http://www.secuobs.com Observatoire de la securite Internet fr webmaster@secuobs.com 2009-04-14 12:46:29 - dedected.org Blog : A diploma thesis written by Alexandra Mengele is now finished andavailable for download The thesis contains test results from a lot ofconsumer phones and a detailed explanation how these phones wheretested It also summarizes most of the attacks on DECT which arecurrently knownhttp://www.secuobs.com/revue/news/83029.shtmlhttp://www.secuobs.com/revue/news/83029.shtml Secuobs.com : 2009-03-10 14:56:42 - dedected.org Blog - I took some time for lengthy measurements, and did sweeps of the DCoffset in the PLL of the radio in the Type III cardsI found the DC offset way off the optimal value:DC_offset_measurementI just changed the values, reception should be around 4x betteris there a way to inline the picture in the trac bloghttp://www.secuobs.com/revue/news/69636.shtmlhttp://www.secuobs.com/revue/news/69636.shtml Secuobs.com : 2009-02-14 22:54:23 - dedected.org Blog - yesterday I wrote a disassembler for the Sitel formerly NationalSemicondictors SC144xx series of DECT chips It is based on themnemonics and opcodes from asl, which we use for assembling thefirmware insinde the linux driver for the com-on-air card's SC14421The disassembler supports* SC14400* SC14401* SC14402* SC14404* SC14405* SC14420* SC14421* SC14422* SC14424All the Sitel DIPs listed above, the only ones we know use a fixed16 bit instruction set The first 8 bits are the instruction, thesecond 8 bits are an argument, or are ignored when there's no argumentto the instruction As far as I understand the firmware size cannotexceed 512 bytes in total The simplest way that Sitel might haveextended this in the meantime in their recent DIPs is to add arelative jump instruction JUMPR But for now there is none we knowabout, and jumps can only address 256 code locations, or every secondof 512 bytesI put some initial and very incomplete documentation on the opcodes indip_opcodestxt That's pretty much all we know about the instructionset for nowMy disassembler is called dump_dip, and has another nice feature: itruns on large BLOBs This means it scans through large files lookingfor a long sequence of valid DIP opcodes When there's atleastTHRESHOLD currently #defined to 50 sequential valid DIP opcodes itdumps the disassembly to stdout This means you can run the tool on a/* , some DECT-device's firmware-update from awebsite, or even on a iso CD imageThe downside to this feature is that it also creates a lot offalse-positives on large images, when there are eg long sequences ofa single value which happens to be a DIP opcode luckily 0x00 and 0xffboth aren't valid DIP codes: But a quick look or grep will lead youto the real firmwareThe 16 bit architecture allows for two types of storage in a file"plain" and "byteswapped" dump_dip has a option "-b" for switching onbyteswapping The linux driver's firmware that you can find infirmware/*bin uses byteswapping All the windows driver an otherimages I have seen use "plain" encoding$ dump_dipdump_dip - simple disassembler for sc144xx DIP codesusage: dump_dip options options:-b byteswapexample:dump_dip /WinCD/install/* win_cd_dipasmThe result can look like this:; ----------------------------------------; firmware_0_0 offset 177660 size 556 bytes; file mxb500bin; ----------------------------------------label_00:JMP label_00 actual firmware snipped ; the above firmware is supported by the following CPUs:; sc14400; sc14401; sc14402; sc14404; sc14405; sc14420; sc14421Have fun using the tool, however we have one not being funny bigwarning for you:don't post any firmware of a commercial device or otherwisecopyrighted firmware to dedectedorg or any other location, you'dviolate their copyright, and they may take it serioushttp://www.secuobs.com/revue/news/61937.shtmlhttp://www.secuobs.com/revue/news/61937.shtml Secuobs.com : 2009-02-12 22:53:58 - dedected.org Blog - We have received about 10 phones from the community so far to build alist of phones and their security problems We have also received arequest from a bigger German computer magazine, who sponsored us about40 phones to test Also a vendor has shipped some phones to us, andhas received a report of the security of their phonesThe test results of the 40 phones sponsored by a German computermagazine will be published on March 2 in Germany in their printedmagazine A larger report containing all these results will bepublished mid March on this website The testing has mainly been doneby Alexandra Mengele as a part of her diploma thesisCurrently, we don't see a need for more phones to test However, ifyou have some interesting unusual DECT hardware, we are stillinterested in it Please contact team@dedectedorghttp://www.secuobs.com/revue/news/61397.shtmlhttp://www.secuobs.com/revue/news/61397.shtml Secuobs.com : 