After fighting with my VMWare install under Ubuntu 10.04 (yes, I know…. it’s Alpha, why is that on your main box!!!) last night after the release, I finally got a chance to play a little with the exploit today in a test environment. As you can imagine the exploit is simple to use and works like a charm (at least in the testing I’ve done). I’ve put together a quick video of the exploit for those that want to show their management types why this is such a serious issue.

I particularly like the addition of the migrate -f automatically into the exploit (see ’show advanced’). This spawns a new notepad process and migrates to it so that if the victim closes/kills IE, the meterpreter session won’t be automatically killed along with the process. You learn something new everyday!

Microsoft have now posted a number of workarounds (most centered around disabling or limiting access to the peer class). For more information checkout KB981374 and CVE-2010-0806

All credit for the exploit goes to Tracer, All credit to HD Moore and the Metasploit team for producing such a great tool, for people like me (another tool), to rely on so much.

Keep up the good work.

Jayson was no bikini model, but he did his best

Unlike the snow in Washington, Shmoocon has come and gone. What an experience… People always said it was a one of the best conferences to attend, and now I know why. Everybody there was friendly, knowledgable and certainly up for a party. Just the right kind of environment to learn something new, meet new faces and catchup with others. Still, as I sit on a plane winging its way back to Austria, I can’t help but think about the total chaos caused by the Washington snow.

If you were anywhere near Washington the last few days you can’t fail but to have been effected by the snow storms and the resulting aftermath. As you can imagine, it was a source of much discussion at Shmoocon, especially for me and Benny (@security4all), as we were booked into a hotel 10 minutes walk from the conference. That’s 10 minutes without the snow

In among these discussions, an idea came up that intrigued me. If you think about it, the snow wasn’t the real problem. After all, lots of countries get this kind of snowfall on a regular basis. Personally, I deal with this kind of thing for ~4 months of the year back home in Austria. So what was the problem? what caused all this disruption? The problem was that Washington wasn’t prepared to deal with the issues that came up as a result of the snow. There was nobody to clear the streets, the airports couldn’t clear the runways, and the metro lines were blocked. This is all normal stuff, and if it snows regularly, you’ve got response plans in place. Everybody knows their roles, and does them well. In Washington, this kind of snow is such a rare occurence, that nobody knew what to do. At least that’s how it appeared from the point of view of an onlooker. There just wasn’t enough people ready to deal with things in a timely manner. Those that were ready didn’t have the resources or experience to deal with things quickly and well.

Gotta love regedit

You can’t fail but see the connection to many of issues we face in information security. Some companies have a incident handling plan in place, others don’t. Everybody gets hit by a security breach sooner of later. How fast your company recovers is all about doing the work now, and not hoping that you can just work it out when it hits. If you’re left scrambling around at 3am, like we saw in Washington, then you’ve already lost the battle. Without planning your resources are going to waste. I saw people on the streets of Washington at 3am, shoveling snow off the pathways. Normally I’d applaud that. After all it was a quick response and it was pro-active. Clear the streets before the morning. However, it was still snowing as hard as before, so for every inch that was cleared, another 2 inches of snow were still to come. Add to that the fact that 10 or even 20 people with shovels aren’t going to make a dent in the amount of snow. A typical case of having  the right tool for the right job… or in this case, not having the right tool.

This is typical knee-jerk reaction to an issue. Get out there as quick as you can and clear it up. Still, what can you achieve if the cause of the problem (in this case snow) still isn’t resolved. If an attacker got into your servers, you wouldn’t start rebuilding them before you’d plugged the hole used to exploit them. It’s a vicious circle, that won’t stop until you plan for what could, and eventually will happen. Worse still, in Washington, they knew it was coming before hand, an advantage you won’t often get when it comes to attacks. I could draw analogies here to an IDS warning you of attack attempts, but I think you get my point here. I don’t know who first said it, but “If you fail to plan, you plan to fail”.

