Saturday, January 3, 2009

New Attack Against DECT Could Allow Attackers to Monitor Encrypted Headsets

At this year's Chaos Communication Congress (CCC) a number of new vulnerabilities and tools were released. So far the SSL vulnerability has gotten the most press. However, the presentation that really caught my eye was simply named “DECT”. This presentation was given by the deDECTed.org team, consisting of Andreas Schuler, Ralf-Philipp Weinmann and Erik Tews.

Before I go too far I should give a little background on DECT. In short, DECT is a wireless protocol mainly used by cordless phones in Europe. The original DECT standard could not be implemented in the US because it operated in a frequency range that was already in use there. DECT 6.0 fixed this by operating in a frequency range that is legal for use in the US. It is important to note that before DECT 6.0, bastardized versions of DECT were still used in the US. These bastardized versions were often referred to as "frequency shifted DECT" and are basically DECT implemented on frequencies that agree with the US band plan. For example, I've seen a number of "frequency shifted DECT" headsets operating in the 2.4GHz ISM band.

Now that we know what DECT is, what could the deDECTed.org team do with it? First, the team found a way to monitor DECT traffic using a DECT PCMCIA card that costs about $30. In the past only very expensive sniffers could monitor DECT traffic. If a DECT call is not encrypted, the $30 sniffer can be used to listen in on the voice call. This is bad but not too surprising: with the rise of software defined radios, someone was bound to build an inexpensive sniffer eventually. For example, some folks have been working on software to allow the GNU Radio to monitor DECT. The deDECTed.org team has also developed, but not yet released, software that allows the GNU Radio to monitor DECT.

The real surprise came when they found a way to monitor encrypted DECT transmissions. In this case they basically used the PCMCIA cards to set up a fake base station and perform a man-in-the-middle (MITM) attack against the encrypted traffic. From what I can tell, the fake base station just tells the handset to disable encryption, and in most cases the handset simply disables encryption and continues the call in the clear. However, this is just an educated guess based on what I've read so far. When I have more details on this I'll let you know. It's worth noting that this attack did not work against every device that supports encryption.
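To make that failure mode concrete, here is a small added Python model (not the deDECTed.org tooling and not real DECT code) of a handset that either accepts a cipher-off request from whatever base it is talking to or insists on encryption for the whole call. The message names, the `Handset` class and its policy flag are assumptions of the model, since the post itself only has an educated guess about the exact mechanism.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Handset:
    """Toy model of a DECT-style handset's cipher policy (assumption, not DECT)."""
    require_encryption: bool           # True = hardened policy, False = permissive
    in_call: bool = False
    encrypted: bool = False
    events: List[str] = field(default_factory=list)

    def call_setup(self, base_enables_cipher: bool) -> bool:
        """Base proposes a call; a rogue base may simply never enable ciphering."""
        if not base_enables_cipher and self.require_encryption:
            self.events.append("setup rejected: base did not enable encryption")
            return False
        self.in_call, self.encrypted = True, base_enables_cipher
        self.events.append(f"call up, encrypted={self.encrypted}")
        return True

    def cipher_off_request(self) -> None:
        """Base asks to continue in cleartext mid-call (the downgrade in the post)."""
        if self.require_encryption:
            # Hardened policy: losing encryption ends the call rather than leaking it.
            self.in_call, self.encrypted = False, False
            self.events.append("cipher-off rejected: call torn down")
        else:
            # Permissive policy: the call quietly continues in the clear.
            self.encrypted = False
            self.events.append("cipher-off accepted: call continues in the clear")

    def audio_is_exposed(self) -> bool:
        """True when voice is flowing unencrypted, i.e. a cheap sniffer could hear it."""
        return self.in_call and not self.encrypted


def downgrade_sequence(handset: Handset) -> bool:
    """Replay the MITM sequence from the post: encrypted setup, then cipher-off.
    Returns whether the call ends up audible in the clear."""
    handset.call_setup(base_enables_cipher=True)
    handset.cipher_off_request()
    return handset.audio_is_exposed()
```

The `events` list is the kind of trail a device or PBX would need to log for a defender to notice a call that went unencrypted.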

Over the years I've assessed a number of “encrypted” wireless headsets that use DECT or “frequency shifted DECT”. The big question is: are these encrypted headsets vulnerable to this MITM attack? If they are, many of the encrypted digital headsets used in corporate America would be vulnerable. To be clear, I am referring to the wireless headsets that connect to a desk phone, not the Bluetooth headsets used with cellphones. At this time I do not know if these headsets are vulnerable, but given how poorly some of the manufacturers implemented encryption in these devices I suspect a large number of them will be. In a future post I'll cover some key management problems I've seen when assessing these products.

To find the answer to this question I am in the process of ordering some COM-ON-AIR cards so I can test these attacks in my lab. A GNU Radio has also been on my wish list for a while, so it might be time to spend the $1000 to pick one up and play with it. I'll keep you posted on what I find out!

Reader Comments (2)

Great post.

I've not had a chance to write anything up yet, but I've been playing about with the DECT_CLI program and a com-on-air card for a week or so now (doing a few demos for internal people along the way). Testing seems to be a little hit and miss, with random results based on when you start to record a call. Still, the software is only in early alpha stages (I guess). The plugins for Metasploit, Kismet and the like are interesting but only PoC code really.

I've also got a Plantronics CS60 DECT based headset sitting on my desk for testing. I'll let you know how things go once I've had time to run some tests.

I've not looked at the fake base-station attack yet, but it doesn't seem to be an option in the DECT_CLI program as yet. Do you have any more information on this attack vector?

ChrisJohnRiley

February 20, 2009 | Unregistered Commenter ChrisJohnRiley

Chris,

I have not yet been able to play with the DECT_CLI program. Once my presentation schedule slows down I hope to get back into playing with DECT.

Keep me posted on what you find out about the CS60.

Cheers,
Matt

March 6, 2009 | Registered Commenter Matt