2009-02-10 21:38:18 - dedected.org Blog - The Kismet DECT plugin is ready for beta testingPlease follow the install and configuration directions onhttps://dedectedorg/trac/wiki/COM-ON-AIR-Kismet to get it up andrunning After having installed and loaded the client and servermodules, you should be ready to play Currently, the only way tocontrol it is via hotkeys:KEYACTIONhDisplay helpLLock channel hopping to current channelUUnlock channel hoppingFDo async FP scan defaultADo async PP scanMShow current modeiSort by RFPI ascendingISort by RFPI descendingrSort by RSSI ascendingRSort by RSSI descendingcSort by Channel ascendingCSort by Channel descendingsSort by view count ascendingSSort by view count descendingQQuitSync with selected station and dump callsMenu control will hopefully be added soonPlease TEST If you encounter a bug or miss a feature, add a ticket toour ticket system If you have general questions, send an email tomailto:kismet-dect@detectedorg -- Thankshttp://www.secuobs.com/revue/news/60498.shtmlhttp://www.secuobs.com/revue/news/60498.shtml Secuobs.com : 2009-02-10 00:16:39 - dedected.org Blog - 42 days from today we presented our DECT-related work @25c3 for thefirst time to the public Here's my perspective of a chronologicalwrapup of where we were at what time, DECT-related2006 autumn: I had gotten my hands on a DoschetAmand com-on-air card,and plugged it Knowing it won't work with the OS I live with, I gotinto hacking up pcmcia drivers and got a basic linux-driver whichexposed the 512 bytes of DIP-RAM to userspace The linux char deviceyou use today was createdI had blogged about the cardAround the same time I desoldered the flash of a DoschetAmand ISDN basestation MXB500, and read it I enhanced support in binutils for theSiemens SAB C163 controller, to analyze the flashI didn't proceed in hacking the undocumented DIP/SC14421 and put theproject on ice2007: krater independently started his work on DECT, took a radiomodule from a Binatone MD-1500, and hooked it up to an FPGAAutodidactically he learned Verilog and got all the way to propperlyreceiving DECT through a USB-hooked up Altera/ARM developer board Hefed the DECT-frames as custom ethernet frames through a loopbackdevice, and also wrote a wireshark plugin for DECT This means he hadnot only gotten into programming FPGAs but also got most of theDECT-Standard right Technically, krater was at the point where mostdedectedorg readers are today, recording DECT frames He just haddifferent hardware He used a radio salvaged from a telephone, an FPGAboard, and lots of time for new softwareend of 2007: krater found my blogpost on the com-on-air card andcontacted me we spent 24c3 virtually together from our homes, 600kmapart, in a chat and watching 24c3 live streams By the end of 2007 wewere pretty sure that the "usenet-DSC" was a fake, that the DECTsecret key is 64 bits, and that IVs are 28 bits onlyFeb 2008: Harald Welte hosts and started an internal mailing list The"Mifare-Hackers", Karsten Nohl, starbug, Nitram, Henryk join in Weassume the DECT stream cipher DSC to be found in silicon, the DECTStandard Authentication Algorithm DSAA should be found insoftware/firmware Harld Welte's private gnuradio/USRP ships tokrater Lateron it's being replaced by a CCC eV sponsoredgnuradio/USRPMarch 2008: Ralf joins the mailing listMarch 11th 2008: I analyzed the win-driver for the DoschetAmand cardsand looking for XORs I could find DSAA, there were two suspiciousXORs, but one was referring a CRC32 lookup-table, and the other oneb0 68 6f f6 7d e8 16 85 39 7c 7f de 43 f0 59 a9fb 80 32 ae 5f 25 8c f5 94 6b d8 ea 88 98 c2 29cf 3a 50 96 1c 08 95 f4 82 37 0a 56 2c ff 4f c460 a5 83 21 30 f8 f3 28 fa 93 49 34 42 78 bf fc61 c6 f1 a7 1a 53 03 4d 86 d3 04 87 7e 8f a0 b731 b3 e7 0e 2f cc 69 c3 c0 d9 c8 13 dc 8b 01 52c1 48 ef af 73 dd 5c 2e 19 91 df 22 d5 3d 0d a358 81 3e fd 62 44 24 2d b6 8d 5a 05 17 be 27 545d 9d d6 ad 6c ed 64 ce f2 72 3f d4 46 a4 10 a23b 89 97 4c 6e 74 99 e4 e3 bb ee 70 00 bd 65 200f 7a e9 9e 9b c7 b5 63 e6 aa e1 8a c5 07 06 1e5e 1d 35 38 77 14 11 e2 b9 84 18 9f 2a cb da f7a6 b2 66 7b b1 9c 6d 6a f9 fe ca c9 a8 41 bc 79db b8 67 ba ac 36 ab 92 4b d7 e5 9a 76 cd 15 1f4e 4a 57 71 1b 55 09 51 33 0c b4 8e 2b e0 d0 5b47 75 45 40 02 d1 3c ec 23 eb 0b d2 a1 90 26 12256 unique bytes This screamed for a crypto S-Box And we were rightand hit the DSAA key-exchange The S-Box was in every firmware weexaminedLateron: nomaam chimes in and together with Ralf analyzes the DSAA andcompiles it into a paper I was in close loop with Erik, Ralf andkrater to validate DSAA and hacked up a C-reference implementationMarch 21 2008: during eh2008 almost all of us meet face to face forthe first time:* Karsten Nohl* krater* mazzoo* nomaam* Ralf-Philipp Weinmann* starbugMarchetApril 2008: krater brings up a gnuradio/USRP to the point wherehis