Along with the usual conference stuff, I’ll also be taking part in the Podcasters meetup on Saturday night and taking part in the Core Security technical panel. If I can make some last-minute arrangements, I’ll have some Eurotrash Security stickers with me to give away. I will also be trying to do some quick on-site interviews for the podcast, but will have to do some sound checks to see if it’s possible.

I’ve been working on a list of new people to meet when at the conference, it’s by no means complete, but it’s a start. If you’re not on the list, don’t take offense, shoot me a message here or on Twitter and we’ll see what can be done.

• Mubix (Rob Fuller)
• Tkrabec (Tim Krabec)
• Andrewsmhay (Andrew Hay)
• WikidSystems (Nick Owen)
• Bug_Bear
• BIOSShadow (Jacob Kuehndorf)
• Geekgrrl (Melissa)
• grecs
• Masontech (Andrew Mason)
• Nathanhamiel (Nathan Hamiel)
• Gdead (Bruce Potter)
• Vincentkadmon (Georgia Weidman)
• HAK5 Crew
• ….

It’s always hard to pick what talks are must-see, but I’ve picked a couple out that I’ll be trying to attend.

Information disclosure via P2P networks: Why stealing an identity via Gnutella is like clubbing baby seals (Larry Pesce, Mick Douglas)

I saw Larry talk a little about this at Defcon, but I’m looking forward to the whole thing. I don’t think organisations think enough about this kind of data exposure, and people should be building this into the “data exposure” testing regime for their company  (if they’re doing it at all).

The New World of Smartphone Security – What Your iPhone Disclosed About You (Trevor Hawthorn)

I’ve been getting more and more interested in iPhone (in)security recently. So hopefully this talk will give me some motivation to finish my own research into iPhone profile security.

Social Zombies II: Your Friends Need More Brains (Tom Eston, Kevin Johnson, Robin Wood)

After the first version of the talk (at Defcon last year) this update should be fun. Plus Tom was the one who came to the rescue and got me a ticket, Kevin has to autograph my GWAPT certificate and Robin is just a great guy….

GSM: SRSLY? (Chris Paget, Karsten Nohl)

I missed this presentation at 26C3 as the room was full, so I hope that the rerun will be just as interesting. Plus, more information was forthcoming about A5/3 cipher… Oh, and Karten promised to come on Eurotrash, so I need to remind him

Exposed | More: Attacking the Extended Web (Nathan Hamiel)

Gotta love Web Application penetration testing !!!

The Friendly Traitor: Our Software Wants to Kill Us (Kevin Johnson, Mike Poor)

I haven’t seen Mike since a SANS conference in 2008 (Amsterdam) so it’ll be nice to say hi again…. Plus, anytime you can see Mike talk, it’s a WIN.

Anyway, I hope to see you there….

If the susbtitles are a little large and don’t fit the screen, please click the video and view it directly on YouTube’s site.

TV-Total

09 November 2009

Stefan Raab (Host/SR): Now we have a young man with us that, How should I say, some people may see him as a criminal, but he’s a hacker. He’s a very very sincere hacker. He was the youngest hacker to speak before Microsoft and CIA experts at the worldwide hacker conference in Las Vegas. please welcome, Mr Peter Kleissner.

<entrance music>

SR: Hello Peter, you’re 18 years old ?

Peter Kleissner (PK): Yes that’s right.

SR: So how criminal are the things you do ?

PK: Half criminal

SR: Not criminal at all ?

PK: Half criminal

SR: Oh, half criminal ! Have you already had problems with the authorities ?

PK: Partially, but nothing really serious

SR: Why what have you done ?

PK: Because I haven’t done anything very criminal such as hacking into bank accounts…

SR: But you could when you wanted ?

PK: Theoretically

SR: Theoretically ?

PK: Yes

SR: Na na na <roughly translates to tsk tsk, naughty>

<crowd laughs>

SR: So how endangered are normal computer users without much awareness ?

PK: Well I’ve also hacked your website. Yesterday.

SR: You’ve hacked our website ? What have you hacked ? what can you do with it ?

PK: Well when you go on my blog, or on twitter, there’s a link to the TV Total website that says that the program is cancelled.

