CCC Hackers Break DECT Telephones' Security 116
Sub Zero 992 writes "Heise Security (article in German) is reporting that at this year's Chaos Communications Congress (25C3) researchers in Europe's dedected.org group have published an article (PDF) showing, using a PC-Card costing only EUR 23, how to eavesdrop on DECT transmissions. There are hundreds of millions of terminals, ranging from telephones, to electronic payment terminals, to door openers, using the DECT standard." So far, the Heise article's German only, but I suspect will show up soon in English translation. Update: 12/30 21:27 GMT by T : Reader Juha-Matti Laurio writes with
the story in English. Thanks!
I had no idea (Score:5, Interesting)
Wow. I had no idea that people were using DECT phones to process payment cards*, but a breif Google search turned one up. I guess I've always made the assumption that there is no way to validate the security of wireless connections, so they should always be considered insecure. Do I just have a paranoid mind, or do other geeks think like that to?
* "Payment cards" includes credit, debit, gift card, etc.
Re:I had no idea (Score:5, Interesting)
However, I submit the following [applied-math.org](PDF warning) as evidence that we do not live in such a world, indeed, there is some reason to suspect the exact opposite.
Re:I had no idea (Score:5, Interesting)
Personally I find it scary that people consider 'wired' communications to be 'secure' by default.
AFAIK most wireless protocols have at least some kind of 'security' and 'encryption' in their design. Granted that quite a few of these have been shown to be "incomplete", but at least there's an effort. Wired stuff on the other hand seems to be optimized for speed (and stability) only, but nobody really cares about security. When someone finds that they can eavesdrop on a wireless keyboard from an unobscured distance of say 5ft, hell breaks loose. But by my recollection there's been 'keyboardloggers' for ages, both in hardware (a "part" you had to put between the computer and the keyboard, something not quite unfeasible when you can get up to 5ft anyway) and software. (**)
Clearly, wireless is much harder to control (it simply goes through the wall to the house next door), wired isn't all that "unbreakable" either. ...
Imho, security would best be handled using software, that way at least it's easier to "upgrade" when a fault in the protocol is found. I doubt we're going to see everyone throw out their DECT phone or whatever anytime soon... Maybe they'll be able to eavesdrop on phone-conversations, and maybe they'll even manage to see what's going up & down when a payment transaction is going on, but I think (HOPE!) the latter will have at least some kind of protection in there to avoid the packets to be tampered with
(**: Frankly, I think the latter is much more widespread than most any of us think since it's so damn easy to create, but that could be me being paranoid)
Clipper chip (Score:2, Interesting)
Personally I find it scary that people consider 'wired' communications to be 'secure' by default.
Back in the '90s there was a big fight in the US about the Clipper chip, [slashdot.org] and forcing every phone in the US to have an encryption chip, with the keys being escrowed and only available via a court order.
While there were many reasons to be against it, I never understood why some people used the argument that the government could always secretly access the encryption keys. Given the fact that all phone calls are in the clear to begin with, adding the Clipper would actually add some security--if not against the government, then at least against someone attaching some alligator clips to your landline.
Your landline is just a bunch of voltage fluctuations, and after the "last / first mile" a bunch of bits--both of which can be tapped very easily. Unless we all start using STU-IIIs [wikipedia.org] it's simply best to assume that you're being tapped. (And even with STU-IIIs you still have to worry about traffic analysis [wikipedia.org].)
Re:I had no idea (Score:2, Interesting)
Not necessarily, there are two modes that you can use the EMV cards in. Plaintext offline PIN, and Encrypted offline PIN. In plaintext offline PIN the card reader presents the PIN to the card in plaintext.
Guess which mode most of the UK cards use, Go on, Guess. (Hint: it's not encrypted.)
Re:I had no idea (Score:3, Interesting)
Interesting reading. My card is signed with my real signature, which matches the one on my passport (which I carry when overseas) and my drivers' license. It's the receipt which I sign as "Check ID". I haven't yet called Visa on them, but I'm tempted to after reading that agreement. If nothing else, it means that they aren't actually checking the signature against the card.
Re:So then.... (Score:3, Interesting)
Chinese whispers.
Re:The difference is simple (Score:3, Interesting)
Wired is only as secure as the door on the phone equipment room, which in my building is shared by several businesses, and is often open as I walk by.
Re:I had no idea (Score:3, Interesting)
"Nowadays those terminals tend to get upgraded to GPRS/EDGE though, but DECT units are still quite popular. Not for that long I guess."
Oh, yes, now I do feel so much safer. Trust me if I say that at least in the GSM world, security is rather haphazard. There have been many issues, including broken SIM's etc. etc. If I take a look at the specs, I don't feel safe against eavesdropping *at all*. I don't know if GPRS is any better, but my guess is that it is not.
Anyway, even if it is safe, the chances of listening in *after* the stream has been decoded are very high. There is *no* end to end security when using these technologies. For that reason, e.g. the government will never break in using the wireless network because it is much easier to break in elsewhere. Of course, chances of doing this anonymously are much lower than a direct attack on the wireless protocols.
Basically, if you are using things like payment over any wireless network, I agree with you that the implementers must put security at the application level, using end-to-end security. Otherwise the protocol is broken by default. Does anyone here trust that all these wireless access points have been updated to the latest firmware? Because I don't.
Note: I'm agreeing with the parent here, just deepening the discussion a bit.