maZZoo's blog
very low frequency tech postings
Sun, 18 Jan 2009

the "hidden" gigaset menu and how to use it as a poor man's attacking tool

before I get into the above title, let's step back and let me drop a few words about our very first practical attack against DECT.

impersonating a FP (basestation)

In the DECT standard a mutual authentication between PP (portable part, the "phone") and FP (fixed part, the basestation) is foreseen, but it is optional. In all cases we have examined only the PP is authenticated by the FP, but not vice versa. That means an FP can be sure which PP it is talking to, but a PP is left blind as to whether the basestation is really the one it was once shipped with.
  1. think of a victim's PP which ran out of batteries, is switched off or out of radio range
  2. the victim's FP will still broadcast its identity, the RFPI (radio fixed part identifier)
  3. the attacker takes another FP of her choice and modifies it to broadcast the victim's RFPI
  4. the attacker modifies her FP to accept any PP without authentication
  5. the victim's PP comes back (batteries loaded, switched on or comes into radio range)
  6. the victim's PP will try to find its known FP by RFPI and probably chooses either the first one seen, or the strongest radio signal
  7. in case the victim's PP decides to use the attacker's FP, the victim has lost. All outgoing calls will be sent over the attacker's FP
  8. in case the victim's PP hears both FPs equally loud, the attacker's chance to succeed is 50% (and directional antennas help)
The attack was proven to be practical in spring 2008. Any further details or implementations weren't and won't be released by the team.

The attack is possible due to two big fuckups:
  1. the DECT standard enforces that a PP will always accept unauthenticated/unencrypted FPs/calls. Even if a PP usually does all possible authentications and encryptions, it will fall to the attacker, as she accepts the victim's PP without all those bells and whistles
  2. the DECT manufacturers seemingly never implemented mutual authentication, at least for what we have examined

Please, get that fixed!
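To make the asymmetry concrete, here is a toy model of the pairing decision, added here as an example and not code from the blog or from the DECT team. HMAC-SHA256 stands in for the real DECT authentication algorithm (DSAA), the RFPI and subscription key are constructed, and the class and function names are mine. It shows a PP that checks nothing but the broadcast RFPI (as fielded products do) beside a PP that also challenges the FP on the shared subscription key, which is the optional mutual authentication the post asks manufacturers to turn on.

```python
"""Toy model of the DECT authentication asymmetry described above.

Added example, not from the post. HMAC-SHA256 is a stand-in for the DECT
authentication algorithm; identifiers and keys are constructed. The FP
authenticates the PP by challenge/response on the shared user authentication
key (UAK). A PP that only checks the RFPI cannot tell a genuine FP from one
that merely copies the RFPI and waves every PP through; a PP that also
challenges the FP rejects the copy, because it does not know the UAK.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


def auth_response(key: bytes, challenge: bytes) -> bytes:
    """Stand-in for the DECT authentication algorithm: keyed MAC of a challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


@dataclass
class FixedPart:
    rfpi: bytes                   # identity broadcast in the clear; anyone can copy it
    uak: Optional[bytes]          # shared key from subscription; None = FP without it
    accept_unauthenticated: bool = False  # "accept any PP" setting (step 4 above)

    def verify_pp(self, challenge: bytes, response: bytes) -> bool:
        if self.accept_unauthenticated:
            return True           # any PP is welcome, no key needed
        return self.uak is not None and hmac.compare_digest(
            auth_response(self.uak, challenge), response)

    def answer_pp_challenge(self, challenge: bytes) -> bytes:
        if self.uak is None:
            return secrets.token_bytes(32)   # without the UAK it can only guess
        return auth_response(self.uak, challenge)


@dataclass
class PortablePart:
    subscribed_rfpi: bytes
    uak: bytes
    require_fp_auth: bool         # mutual authentication, optional in the standard

    def attach(self, fp: FixedPart) -> bool:
        # 1. identity check: nothing but the RFPI heard on the air
        if fp.rfpi != self.subscribed_rfpi:
            return False
        # 2. FP authenticates PP (what fielded products do)
        c1 = secrets.token_bytes(8)
        if not fp.verify_pp(c1, auth_response(self.uak, c1)):
            return False
        # 3. PP authenticates FP (what fielded products skip)
        if self.require_fp_auth:
            c2 = secrets.token_bytes(8)
            if not hmac.compare_digest(fp.answer_pp_challenge(c2),
                                       auth_response(self.uak, c2)):
                return False
        return True


def run_scenario(require_fp_auth: bool) -> dict:
    """Which FPs does the PP attach to, with or without FP authentication?"""
    rfpi = bytes.fromhex("0011223344")        # constructed 40-bit RFPI
    uak = secrets.token_bytes(16)              # constructed subscription key
    genuine = FixedPart(rfpi=rfpi, uak=uak)
    copycat = FixedPart(rfpi=rfpi, uak=None, accept_unauthenticated=True)
    pp = PortablePart(subscribed_rfpi=rfpi, uak=uak, require_fp_auth=require_fp_auth)
    return {"genuine": pp.attach(genuine), "copycat": pp.attach(copycat)}


if __name__ == "__main__":
    print("one-way auth:", run_scenario(require_fp_auth=False))
    print("mutual auth: ", run_scenario(require_fp_auth=True))
```

With `require_fp_auth=False` both basestations are accepted, which is the situation the post describes; with it set, only the FP that can answer the PP's challenge gets through. The copy of the RFPI alone buys nothing once the PP insists on step 3.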

In this scenario the attacker still has a lot of margin. As mentioned above, directional antennas can help, but the second idea is to jam the original basestation by plain radio interference. So our idea in the early stages of the project was to first implement a DECT radio jammer with the com-on-air card. But at that time the com-on-air card was still a big mystery to us, and really being able to use it only started on December 4th 2008. While the com-on-air jammer is technically possible we have never gotten around to implementing it, maybe one bored day we will...

Now back to the title and jamming with gigasets:
During the 25c3 BeF from the POC showed me a little trick you can do with almost all Siemens gigasets (or magenta clones):

switch off your gigaset.
press 1 4 7 simultaneously and keep them pressed while powering on again

(no picture)
now by pressing random numbers you will get some nice screen or display tests, which heavily depend on the model you have.
now restart, switch the gigaset off and on again, keeping 1 4 7 pressed, and once the [service] screen shows up, enter 76200. This will lead you to the service menu.
here you can do various stuff, such as reading the IPUI and SW version. Interesting is the "Metering mode".
on the right you see

090 : RSSI value of the FP
1 : channel number (0-9)
01 : timeslot number (0-11)
16H : least significant byte of the RFPI
100 : 100-bit error rate in %

this is fun so far, but doesn't jam yet. Now for jamming re-enter the service menu (keep 1 4 7 pressed while powering on, enter 76200), and select SAR from the menu. SAR means "specific absorption rate" and is a measure of the radio emission a device creates. When selecting SAR you will end up in another menu "1 slot"/"1slot low"/"2 slot" or the like... select the "biggest" one. The menu items probably depend heavily on what your phone supports of halfslot/fullslot/longslot/doubleslot/ecomode. Finally you're confronted with another selection fLOW/fCENTER/fHIGH. Select fLOW for jamming channel 0, fCENTER for jamming channel 5, and fHIGH for jamming channel 9.

here's my measurement setup using a spectrum analyzer with a crappy GSM antenna and a recent gigaset

The gigaset guys seem to have gotten the channel/frequency mapping wrong, their fLOW is the highest DECT frequency, their fHIGH is the lowest DECT frequency; DECT channels go from 0-9 starting at the highest frequency, and channel 9 being the lowest frequency. Here's what I measure with the gigaset jammer:

Now if our attacker is lucky she finds the victim's FP in channel 0, 5 or 9. She can also wait until it jumps there. She adds a directional antenna to her crappy old gigaset, pointing to the victim's PP, and is much more efficient with the above attack.
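For checking a spectrum analyzer reading against the channel numbers, here is the DECT carrier table with the Gigaset SAR-menu labels mapped onto it, added as an example and not code from the post. The carrier formula is the one in ETSI EN 300 175-2 (f_c = 1897.344 MHz - c * 1.728 MHz for carrier c = 0..9, so carrier 0 is the top of the band); the fLOW/fCENTER/fHIGH to channel mapping is taken from the post's description of the menu, and the helper names are mine. It makes the inversion the post points out checkable: fLOW lands on the highest frequency, fHIGH on the lowest.

```python
"""DECT carrier table plus the Gigaset SAR-mode label mapping described above.

Added example, not from the post. Carrier formula per ETSI EN 300 175-2;
label -> channel mapping per the post's reading of the service menu.
"""
from typing import Optional

F0_MHZ = 1897.344        # carrier 0, top of the DECT band
SPACING_MHZ = 1.728      # carrier spacing
NUM_CARRIERS = 10        # carriers 0..9


def carrier_mhz(channel: int) -> float:
    """Centre frequency of DECT carrier `channel` (0..9) in MHz."""
    if not 0 <= channel < NUM_CARRIERS:
        raise ValueError(f"DECT carriers are 0..{NUM_CARRIERS - 1}, got {channel}")
    return round(F0_MHZ - channel * SPACING_MHZ, 3)


def carrier_table() -> dict:
    """All ten carriers, channel -> MHz."""
    return {c: carrier_mhz(c) for c in range(NUM_CARRIERS)}


# Channel each SAR-menu label transmits on, as stated in the post.
GIGASET_SAR_CHANNEL = {"fLOW": 0, "fCENTER": 5, "fHIGH": 9}


def sar_label_frequency_mhz(label: str) -> float:
    """Frequency the Gigaset emits on for a given SAR-menu label."""
    return carrier_mhz(GIGASET_SAR_CHANNEL[label])


def label_matches_frequency_order(label: str) -> bool:
    """Does the label's wording agree with where its carrier sits in the band?

    fLOW selects carrier 0, which is the highest DECT frequency, so this is
    False for fLOW and fHIGH: the menu labels channel numbers, not frequency.
    """
    f = sar_label_frequency_mhz(label)
    freqs = carrier_table().values()
    if label == "fLOW":
        return f == min(freqs)
    if label == "fHIGH":
        return f == max(freqs)
    return True  # fCENTER is in the middle either way


def nearest_carrier(measured_mhz: float,
                    tolerance_mhz: float = SPACING_MHZ / 2) -> Optional[int]:
    """Map a peak read off a spectrum analyzer to a DECT carrier.

    Returns None when the peak is farther than half a carrier spacing from
    every DECT carrier, i.e. outside the band.
    """
    best = min(range(NUM_CARRIERS),
               key=lambda c: abs(carrier_mhz(c) - measured_mhz))
    if abs(carrier_mhz(best) - measured_mhz) > tolerance_mhz:
        return None
    return best


if __name__ == "__main__":
    for label in GIGASET_SAR_CHANNEL:
        print(f"{label:8s} -> channel {GIGASET_SAR_CHANNEL[label]} "
              f"= {sar_label_frequency_mhz(label)} MHz "
              f"(label wording agrees: {label_matches_frequency_order(label)})")
```

Reading a peak at, say, 1888.7 MHz off the analyzer and feeding it to `nearest_carrier` gives channel 5, which is what the fCENTER setting should produce; a peak near 1897.3 MHz is channel 0, the one the menu calls fLOW.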

3 writebacks


Jack wrote
what the manufacturer of the spectrum
mazzoo wrote

Jack wrote
why not?
"Any further details or implemetaions weren't and won't be released by the team."

