26C3: Encryption code for DECT mobile phones cracked

In addition to the crypto algorithm of the GSM mobile telephony standard, security researchers have also cracked the encryption code for calls from cordless phones that are based on the widely used Digital Enhanced Cordless Telecommunication (DECT) standard. This was announced by members of the deDECTed.org project group at the 26th Chaos Communication Congress (26C3) in Berlin on Tuesday. According to the researchers, the respective key used can be extracted from intercepted data traffic with a reasonable amount of effort. The experts think that such prep work will make the DECT Standard Cipher (DSC) "increasingly easier and faster to crack".

At last year's hacker conference, members of deDECTed had already pointed out severe flaws in the implementation of the DECT security features. They had used a modified laptop card and a Linux computer for intercepting DECT phones. When running their tests, the researchers noticed that occasionally no encryption process whatsoever exists between the transmitting base station and the handset. Often, the handset simply authenticates itself at the base station in the same way that is stipulated by the GSM mobile telephony standard. In other devices, the base station did authenticate itself, but without encryption. In all of these cases, the hackers were able to record active conversations in plain text.

At the time, however, the group was unable to successfully simulate an attack on the secret DSC. Now, the researchers have made further progress, which effectively means that phone conversations via DECT devices must be considered insecure even if a vendor has correctly implemented the standard's prescribed encryption features. According to crypto researcher Karsten Nohl, who has since joined the deDECTed team, one of the reasons for this is that engineers already worked sloppily when implementing the encryption code, reducing the initially planned additional process security measures such as redundant rounds in favour of a faster encryption.

The experts soon found first indications that "something's wrong with the encryption" of DECT, said Nohl. According to the researcher, the use of a proprietary cryptography standard whose operational principles are undisclosed, for instance, almost guarantees that the process will be easy to crack. The researchers were reportedly also unable to locate a good method for generating the random numbers required by the encryption mechanism. They generally found "a lot of design flaws", said Nohl. For instance, the wireless standard fully trusts the base station although the secret key is stored in the handset, he said.

According to Darmstadt-based crypto researcher Erik Tews, DSC is slightly more sophisticated than its A5/1 counterpart for GSM. An illustration in the relevant patent document shows that the algorithm consists of four registers with a total of 80 bits, he explained. The generated keys are reportedly loaded by a control unit at irregular time intervals. This process is always preceded by 40 redundant rounds, which simplifies intercepting the encrypted data stream, said the researcher. Furthermore, the hackers reportedly found a write command that proved useful in reverse engineering.

Tews described a laborious piecemeal process in which the researchers repeatedly used algebraic methods and a modified variant of a Linux-based DECT protocol stack to compare the assumed sequences within the encryption registers with the actual data they measured. Once they had found a few "crack here" signs, they started a linear cryptanalysis, he said. This reportedly enabled them to establish a register's number of clock cycles with a probability of 12 per cent. By evaluating half a million intercepted encrypted data streams, the researchers then reportedly managed to crack the DSC on a PC. The group intends to publish more details in mid January.

It was also necessary to figure out the precise operation of the DECT encryption code, Tews explained the group's next steps; one way of achieving this is to analyse the control traffic via the "A field" of the cordless phone's appropriate C channel, said the researcher. In addition to the dialled number sequences or constantly updated information about the duration of the current conversation, this traffic apparently also contains the required "keystream". The researchers reportedly needed 24 hours of recorded data material to establish the actual key used. Evaluating the B field, which generally contains voice data, reportedly allows the process to be completed much faster based on three hours of data traffic. However, this requires silence to be transmitted, said Tews. This is apparently the case when the handset is used as a "bug", for example when used as a baby monitor.

Before the presentation, the researchers informed the DECT forum of their findings. The alliance behind the standard acknowledged PDF the vulnerabilities and referred the researchers to a new, open cryptography approach it is co-developing with the European Telecommunications Standards Institute (ETSI). An appropriate short-term update of DECT is reportedly already scheduled to be adopted in spring 2010. The forum is apparently also in the process of establishing a formal certification procedure for DECT-based devices and intends to discuss further improvements with the deDECTed team. Until then, the group itself recommends that users only buy phones whose firmware they can update manually. In general, it is advisable to keep conversations on cordless phones short and avoid silence, said the experts.