Slashdot Mirror


CCC Hackers Break DECT Telephones' Security

Sub Zero 992 writes "Heise Security (article in German) is reporting that at this year's Chaos Communication Congress (25C3) researchers in Europe's dedected.org group have published an article (PDF) showing, using a PC-Card costing only EUR 23, how to eavesdrop on DECT transmissions. There are hundreds of millions of terminals, ranging from telephones, to electronic payment terminals, to door openers, using the DECT standard." So far, the Heise article's German only, but I suspect it will show up soon in English translation. Update: 12/30 21:27 GMT by T : Reader Juha-Matti Laurio writes with the story in English. Thanks!

9 of 116 comments

  1. Ok, somebody has to. by fuzzyfuzzyfungus · · Score: 5, Funny

    All your base station are belong to us.

  2. I had no idea by Ender_Stonebender · · Score: 4, Interesting

    Wow. I had no idea that people were using DECT phones to process payment cards*, but a brief Google search turned one up. I guess I've always made the assumption that there is no way to validate the security of wireless connections, so they should always be considered insecure. Do I just have a paranoid mind, or do other geeks think like that too?

    * "Payment cards" includes credit, debit, gift card, etc.

    --
    Loose things are easy to lose. You're getting your hair cut. They're going there to see their aunt.
    1. Re:I had no idea by Chep · · Score: 4, Informative

      those terminals are here *everywhere* (France). Drive up to McD's, order stuff, you get handed the terminal, put your card in, punch your PIN, there you are.

      Nowadays those terminals tend to get upgraded to GPRS/EDGE though, but DECT units are still quite popular. Not for that long I guess.

      Although, snake oil wireless security is not much of a worry, if there is another layer of end-to-end crypto between the terminal and the billing&processing authority! I wouldn't bet too much on this though...

      (on the other hand, even CCC-cracked DECT is still not too bad... was appalled to see coupla weeks ago in Geneva, they still print the whole card number and time on receipt slips... OOPS!)

    2. Re:I had no idea by fuzzyfuzzyfungus · · Score: 5, Interesting

      In a world not ruled by morons and legacy equipment, I imagine that the DECT link would just be carrying a nice SSL session, and it wouldn't much matter.

      However, I submit the following (PDF warning) as evidence that we do not live in such a world, indeed, there is some reason to suspect the exact opposite.

    3. Re:I had no idea by deroby · · Score: 5, Interesting

      Personally I find it scary that people consider 'wired' communications to be 'secure' by default.

      AFAIK most wireless protocols have at least some kind of 'security' and 'encryption' in their design. Granted that quite a few of these have been shown to be "incomplete", but at least there's an effort. Wired stuff on the other hand seems to be optimized for speed (and stability) only, but nobody really cares about security. When someone finds that they can eavesdrop on a wireless keyboard from an unobscured distance of say 5ft, hell breaks loose. But by my recollection there's been 'keyboardloggers' for ages, both in hardware (a "part" you had to put between the computer and the keyboard, something not quite unfeasible when you can get up to 5ft anyway) and software. (**)

      Clearly, wireless is much harder to control (it simply goes through the wall to the house next door), but wired isn't all that "unbreakable" either.
      Imho, security would best be handled using software, that way at least it's easier to "upgrade" when a fault in the protocol is found. I doubt we're going to see everyone throw out their DECT phone or whatever anytime soon... Maybe they'll be able to eavesdrop on phone-conversations, and maybe they'll even manage to see what's going up & down when a payment transaction is going on, but I think (HOPE!) the latter will have at least some kind of protection in there to keep the packets from being tampered with ...

      (**: Frankly, I think the latter is much more widespread than most any of us think since it's so damn easy to create, but that could be me being paranoid)

      --
      If there is one thing to be learned on slashdot, it has to be sarcasm.
  3. Re:Shouting in German by Opportunist · · Score: 5, Funny

    There are people who understand German, you insensitive clod!

    Germans are people too!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. Based on the mangled translation... by russotto · · Score: 4, Informative

    ..it appears they haven't broken the cipher, but instead managed to trick the handset and base into not enabling encryption in the first place. I'd guess (without any actual information) that it's an active attack where you intentionally interfere to force a disconnect, then trace the reconnection up to the point where encryption is requested, then fake a packet with encryption not requested (it's TDMA so you know exactly when it is going to come). For cordless phones this is a problem, but for PIN terminals and other dedicated DECT devices, it should in theory be simple to refuse to make certain non-encrypted connections or transmit sensitive data over them. However, in actual practice, nothing involving DECT is simple...

  5. Re:Shouting in German by JJJK · · Score: 5, Funny

    German Slashdotters for the win!

  6. Heise UK by Anonymous Coward · · Score: 5, Informative