SR: You can do things like that ?

PK: Yep. The people read that

SR: And then ?

PK: Then they think the program’s cancelled.

SR: Oh ok. You can do that of thing. Very interesting. Do you already know how long you have to spend in jail for that ? or …

PK: Ui <surprised>

SR: .. hasn’t it arrived in the post yet ?

PK: It’s on its way

SR: Can you only do that kind of thing on websites, or could you get access to the private… the private email account of… “Angela Merkel”

PK: Yes, with enough equipment and time

SR: Really ?

PK: It happens all the time that famous people have their accounts hacked and their emails made public. It happens a lot.

SR: What do you have to take care of if you’re a normal computer user ?

PK: When you get an email from me, I wouldn’t open the attachment.

SR: So that means you have to open the email ?

PK: Yes thats the vulnerability.

SR: So if you don’t open up the email from unknown senders then nothing can happen ?

PK: Yes

SR: or is it enough when I’m just online ?

PK: It depends. There are various possibilities.

SR: So you sit in a car with an antenna looking for wireless networks to hack into, so that you can see which porn sites the other people are looking at currently ?

PK: Yes

SR: You could do that ?

PK: Yes. But I don’t

SR: <laughs> Do people think that you don’t do it ?

PK: No

SR: This opens up loads of possibilities. How did you get into it ? what did you have to learn to be able to do it ? Was it hard to learn ? you’re only 18 after all. How long have been look into this subject ?

PK: I started about 2 years ago, I worked for an Anti-virus company and I learnt everything about viruses there.

SR: You have recently done a presentation at the world-wide hacker conference in Las Vegas, and spoken there with Microsoft and CIA experts. Can they learn something from you ?

PK: definitely !

<crowd laughs>

SR: So they can learn something from me, I can tell you how I got into your website and how to prevent it.. as long as you give me money. Is that your business model ?

PK: My business model is that I tell software developers how to secure their systems.

SR: That’s what I said.

PK: Yeah well, kinda.

SR: So you first find a potential customer and show them the failures in their software. In cases where it might happen again you can sell them a system/process to prevent it ?

PK: Exactly

SR: Isn’t that blackmail ?

PK: No. Only the way you say it.

SR: So it’s a business model…

PK: Yes

SR: .. you would say

PK: definitely

SR: Is that how you want to earn money in the future ?

PK: Yes, I already do like this. It works well

SR: Putting all this aside, the hacking of a website is already a criminal act !

PK: Yes

<Peter looks for nearest exit / crowd laughs>

PK: That’s right.

SR: What kind of fines would you have to pay if you got caught ?

SR: If you hack a site like TV-Total and write that the programs cancelled for example !

PK: But normally nobody is interested in that

<crowd laughs>

SR: If nobody goes to court, then there’s no crime ! <proverb>

<crowd laughs>

PK: There’s still foreign countries I can escape too

SR: Ok, but then you’re never allowed back !

PK: <laughs>

SR: That’s not so… Ah yes, you have to go back to Austria. Austrians look forward to going home !

SR: So what does the future hold for you ? You’re still in school correct ? You’re doing your A-Levels ?

PK: Yes

SR: And then ?

PK: I want to go to University. To study Computer Science (Informatik)

SR: I thought you already knew everything  ?

PK: Not everything, there’s still something to learn.

SR: Ok

PK: … and to brag !

SR: To brag ?

PK: Yes. I have to spend my time somehow.

SR: Do you need some special equipment for what you’re doing ?

PK: No a normal notebook is enough.

SR: A normal notebook ? and then the right knowledge.

PK: Exactly.

SR: Understood. So I wish you, at the very least with your legal activities, every success… and keep your fingers away from illegal stuff. Promise me that ?

PK: Yes

SR: Peter Kleissner ladies and gentlemen.

<entrance music>

In honor of the past and the future I’ve made a few (subtle) changes to the blog. Gone is the änal security guy (long story, ask me over a few beers) and I’ve gone back to using a nickname that I’ve not used in 5 years or so, catch22 (catch for short). That too is a long story, but at least the domain name c22.cc makes a little bit more sense now. Oh and I won’t have so many problems with badly programmed web-filters marking the blog as porn (hence the ä in the old title).

So what’s to come for me in 2010 ? It’s going to be another busy year I think. Lots of conferences planned already, and lots of things to get done. I’ve also come up with a few new years resolutions, and I plan to stick to them (this time). By posting them here you guys can all hassle me and call me a big fat liar if I don’t come through with the goods as well. No pressure

• Diet –> Because too many cons have taken their toll on my once slender and toned figure
• Friends –> I’m notoriously bad for losing contact with people and spending too much time locked in a room alone… time for a change
• Read more –> I keep getting new books, so time to read more and …
• Watch TV less –> To make room for the books, friends and …
• Projects –> Finish some, instead of leaving them half-finished with a blog post promising “more on that later”
• Charity –> Life’s been good to me even through tough times. So it’s time to give back !

So, if you see me at a con this year and I’m breaking any of these rules, I give you the right to tell me to my face that I’m an idiot…. trust me, with my willpower, I need all the help I can get !

Happy New Year everyone, and lets hope that 2010 is the year people realise they’re just making things worse (in security and in general).

Stop being part of the problem, and start being part of the solution.

Be good to each other !

Demo is performed using a SanDisk Cruzer Enterprise (FIPS Edition), however is possible on other devices.

• Small mistakes often have a big impact, especially when it comes to complex devices.

USB FDU – (USB Flash Drive Unlocker)

The demo PoC tool was able to unlock the device (make it so that any arbitrary password works) within a few seconds. A number of vendors have already patched this issue and provided updates for their devices (see Links below).

Currently the PoC isn’t publicly available.

Links :

• Cryptographically Secure Paper (DE)
• Papers (SanDisk, Kingston) (DE)
• SanDisk Security bulletin (LINK)
• http://www.syss.de (DE)

In the age of coordinated malware distribution and zero-day exploits security becomes ever more important. This paper presents secuBT, a safe execution framework for the execution of untrusted binary code based on the fastBT dynamic binary translator.

Aim: To visualize and encapsulate running programs to guard and protect the computer system

Problem

• programs can execute any system call
• Security vulnerabilities can be used to execute unintended system calls
• Patches are a reactive form of dealing with the problem

Solution

User-space virtualization encapsulates a running program

• Executed code is checked and validated
• Code can be wrapped or modified
• System calls can be controlled

User-space virtualization is implemented through Dynamic Binary Translation

• secuBT implements a User-Space sandbox
• Dynamic BT used for virtualization layer
• System calls interposition framework – Checks and validates system calls, implements checks to avoid breakout

Static vs Dynamic translation

Static reads the binary, reassembles it into a new binary after processing – This is prone to issues, but is quicker
Dynamic translates all code as it gets executed – This is slightly slower, but improves compatibility

Dynamic Translation implements two levels of code execution:

• ‘Privileged’ code of BT library
• Translated and cached user code

When performing translation the following checks are made:

• All instructions are checked
• All (direct and indirect) jump targets are verified
• All system calls are verified

Security hardening

• Enforce NX-bit
• Check ELF headers, regions, and rights
• Protect internal data structures (mprotect)
• Check and verify (valid) return addresses
• Check and verify indirect control transfers

System Call Interposition Framework

Guards and rewrites all system calls through sysenter & INT 80 redirection to a validation function

The validation function can reimplement the syscall in user-space (allows fake responses or return a value as desired)

This allows a specific set of permitted syscalls to be defined, and unwanted syscalls can be blocked.

Overhead – 7% only using Binary Translation,  increasing to 9% with all security implementations in place

What does secuBT protect ?

• Heap and stack based overflow
• Return to libc style attacks
• Overwriting the return instruction pointer (using shadow stack)

More information can be found at the following locations :

• http://events.ccc.de/congress/2009/Fahrplan/events/3515.en.html
• secuBT paper (PDF)
• secuBT project page (link)

The Chip Authentication Programme (CAP) has been introduced by banks
in Europe to deal with the soaring losses due to online banking fraud.
A handheld reader is used together with the customer’s debit card to
generate one-time codes for both login and transaction authentication.
The CAP protocol is not public, and was rolled out without any public
scrutiny. We reverse engineered the UK variant of card readers and
smart cards and here provide the first public description of the
protocol. We found numerous design errors, which could be exploited by
criminals.

Banks throughout Europe are now issuing hand-held smart card readers
to their customers. These are used, along with the customer’s bank
card, for performing online banking transactions. In this talk I will
describe how we reversed-engineered the cryptographic protocol used by
these readers, using some custom-designed smart card analysis hardware.
We discovered several flaws in this protocol, which could be exploited
by criminals (and some already are). This talk will explain what
vulnerabilities exist, and what the impact on customers could be.

Online banking fraud has increased 185% between 2007 and 2008.

Simple fraud techniques dominate due to poor overall security and awareness :

• Phishing emails
• Keyboard loggers

Some common security measures that UK banks have implemented :

• On-Screen keyboards
• Picture passwords
• Device fingerprinting (using HTTP header information to track and block)
• One-time-passwords/iTAN

All of these are bypassable in one way or another. Whether it’s through MitM style attacks, of faking headers. Commonly however Man in the Browser attacks are used, as it offers a complete control over the victim’s machine. What the victim sees, isn’t what they send/receive.

To combat this, the response must be bound to the transaction to be authorised. Various methods have been implemented, including several UK banks that are now using hardware based challenge/response for authorisation of transactions. These devices conform to the EMV specification v4.2

• Customer enters PIN
• Customer enters transaction details
• Reader displays authorisation code
• Customer enters code into the browser
• Bank verifies the authorisation code in the background

How this protocol works is a closed box.

By building a smart card snooper (based on the Xilinx FPGA development board from Opal Kelly) it was possible to discover information about the underlying protocols.

• Protocol very similar to EMV (used for smartcard payments in Europe)
• Looks like a transaction but cancelled at the last stage
• Contains 2 data items not listed in the EMV specification

Changing some data

By modifying specific pieces of data and leaving others the same, it was possible to observe the reaction of the device. By flipping 1 bit, sometimes the transaction failed, other times the resulting code was different.

• The authentication code comes from the cryptogram generated by the card at the end of the transaction
• The mysterious tag 9f56 was a ‘bit filter’ which selects which bits from the cryptogram are used for the response
• The filtered cryptogram is then converted to decimal

It was found that there were no cryptographic secrets within the device itself. This means that a software implementation was easy to achieve (a number are available).

Useability failures aid fraudsters

The different banks use varied features of the devices. This leads to confusion where a fraudster can fool a user into using the device in a way that the input is what the fraudster wants and not what the bank expects.

Nonce is small or absent

• No nonce in Barclays variant, so response stays valid
• Only a 4 digit nonce with Natwest (weak 100 guesses = 63% success rate)

Fake point of sales devices can get responses in advance.

CAP readers help muggers – CAP readers can be used to check if the PIN number is correct or not.
Supply chain infiltration – In the past chip & pin terminals with GSM modules have already been found in the wild. The control of CAP readers is significantly less controlled.

What does this mean for customers

• CAP is far better than existing UK systems
• Authentication codes are dynamic
• Authentication codes are bound to transaction

However, banks are now claiming that any transaction using this process must have been authorised by the user. This means that if you are a victim of fraud, the bank will probably deny your claims. Currently ~20% of claims are turned down.

Recent attempts to test this in court failed, with the Bank winning (Halifax). The evidence provided by the bank was simply a log file showing that the transaction was chip read (04 in the log).

HHD 1.3

Standard from ZKA, Germany

Stronger than UK CAP, but more user input required

• Many more modes
• Mode number alters meaningful prompts
• Up to 7 digit nonce
• Nonce, and mode number are included in MAC
• PIN verification

Other solutions

• Flicker TAN – Device reads information from a flickering animation (using sensors)
• USB connected readers – Require drivers, so could be an issue without Admin permissions
• Cronto PhotoTAN – Uses a 2D barcode read by a mobile phone application (uses a cryptographic key to prevent MitM)

More information can be found on the CCC wiki. Access to the slides (PDF)

• http://www.lightbluetouchpaper.org
• http://www.cronto.com/

This talk will show what can be done by taking control of the GSM RF part of a mobile phone, for example performing a DoS attack to the GSM network or using the phone as a sniffing device.

If the RF hardware of a mobile phone can be controlled, lots of things are possible, for example:

Motivation for playing with GSM

The GSM network has been in use in Germany since 1992 and hasn’t been well researched until recently. It was always the case that access to GSM equipment was restricted. Now the game has changed. Second hand GSM equipment is easily available, OpenBTS, OpenBCS, etc…. the documentation behind GSM is also now public (but is very extensive)

OpenBTS

• Hardware based on USRP
• Air Interface (Um) is a software defined radio
• Does not model classic GSM architecture, but uses a direct Um-to-SIP

OpenBCS

• Implements the Abis protocol plus MSC/MSC/HLR
• Supports the Siemens BS11 microBTS
• Supports ip.access nanoBTS
• Used to run the 26C3 network using 4 nanoBTS units

The nanoBTS is much smaller and more modern than the 10 year old Siemens BS11 unit.

Airprobe

• Passively sniff the GSM Air Interface
• Based on USRP and GNU Radio
• Analyze protocols with Wireshark

What about an “open” phone

• Project Blacksphere for Nokia DCT3 phone – No longer active ?
• TSM30, based on the TI Calypso GSM chipset – source code available on the internet
  • Can be used to sniff the air traffic
  • Could be used to perform DoS on the GSM network
• Openmoko GTA01/02: GSM modem based on TI Calypso
  • The software is open-source, but the GSM modem is still closed
• Future plans: Take a GSM RF-Transceiver and Baseband chip, connect it to a DSP/FPGA board
  • Truly open
  • Very long term

TSM30

• Spanish phone (about 6 years old)
• GSM, GPRS, WAP
• TI Calypso chipset – leaked documents can be found
• Firmware is written in C – no source code for the DSP

Sniffing the air traffic

The TSM30 provides the chance to extract digitally converted traffic, however issues of extracting the data (1 MByte per second) from the phone need to be worked out. As there is no fast data transfer this is currently an issue. Tests with 1 second of audio have been tested and work as expected.

DoS Attack

• By sending continuous RASH requests you can use up available channels on the BTS
• Makes it difficult for phones to access the cell
• Phones might switch to another cell
• Useful for specifically targeting a location, but not a general wide-spread DoS
• No 100% guarantee
• Theory known for sometime, but never demonstrated
• Even a phone without a SIM can perform the attack
• Hard to track
• Protection against the attack would require a complete rewrite of how GSM functions

One useful purpose for the attack, is performing a DoS against the cell and implement a rogue point to capture user information when phones attempt to register to another available BTS.

A demonstration of the DoS using the 25C6 conference GSM network (nanoBTS and OpenBTS)

More information can be found on the CCC wiki.

What has changed in DECT security after one year

“This talk will provide an update on the security of encrypted DECT
calls (using the DSC cipher), which can currently not be broken by
passive eavesdropping. We will also show what has been done so far to
improve DECT security and what you can do to get a secure DECT system”

GSM cellphones have a lot in common with in-house cordless telephones. The security of both devices were designed by the same group of people, with only a few years between them. They share a number of the same issues as a result.

Communication within the industry has been a lot better with DECT insecurities however, and plans are being discussed on how to make things more secure. The same cannot  be said however for GSM issues.

DECT overview

• Standard for short range portable phones
• Frequency 1,9 Ghz
• Range up to 300 meters
• invented in 1992
• more than 670,000,000 devices

Standard of security – 1 year ago

DECT uses two proprietary protocols

• DSAA: DECT Standard Authentication Algorithm
• DSC: DECT Standard cipher
• Both are OPTIONAL!

There are devices in the market the do not use authentication or encrypt.

