CCC Hackers Break DECT Telephones' Security

Sub Zero 992 writes "Heise Security (article in German) is reporting that at this year's Chaos Communications Congress (25C3) researchers in Europe's dedected.org group have published an article (PDF) showing, using a PC-Card costing only EUR 23, how to eavesdrop on DECT transmissions. There are hundreds of millions of terminals, ranging from telephones, to electronic payment terminals, to door openers, using the DECT standard." So far, the Heise article's German only, but I suspect will show up soon in English translation. Update: 12/30 21:27 GMT by T : Reader Juha-Matti Laurio writes with the story in English. Thanks!

Free speech!

[Anonymous Coward]

In Soviet America, they wouldn't be allowed to publish this.

Re:I had no idea

[uffe_nordholm]

Unfortunately I don't think it the geeks thinking like you do who are the problem. I think the problem is the managers who make decisions based on what can be sold to the public, as long as the public doesn't find out some small dark secret...

As for me, I consider wireless communication insecure, but I don't always bother about it. It boils down to a balance of potential damage and cost (not only money but also time/impracticality...) of securing the communication.

Re:Hey Faggots

[Anonymous Coward]

Why someone who consider us insignificant would hate us?</justSaying>

Failbait.

Re:I had no idea

[sxpert]

hmm. last I checked, bankers didn't really care, as long as the people using their services thought their transactions were "secure"

The difference is simple

[aepervius]

Wired imply physical access, possibly leaving trace either in software or in hardware. If you leave trace you are therefore detectable and vulnerable yourself to be caught. Wireless on the other hand is another worm. You can read the comms without anyone knowing you ever accessed to it. And even if it is only from 5ft away, you can hide the material and it not be visible on you particularly on public place. Which is why hell break loose on any widely publicly used wireless communication is proved to be vulnerable to heavesdropping, whereas comms where you have to physically have access don#t do so much.

Re:I had no idea

[jonbryce]

No, because while they are swiping it, they can also take a clone copy of the card to sell to criminals. At least that's what happens in Britain, and for that reason we are advised not to let our cards be taken out of sight.

Don't you have chip & pin yet? France has had it for about 15 years now, and Britain has had it for a few years.

Re:I had no idea

[Archangel Michael]

"Personally I find it scary that people consider 'wired' communications to be 'secure' by default."

No, you misunderstand. Nothing is "secure". It is a grades of security. In this case, wired communication is MORE secure than wireless.

Anyone suggesting perfect security is either a fool, selling something, or a liar ... or all three.

Re:Clipper chip

[Kadin2048]

The Clipper chip concept, as applied to telephones, had several big issues. First (as someone else points out), the mere existence of Law Enforcement / NSA keys, held somewhere in a vault, is a security risk. Those keys could leak at some point, and then the entire infrastructure is worse than useless.

Second, a lot of privacy-minded, government-distrusting people saw the situation Clipper would create as being worse than having no security at all. At least with insecure POTS phones, people of average intelligence get that they're insecure, and can be eavesdropped on pretty easily by both law enforcement and determined third parties with access to the building wiring closet or telephone company switching center. This leads to a demand for secure-communication products (ranging from free products like PGPfone and Zfone, to devices like the Sectera aimed at commercial users), demand which would not exist in an environment where every phone had a Clipper installed.

Put bluntly, the current situation (where "no security" is the default) allows -- some would say forces -- users who have a mild need for security, for instance just enough to prevent casual interception, to buy aftermarket products. These purchases keep a thriving non-governmental security industry going, and essentially subsidize the relatively small number of people who really need security not only from casual interception but from the government as well.

If you take on premise, as I and a fair number of other people do, that it's a Good Thing to have the ability to communicate without being spied on by your government (this is outside whether you personally actually think you need it, much less take advantage of it; just that the capability is there if you for some reason wanted to), then Clipper would have been a disaster. The only way it looks like a good idea is if you negate completely the value of having communication channels free of government backdoors (or even better, if you consider the elimination of any channels free from government snooping to be a net positive), which if it was borderline defensible in 1994 seems truly insane today.