CCC Hackers Break DECT Telephones' Security

Sub Zero 992 writes "Heise Security (article in German) is reporting that at this year's Chaos Communications Congress (25C3) researchers in Europe's dedected.org group have published an article (PDF) showing, using a PC-Card costing only EUR 23, how to eavesdrop on DECT transmissions. There are hundreds of millions of terminals, ranging from telephones, to electronic payment terminals, to door openers, using the DECT standard." So far, the Heise article is German only, but I suspect it will show up soon in English translation. Update: 12/30 21:27 GMT by T : Reader Juha-Matti Laurio writes with the story in English. Thanks!
  • Re:I had no idea (Score:5, Informative)

    by Chep ( 25806 ) on Tuesday December 30, 2008 @09:38AM (#26267325)
    those terminals are here *everywhere* (France). Drive up to McD's, order stuff, you get handed the terminal, put your card in, punch your PIN, there you are.

    Nowadays those terminals tend to get upgraded to GPRS/EDGE though, but DECT units are still quite popular. Not for that long I guess.

    Although, snake oil wireless security is not much of a worry, if there is another layer of end-to-end crypto between the terminal and the billing&processing authority! I wouldn't bet too much on this though...

    (On the other hand, even CCC-cracked DECT is still not too bad... was appalled to see a coupla weeks ago in Geneva, they still print the whole card number and time on receipt slips... OOPS!)
  • by Anonymous Coward on Tuesday December 30, 2008 @10:11AM (#26267535)

    http://events.ccc.de/congress/2008/wiki/Streaming

  • by russotto ( 537200 ) on Tuesday December 30, 2008 @10:35AM (#26267687) Journal

    ..it appears they haven't broken the cipher, but instead managed to trick the handset and base into not enabling encryption in the first place. I'd guess (without any actual information) that it's an active attack where you intentionally interfere to force a disconnect, then trace the reconnection up to the point where encryption is requested, then fake a packet with encryption not requested (it's TDMA so you know exactly when it is going to come). For cordless phones this is a problem, but for PIN terminals and other dedicated DECT devices, it should in theory be simple to refuse to make certain non-encrypted connections or transmit sensitive data over them. However, in actual practice, nothing involving DECT is simple...

  • Heise UK (Score:5, Informative)

    by Anonymous Coward on Tuesday December 30, 2008 @11:00AM (#26267855)
  • Re:I had no idea (Score:3, Informative)

    by KillerBob ( 217953 ) on Tuesday December 30, 2008 @11:16AM (#26267975)

    Don't you have chip & pin yet? France has had it for about 15 years now, and Britain has had it for a few years.

    It's been around in Canada for about a year... my last Visa card, which expired in November, didn't have it. My current Visa card does. My current Mastercard, which was issued in December 2007, doesn't have one.

    I still sign receipts "Check ID". But I've only ever been asked once.

  • by cheftw ( 996831 ) on Tuesday December 30, 2008 @11:19AM (#26268007)

    With a souped-up ("aufgebohrte" [bohren is to drill]) laptop card for 23 euros, according to security experts, calls based on the widely used Digital Enhanced Cordless Telecommunication standard can simply be listened in on.

    Anyone who holds confidential telephone conversations had better not do so on one of the most popular cordless phones based on the DECT standard (Digital Enhanced Cordless Telecommunication). As security experts at the 25th Chaos Communication Congress (25C3) in Berlin said, such communications can easily be intercepted. All that is needed is a souped-up laptop card, actually intended for Internet telephony, for 23 euros and a Linux computer. The device had no problems intercepting long-distance DECT, since very often encryption is not activated. But even at the beginning of an encrypted information exchange, the card could pass itself off as the base and pretend to disable encryption.

    The DECT procedure, approved as a standard by the European Telecommunications Standards Institute (ETSI), is most widely used for cordless telephones. In addition, the standard is used in baby monitors, emergency call and door-opening systems, cordless EC-card devices and even in traffic management applications. The number of active DECT terminals in this country alone is put at 30 million. For the authentication of the base and the associated devices and for the encryption of data, the DECT standard uses its own crypto methods.

    The algorithms used in the devices are all kept secret from the public. The network master key is not supposed to leave it. In theory, that all sounds fine, said Erik Tews, one of the researchers from the TU Darmstadt involved in the discovery. In practice, however, there are various workarounds and attack surfaces.

    After the hackers had initially built a fairly expensive DECT sniffer with high processor performance requirements, they found, according to fellow student Andreas, "another beautiful piece of hardware" for receiving the data traffic in the ComOnAir card. After reverse engineering, replicating the circuit diagram, retrieving the firmware and soldering on some additional lines, the sniffer, usable for example from a car parked in front of a house, was completed after barely a month.

    The inventors quickly noticed, Tews went on to say, that sometimes no authentication or encryption process at all is activated between the transmitter station and the handset. Often the phone authenticates only to the network, as in the GSM cellular standard, although in principle in DECT the network could also identify itself to the receiving unit. For other devices there is a successful authentication, but without encryption. In all these cases the PCMCIA card with a special Linux driver can actively track conversations, extract the data to a storage medium and write it out so that an audio player can play it. It should thus have been possible to record any conversation in such a poorly secured DECT network.

    If the handset had encrypted conversations, the case was not much more difficult, said Tews. Using a modified driver and a script, one could pass the sniffer off as the base and, thanks to VoIP support on an Asterisk server, also redirect the data traffic. A breaking of keys had been necessary, because upon emitting a signal that encryption is not supported, communication had been converted to plaintext. "It works on all systems we have found here", the Darmstadt researchers said, underlining the vulnerability of DECT standard implementations.

    Even with the encryption system itself, the hackers found the first sticking points. According to Tews, they succeeded in reverse engineering the central DECT Standard Authentication Algorithm (DSAA) and implementing its four sub-models. A research report on the project site dedected.org documenting the findings, plus implementations and source code in the programming languages Java and C, will follow soon. The DSAA itself, however, is not yet completely broken.

    On the well-kept secret DECT Standard Cipher (DSC), according to Ralf-Philipp Weinmann of the research team, there is also still no effective attack. A paten
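
Both russotto's reading above (handset and base tricked into never enabling encryption) and the translated Heise text (calls with no authentication or ciphering at all, and a sniffer that poses as the base and claims not to support encryption) point to the same defensive control for a dedicated DECT device such as a PIN terminal: fail closed. The following is an added example, not code from the article, from the dedected.org project or from any commenter. It models a terminal-side session policy that releases sensitive data only when the base has authenticated itself and ciphering is confirmed on, and that flags a base which negotiated ciphering earlier but, after a link drop, now claims it cannot cipher. The event names and the log format are constructed for this illustration and are not real DECT message names.

```python
"""
Added example: defender-side session policy for a DECT-style terminal.
Refuses to send sensitive data over unauthenticated or unciphered links and
flags an apparent encryption downgrade across a reconnect. Event names and
log format are constructed for this illustration, not real DECT messages.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Event(Enum):
    LINK_UP = "link_up"                        # radio link (re)established
    BASE_AUTH_OK = "base_auth_ok"              # handset verified the base (mutual auth)
    CIPHER_ON = "cipher_on"                    # base confirmed ciphering is active
    CIPHER_UNSUPPORTED = "cipher_unsupported"  # base claims it cannot cipher
    LINK_DROP = "link_drop"                    # link lost, forced or otherwise
    SEND_SENSITIVE = "send_sensitive"          # application wants to send PIN/card data


@dataclass
class LinkState:
    """Trust established on the current link only; reset on every (re)connect."""
    base_authenticated: bool = False
    ciphered: bool = False


@dataclass
class BaseMemory:
    """What we remember about a base across reconnects."""
    cipher_seen: bool = False
    drops: int = 0


@dataclass
class Decision:
    base_id: str
    allowed: bool
    reason: str


class SessionPolicy:
    def __init__(self) -> None:
        self.state = LinkState()
        self.memory: Dict[str, BaseMemory] = {}
        self.alerts: List[str] = []

    def handle(self, base_id: str, event: Event) -> Optional[Decision]:
        mem = self.memory.setdefault(base_id, BaseMemory())
        if event is Event.LINK_DROP:
            mem.drops += 1
            self.state = LinkState()              # nothing is trusted after a drop
        elif event is Event.LINK_UP:
            self.state = LinkState()              # nor on a fresh link
        elif event is Event.BASE_AUTH_OK:
            self.state.base_authenticated = True
        elif event is Event.CIPHER_ON:
            self.state.ciphered = True
            mem.cipher_seen = True                # this base can cipher; remember it
        elif event is Event.CIPHER_UNSUPPORTED:
            self.state.ciphered = False
            if mem.cipher_seen:                   # it ciphered before, now it "can't"
                self.alerts.append(
                    f"{base_id}: ciphering negotiated earlier, now reported "
                    f"unsupported after {mem.drops} drop(s): possible downgrade"
                )
        elif event is Event.SEND_SENSITIVE:
            return self.decide(base_id)
        return None

    def decide(self, base_id: str) -> Decision:
        """Fail closed: both checks must hold before sensitive data leaves."""
        if not self.state.base_authenticated:
            return Decision(base_id, False, "base not authenticated")
        if not self.state.ciphered:
            return Decision(base_id, False, "link not ciphered")
        return Decision(base_id, True, "ok")


def replay(log_text: str) -> Tuple[List[Decision], List[str]]:
    """Feed '<timestamp> <base_id> <event>' lines through one policy instance."""
    policy = SessionPolicy()
    decisions: List[Decision] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, base_id, ev = line.split()
        d = policy.handle(base_id, Event(ev))
        if d is not None:
            decisions.append(d)
    return decisions, policy.alerts


# Constructed log: a normal ciphered session, then a drop and a reconnect on
# which the "base" claims it cannot cipher, then a base that never authenticates.
SAMPLE_LOG = """\
2008-12-30T09:00:01 base-A link_up
2008-12-30T09:00:02 base-A base_auth_ok
2008-12-30T09:00:03 base-A cipher_on
2008-12-30T09:00:10 base-A send_sensitive
2008-12-30T09:01:00 base-A link_drop
2008-12-30T09:01:01 base-A link_up
2008-12-30T09:01:02 base-A base_auth_ok
2008-12-30T09:01:03 base-A cipher_unsupported
2008-12-30T09:01:05 base-A send_sensitive
2008-12-30T09:05:00 base-B link_up
2008-12-30T09:05:01 base-B send_sensitive
"""

if __name__ == "__main__":
    decs, alerts = replay(SAMPLE_LOG)
    for d in decs:
        print(f"{d.base_id}: {'SEND' if d.allowed else 'REFUSE'} ({d.reason})")
    for a in alerts:
        print("ALERT", a)
```

The point of the per-base memory is that a single "encryption not supported" message is indistinguishable from a legitimately old base, but a base that ciphered five minutes ago and cannot after a drop is worth logging even though the policy refuses the transfer either way. The refusal itself does not depend on the alert, so the control still holds for a base that has never been seen ciphering.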

  • Re:Free speech! (Score:4, Informative)

    by nem75 ( 952737 ) <jens@bremmekamp.com> on Tuesday December 30, 2008 @11:41AM (#26268195)

    I'm glad Germany seems to have backed down from its anti-hacker legislation. Wasn't it last year we heard they were threatening their security experts and admins with legislation to take away even such benign utilities as password recovery tools?

    They are far from backing down. Over here security auditing and related actions are still threatened by excessive copyright protection laws (existing or in the making). As they are in the US by e.g. the DMCA.

  • Re:I had no idea (Score:4, Informative)

    by sangreal66 ( 740295 ) on Tuesday December 30, 2008 @12:13PM (#26268489)
    They can also get in trouble for accepting a card that reads "Check ID" instead of a valid signature. The merchant agreement stipulates that in these cases the cashier must check ID and have the customer sign the card in their presence. If the customer won't agree to this, the transaction should be refused. The link below is to a picture of the relative portion of Visa's acceptance criteria: http://i41.tinypic.com/v2vb49.gif [tinypic.com]
  • Re:Free speech! (Score:1, Informative)

    by Anonymous Coward on Tuesday December 30, 2008 @01:32PM (#26269215)

    German Legislative has already passed a very strict bill (Paragraph 202c StGB) in August 2007 and we have since been sourcing out certain penetration tests for our customers to freelance developers in Switzerland and Israel.

    IT industry doesn't have a lobby in Germany and legislators behave like in a third world country in this regard. (That's really crap!)

    You also might have noticed that many papers that were presented during 25C3 were not signed any more but anonymous submissions. In some oint
