25C3: Serious security vulnerabilities in DECT wireless telephony
If you want to keep your confidential telephone calls confidential, you'd be well advised to give telephones based on the widely-used DECT (Digital Enhanced Cordless Telecommunication) wireless telephony standard a miss. Security experts at the 25th Chaos Communication Congress (25C3) in Berlin have been explaining how easy it is to eavesdrop on such conversations. According to the researchers, all that's required is a souped-up 23-euro VoIP laptop card and a Linux computer. This setup has no difficulty in intercepting DECT conversations if, as is frequently the case, encryption is not activated. Even where data transfer is initially encrypted, the card is able to deactivate the encryption by pretending to be a base station.
The DECT protocol, a European Telecommunications Standards Institute (ETSI) standard, is the world's most popular wireless telephony protocol. The standard is also used in baby monitors, emergency call and door opening systems, wireless debit card readers and even traffic management systems. In Germany alone, where 25C3 is held, there are an estimated 30 million active DECT devices. DECT uses standard cryptographic procedures for authenticating the base station and terminals and for encrypting data transfers.
The algorithms used are hard wired into the devices and are not publicly disclosed. The keys used do not leave the originating network. As Erik Tews, one of the researchers from the Technical University of Darmstadt involved in the discovery, explained, in theory this all seems perfectly sound. In practice, however, there are various ways of getting around this and various attack points.
According to co-researcher Matthias Wenzel, the team, having previously built a very expensive DECT sniffer that required very high processing power, found an alternative hardware set-up for intercepting the data traffic in the form of the ComOnAir PCMCIA card. After just under a month of reverse engineering, reconstruction of the circuit diagram, hunting down the firmware and soldering on a few additional circuits, the goal of creating a sniffer that could be used from a car parked in front of a house was achieved.
Tews explained that the boffins quickly noticed there was sometimes no authentication or encryption process between the transmitter station and the handheld device. In many cases, as with the GSM mobile communications standard, the telephone only authenticated itself against the network, even though, according to the DECT protocol, the network can in principle also authenticate itself against the receiver. Other devices authenticated themselves, but the authentication process was unencrypted. In all these cases, the PCMCIA card, using a special Linux driver, was able to eavesdrop on conversations, extract and write data to a storage medium and forward this data to an audio player. In such poorly secured DECT networks, it was possible to record every telephone conversation which took place.
Tews stresses that even where the handset did encrypt conversations, eavesdropping was not made much harder. Using a modified driver and a script, they succeeded in getting the sniffer to impersonate a base station and, thanks to VoIP support, divert the data traffic to an Asterisk server, where again it could be recorded. It was not necessary to crack any keys, since communication reverts to plain text when transmitting a signal which does not support encryption. The Darmstadt-based researcher stressed the vulnerability of standard DECT implementations, saying "This works for all the systems we looked at here in Germany."
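The two weaknesses described above, a network that never authenticates itself to the handset and a link that falls back to plain text as soon as one side signals that it does not support encryption, can be shown side by side in a small model. The following Python sketch is an added illustration and is not part of the original report or of the researchers' tooling; its message names, fields and the stand-in authentication function are constructed for the example and do not reflect the real DECT protocol. It contrasts a "weak" handset policy, which behaves as the article describes, with a policy that insists on base-station authentication and refuses a plain-text link.

```python
"""Toy model of a handset deciding whether to accept a base station's offer.

Constructed illustration, NOT the DECT protocol: the message names, fields
and policies are invented to show why a handset that neither authenticates
the network nor refuses plain text will hand its traffic to an impersonating
base station, and what a handset-side policy must enforce instead.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class BaseOffer:
    """What a (genuine or impersonating) base station announces to the handset."""
    base_id: str
    supports_encryption: bool
    # Proof that the base knows the shared pairing secret; None = not provided.
    auth_response: Optional[str] = None


@dataclass
class HandsetPolicy:
    require_base_auth: bool   # insist that the network authenticates itself
    allow_plaintext: bool     # accept a link with encryption switched off


@dataclass
class Handset:
    pairing_secret: str
    policy: HandsetPolicy

    def expected_auth(self, base_id: str) -> str:
        """Stand-in for the real authentication algorithm (constructed).

        Only a base that knows the pairing secret can produce this value.
        """
        material = f"{self.pairing_secret}|{base_id}".encode()
        return hashlib.sha256(material).hexdigest()[:16]

    def connect(self, offer: BaseOffer) -> str:
        """Return the resulting link state: 'encrypted', 'plaintext' or 'rejected'."""
        if self.policy.require_base_auth:
            # Mutual authentication: an unknown or impersonating base fails here.
            if offer.auth_response != self.expected_auth(offer.base_id):
                return "rejected"
        if not offer.supports_encryption:
            # Downgrade point: the weak policy silently falls back to plain text.
            return "plaintext" if self.policy.allow_plaintext else "rejected"
        return "encrypted"


# Constructed scenarios used by the demo below.
WEAK_POLICY = HandsetPolicy(require_base_auth=False, allow_plaintext=True)
STRICT_POLICY = HandsetPolicy(require_base_auth=True, allow_plaintext=False)


def run_scenarios(secret: str = "pairing-secret") -> dict:
    """Connect weak and strict handsets to a genuine and to an impersonating base."""
    weak = Handset(secret, WEAK_POLICY)
    strict = Handset(secret, STRICT_POLICY)

    # The impersonator does not know the secret and claims no encryption support.
    rogue = BaseOffer(base_id="rogue-base", supports_encryption=False)
    genuine = BaseOffer(base_id="home-base", supports_encryption=True,
                        auth_response=strict.expected_auth("home-base"))
    # A genuine base that nevertheless offers no encryption.
    genuine_noenc = BaseOffer(base_id="home-base", supports_encryption=False,
                              auth_response=strict.expected_auth("home-base"))

    return {
        "weak_vs_rogue": weak.connect(rogue),              # 'plaintext'
        "strict_vs_rogue": strict.connect(rogue),          # 'rejected'
        "strict_vs_genuine": strict.connect(genuine),      # 'encrypted'
        "strict_vs_genuine_noenc": strict.connect(genuine_noenc),  # 'rejected'
    }


if __name__ == "__main__":
    for name, state in run_scenarios().items():
        print(f"{name:26s} -> {state}")
```

The weak policy is the behaviour the article describes: because the handset never checks who the base station is and accepts a link without encryption, a rogue base that simply signals "no encryption" receives the call in the clear. The strict policy closes both holes at once, and also refuses a genuine base that offers no encryption, which is the price of not being silently downgraded.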
The researchers also found some initial points of attack in the encryption system. According to Tews, they succeeded in reverse engineering the central DECT Standard Authentication Algorithm (DSAA) and its four sub-implementations. A report on the research can be found on the dedacted.org project site, with implementations and C and Java source code to follow. However, DSAA is not as yet completely cracked.
According to another member of the research team, Ralf-Philipp Weinmann, there is as yet no effective attack on the confidential DECT Standard Cipher (DSC). A patent lodged in Spain and the US by Alcatel has, however, according to Weinmann, proved very helpful in tracking down potential weak spots in the code. The random number generators required for the encryption process have proven to be none too robust, so that they can also be used to simulate handsets and decipher encrypted conversations. Weinmann also announced that the next version of the WLAN sniffer, Kismet, will support DECT. The update to Kismet does not remove the need for the ComOnAir card, as DECT and Wifi operate on different frequencies.
For more reports on the 25C3, see also:
- 25C3: More light shed on "denial of service" vulnerabilities in TCP
- 25C3: Reliable exploits for Cisco routers
- 25C3: Cracks in the iPhone security architecture