone quality: