Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Upcoming DECT Talk

Those of you that follow my insane ramblings on a regular basis might just remember some posts I’ve made about DECT interception. As part of my ongoing interest in this area I’ve been keeping an eye on the dedected.org site and the researchers responsible for reversing parts of the DECT standard. Although not much has moved since the December 2008 software release and initial research, Ralf-Philipp Weinmann (University of Luxembourg) will be making a presentation at the upcoming EUSecWest 2009 in London (27/28 May). The talk, entitled “Efficient UAK Recovery attacks against DECT”, seems to hint at possible advances to the project.

The UAK (User Authentication Key) is a 128-bit key used in the pairing process to authenticate the PP (Portable Part). Although this isn’t the point we’ve all been waiting for (an attack on DECT Standard Cipher), it does represent the next step forward and could open the door to easier Man in the Middle type attacks. It could also allow attackers to connect to internal DECT systems and route calls through internal call switches. Great for free calls, social engineering, or maybe gaining access to restricted services (modems listening on internal extensions, voicemail systems, etc.). At the moment this is all speculation however.

It’s a pity I can’t be at EUSecWest (I’m already doing too many conferences this year). However I’ll be keeping an eye on the slides as soon as they’re made public.

At present the dedected.org team have released software that allows for capturing unencrypted DECT telephone calls only. This doesn’t mean that encrypted calls can’t be captured, it simply means that they cannot currently be decoded into anything that makes sense. There is a chance that previously captured encrypted calls could be attacked and decoded in the future.

That notwithstanding, I doubt that the dedected.org team will be releasing anything new to decode encrypted traffic in the short term. At this stage they’ve already exposed the weaknesses in DECT, and without a solution to the issue, releasing a tool that captures and decodes encrypted traffic would only put individuals and companies using encrypted DECT in danger. That’s not to say there won’t be something in the mid to long term.

To prevent exposure, companies should start looking (if they’ve not already started) at alternative options to DECT telephones and headsets. VoIP seems like a viable alternative if it’s implemented over VPN or other secure channels. Only time will tell if this is the direction that people head however.
