Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

DECT phones and POS terminals are vulnerable

And so is son of DECT, the super-digital CAT-iq

Article comments

German security experts have built a cheap laptop-based sniffer that can break into cordless phones, debit card terminals and security door mechanisms - and the same gear will also work on the next generation of DECT, known as CAT-iq.

The attack on DECT, demonstrated at the 25th Chaos Communications Congress in Berlin on 29 December, used a Linux laptop with a modified €23 laptop card. It can intercept calls and information directly, recording it in digital form. Even if encryption is switched on, the system can bypass encryption - simply by pretending to be a base station that doesn't support it.

The DECT protocol is used in many millions of cordless phones, as well as in wireless debit card readers, security doors and traffic management systems. It has encryption built in, but the protocol is kept secret. At one time DECT was expected to be replaced by Wi-Fi, but it is being built into broadband routers, and a new generation of DECT is being prepared under the CAT-iq brand.

"CAT-iq merely adds new features such as wideband codecs and audio/video streaming to the existing DECT standard," said Ralf-Philipp Weinmann, a a cryptographer working in the LACS group at the University of Luxembourg, and part of the Dedected group that demonstrated the DECT problems. "It does not change anything security-wise. Hence our attacks apply to products implementing CAT-iq as well."

If they can't get encryption to work, all the most popular phones will happily revert to unencrypted communications, said Andreas Schuler, from the Dedected group: "A phone should break the connection if the encryption is rejected, but the priority from the manufacturer lies on interoperability not on security, so this is accepted to make the phones work with more (unsecure) stations."

It is not clear whether the same method would work on debit card reading systems, since these may enforce the use of encryption, or employ higher level encryption such as SSL, said Weinmann. "We haven't been able to verify whether any POS terminals actually do reject unencrypted communications," said Weinmann. "If however the UAK - the master secret shared between the base station and the terminal - generated during the pairing of the POS terminal with the base station is weak, then all communications can be decrypted anyway."

More fundamentally, DECT's use of a secret encryption algorithm is wrong, warned Weinmann: "Both the DECT encryption algorithm (DSC) and the DECT authentication algorihm (DSAA) were unpublished and have hence not been subject to scrutiny by outside experts. [Telecoms standard maker] ETSI really should be using peer-reviewed algorithms, and I hope that in future standards DSC and DSAA will be replaced with published and peer-reviewed algorithms."

The Dedected group has partially reverse-engineered the DECT encryption system, which should be replaced, said Weinmann, much as already happened with GSM and 3G encryption.

One positive note is that the move to integrated DECT into devices like broadband routers will make it easier to secure individual systems, said Weinmann. "Integrated boxes and higher-end telephone systems allow for flash upgrades of their DECT stack. This allows the most blatant security issues to be given at least some band aid."


More from Techworld

More relevant IT news


Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *