At this year's Chaos Communication Congress (CCC) a number of new vulnerabilities and tools were released. So far the SSL vulnerability has gotten the most press. However the presentation that really caught my eye was simply named “DECT”. This presentation was given by the deDECTed.org team consisting of Andreas Schuler, Ralf-Philipp Weinmann and Erik Tews.
Before I go too far I should give a little background on DECT. In short, DECT is a wireless protocol, mainly used by cordless phones in Europe. The original DECT standard could not be implemented in the US because it operated in a frequency range that was already in use in the US. DECT 6.0 fixed this by operating in a frequency range that is legal for use in the US. It is important to note that before DECT 6.0, bastardized versions of DECT were still used in the US. These bastardized versions were often referred to as "frequency shifted DECT" and are basically DECT implemented on frequencies that agree with the US band plan. For example, I've seen a number of "frequency shifted DECT" headsets operating in the 2.4GHz ISM band.
Now that we know what DECT is, what could the deDECTed.org team do with it? First, the team found a way to monitor DECT traffic using a DECT PCMCIA card that costs about $30. In the past only very expensive sniffers could monitor DECT traffic. If a DECT call is not encrypted, the $30 sniffer can be used to listen in on the voice call. This is bad but not too surprising: with the rise of software defined radios, someday someone was going to build an inexpensive sniffer. For example, some folks have been working on software that allows the GNU Radio to monitor DECT. Likewise, the deDECTed.org team developed some, not yet released, software that allows the GNU Radio to monitor DECT.
The real surprise came when they found a way to monitor encrypted DECT transmissions! In this case they basically used the PCMCIA cards to set up a fake base station and perform a man-in-the-middle (MITM) attack against the encrypted traffic. From what I can tell, the fake base station simply tells the handset to disable encryption, and in most cases the handset disables encryption and continues the call in the clear. However, this is just an educated guess based on what I've read so far. When I have more details on this I'll let you know. It's worth noting that this attack did not work against every device that supports encryption.
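The failure mode described above is a cipher downgrade: a handset that honours an "encryption off" instruction from any base station fails open, while one that only honours it from a base station it has authenticated fails closed. The following toy simulation is an added example written for this post, not code from the deDECTed.org team and not the DECT air interface; the message fields (`sender`, `enable_cipher`, `authenticated`), the policy names `fail_open` and `fail_closed`, and the base station identifiers are all constructed for illustration.

```python
"""Toy model of a cipher-downgrade request against a cordless handset.

Abstract simulation only: the message format, policy names and identifiers
below are invented for this example and do not describe the real DECT
protocol messages.
"""
from dataclasses import dataclass, field


@dataclass
class CipherRequest:
    """A constructed control message from a base station to the handset."""
    sender: str            # hypothetical base station identifier
    enable_cipher: bool    # True = switch encryption on, False = switch it off
    authenticated: bool    # has the handset verified the sender holds the shared key?


@dataclass
class Handset:
    """Tracks whether the link is encrypted and records every decision."""
    policy: str                  # "fail_open" or "fail_closed" (hypothetical names)
    encrypted: bool = False
    log: list = field(default_factory=list)

    def handle(self, req: CipherRequest) -> bool:
        """Apply one cipher request; return whether the link is encrypted afterwards."""
        if req.enable_cipher:
            self.encrypted = True
            self.log.append(f"cipher on (from {req.sender})")
            return self.encrypted

        # A request to turn encryption off is the downgrade case.
        if self.policy == "fail_closed" and not req.authenticated:
            # Refuse the downgrade and flag it: the only party that should be
            # able to change the cipher state is one that proved key possession.
            self.log.append(f"ALERT: unauthenticated cipher-off from {req.sender} rejected")
            return self.encrypted

        # fail_open handsets, or an authenticated request, drop to cleartext.
        self.encrypted = False
        self.log.append(f"cipher off (from {req.sender})")
        return self.encrypted


def simulate(policy: str) -> tuple[bool, list]:
    """Run the constructed scenario: legitimate base enables the cipher,
    then a rogue base (constructed) asks the handset to disable it."""
    hs = Handset(policy)
    hs.handle(CipherRequest("home_base", enable_cipher=True, authenticated=True))
    hs.handle(CipherRequest("rogue_base", enable_cipher=False, authenticated=False))
    return hs.encrypted, hs.log


if __name__ == "__main__":
    for policy in ("fail_open", "fail_closed"):
        encrypted, log = simulate(policy)
        print(f"{policy}: encrypted={encrypted}")
        for line in log:
            print("   ", line)
```

Run with `python3 downgrade_sim.py`; the `fail_open` handset ends the scenario in the clear, the `fail_closed` handset stays encrypted and logs an alert. The point of the model is that the check belongs on the handset side: whether a real product resists this depends on whether its firmware makes the same distinction.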
Over the years I've assessed a number of “encrypted” wireless headsets that use DECT or “frequency shifted DECT”. The big question is: are these encrypted headsets vulnerable to this MITM attack? If they are, many of the encrypted digital headsets used in corporate America would be vulnerable to this attack. To be clear, I am referring to the wireless headsets that connect to a desk phone; I am not talking about the Bluetooth headsets used with cellphones. At this time I do not know if these headsets are vulnerable, but given how poorly some of the manufacturers implemented encryption in these devices, I suspect a large number of them will be vulnerable. In a future post I'll cover some key management problems I've seen when assessing these products.
To find the answer to this question I am in the process of ordering some COM-ON-AIR cards so I can test these attacks in my lab. A GNU Radio has also been on my wish list for a while, so it might be time to spend the $1000 to pick one up to play with. I'll keep you posted on what I find out!