Project deDECTed.org in 2007/8 jointly worked on disclosing DECT security

• Reversing DSAA
• Partial Reversing of DSC
• Attacks on DSAA, PRNGs and DECT itself
• Open-source sniffer for DECT PCMCIA card

This culminated in the talk at 25C3 to disclose the vulnerabilities and raise awareness. This talk invoked public interest, resulting in extensive media coverage, and the implementation of a DECT stack for Linux (Patrick McHardy). DECT vendors, BSI and other security companies started engaging with deDECTed.org. The first consumer phones with improves security appear in early 2009 (shortly after the 25C3 talk). These looked to fix some of the more serious issues. Some firmware upgradable phones were also provided with upgrades.

Open implementation of DECT

• PCMCIA Type III card now supported
• Additional support for audio codecs
• Better audio quality

New research

DSC was reverse engineered

• Similar to A5/1
• 4 LFSRs, 3 irregularly clocked
• Output combiner with 1 bit memory
• 40 Blank rounds – Largest weakness found

DSC can be accessed from the SC14421’s firmware

The level of access granted by the D_WRS state allowed for complete control and debugging of the encryption process. This meant that, like the Legic prime talk, a reverse engineering was possible without the need to look at the silicon. However, they still did, as it was fun.

A5/1 is stronger tan DSC in only one dimension –> in A5/1 there are 100 pre-cipher rounds, compared in only 40 in DSC.

This appears to be a tweak implemented by engineers to improve speed. However this 1 flaw causes serious issues with the encryption and makes it significantly weaker than A5/1. Without this change, the encryption would be significantly better than A5/1 in every way (see slides for a full breakdown)

DSC Cryptanalysis

• Imagine all the registers would be regularly clocked
• The internal state would be a linear combination of IV and key bits
• Two consecutive bits of output cut down the key space by half
• You can repeat that !
• However, LFSR’s are clocked irregularly

The use of irregular clocking makes it a lot more secure. However…

You can guess the number of clocks correctly (for 1 register, chances are 12%, for all 3 registers, the chances are 0,2%, which may seem low, but is significant). Access to 500,000 different keystreams reveals the key in 1 day on a PC  using a fast GPU. Full details of this attack will be released mid-January at a Cryptographic conference.

Using the C-Channel (A-Field) (to gather keystream data)

A-Field is ony encrypted when C-Channel data is present

The base station is responsible for updating the handset through C-Channel data. The C-Channel transports :

• Dial Strings
• Display updates
• Keys pressed on the numpad
• RSS newsfeeds

This provides lots of guessable plaintext, and can provide the 500,000 required keystreams with in 24h.

Using the B-Field (to gather keystream data)

B-Field transports voice data

• Very hard to guess, except if there is silence or the B-Field is unused
• Mute one end of the communication !

3 hours silence is enough to generate the required data.

Other Problems

• DSC key only depends on random numbers sent by the FP
• Phones create guessable B-fields
• …

Countermeasures

For the user :

• Restrict to short calls
• Avoid silence

For the manufacturer :

• change the key during the call
• Avoid guessable content in C-Channel
• Replace the algorithm

Next Generation of the DECT standard

• ETSI and the DECT forum are now working on a new standard
• deDECTed helped where possible
• Changes will be made in two stages – Short-Term fixes, Longer-Term redesign
• The new standards DSAA2, DSC2 will be openly published and use established algorithms

Where possible, firmware updates will be made available to fix some issues (such as re-keying, forced encryption, …)

A set of security requirements will be standardized in spring 2010. Phones implementing this will be certified.

More information can we found :

• http://events.ccc.de/congress/2009/Fahrplan/events/3648.en.html
• https://dedected.org
• http://www.dect.org/news.aspx?id=52 –> DECT Forum press statement

Some publications released in 2009 in regards to DECT security :

• “Security of Digital Enhanced Cordless Telecommunications” by Alexandra Mengele (PDF)
• “An efficient FPGA Implementation for an DECT Brute-Force Attack Scenario” by Kei Ogata (Article)