homebrew hardware was before, a commercial software defined radioand a wireshark plugin to record DECTMay 2008: Jacob Applebaum joins the mailing listJuly 2008: Ralf found a spanish patent from Alcatel, stating DSC, thestream cipher was made up of four LFSRs of 17, 19, 21 and 23 bitslength This was a very juicy detail, as Alcatel wasn't allowed tofile any patents or leak any contents on the subject, but they managedto violate atleast two clauses of the NDA in one go:6 Not to register, or attempt to register, any IPR patents or thelike rights relating to the DSC and containing all or part of theINFORMATIONand9 Not to publish a description or analysis of any aspects which maydisclose the operation of the DSC in any document that is circulated outsidethe premises of the BENEFICIARYand there's atleast 3 more clausurese we believe were violated, butwe're not lawyers we leave this to the courts, and thankfully regardAlcatel's openness :July-September 2008: we decideded to pick the com-on-air card'ssc14421 chip for reversing DSC Karsten and flylogicnet quicklyfocussed on an area in the corner of the die with shift registersMainly starbug, Karsten and myself were reverse-engineering the mainparts of DSC However it took us a 2nd and 3rd round of etchingpackages, etching or polishing down the layers and taking pictures ofeach stepOctober 2008: Gregor Molter starts implementing DSAA in an FPGA, todayKai Ogata followed up that work in his diploma thesisOctober 10th 2008: Ralf, nomaam and krater prooved the 'DECTIPUI-catching' attack A legacy FP is modified to emit a victim'sRFPI, and respond to a PP's cipher request with a cipher rejectPractically all PPs fall to the attack mainly due to holes in theDECT-Standard See also Lateron we found a number of devices that runin 'identity mode' only an fall to the simplest attack, a spoofed RFPIonlyNovember 19th 2008: Ralf finds a first weak PRNG, followed by manymore This leads to the most drastical thinkable attack againstencrypted calls: the recovery of the shared keyseconds before December 4th:commit b2185f943fd642bd46ca4e13f87d3fce374fbe69Author: Andreas Schuler Date: Wed Dec 3 23:59:21 2008 +0000WE HAVE INTERRUPTS cat /proc/interrupts :we finally were able to start really _using_ the com-on-air card underlinux, and now can handle the DIP's duty in the IRQ-handler kraterand I had a enthusiastic december, and 177 git commits followed theabove one, until the talk @ 25c3, and the first public release of thedriver and toolsDecember 11th 2008: dragorn, the author of kismet joins in, and isvery positive that any new protocol like DECT can simply be added as aplugin to his kismet-newcore kaner picks up the task, and activelymaintains the kismet DECT plugin from that point onDecember 24th 2008: for the first time Ralf and I extract audiosamples out of recorded B-Frames, and decoded them to crappy audioCrappy, as we still messed up the order of the nibbles, but the proofwas doneDecember 29th 2008: our talk @ 25c3http://www.secuobs.com/revue/news/60143.shtmlhttp://www.secuobs.com/revue/news/60143.shtml Secuobs.com : 2009-02-09 23:00:15 - dedected.org Blog - Today, the original founders of deDECTEdorg announce that they haveselected Harald Welte as official spokesman of the deDECTedorgprojectHarald has had an interest in DECT security for more than three years,and brought together some of the key people behind deDECTedorghttp://www.secuobs.com/revue/news/60117.shtmlhttp://www.secuobs.com/revue/news/60117.shtml Secuobs.com : 2009-01-26 03:35:47 - dedected.org Blog - In the blog comments i can read that there are unanswered mails onteam@dedectedorg Maybee there are mails lost cause the heavy loadof the dedectedorg website in the last days If you don't got answerin the last 3 days try it again Thanks http://www.secuobs.com/revue/news/55039.shtmlhttp://www.secuobs.com/revue/news/55039.shtml Secuobs.com : 2009-01-26 03:35:47 - dedected.org Blog - We have decided to allow anonymous users to open and comment ticktesIf you have some patches or improvements, please open a ticket Youmay also submit new howtos and documentation over the ticket systemIt is sometimes difficult to keep track of all improvements over themailing listWhen you submit source code:* Please tell us weather it is OK to put the code on dedectedorgand include it in our source tree* And tell us weather your name should be mentioned in the wikiSome people like it, some decide to stay anonymoushttp://www.secuobs.com/revue/news/55038.shtmlhttp://www.secuobs.com/revue/news/55038.shtml Secuobs.com : 2009-01-25 23:39:01 - dedected.org Blog - There have been some reports from various german tv stations, wheresome people of our team have been interviewed We would like to stresshere, that all people where the attacks have been demonstrated gave usa permission to record their phone calls, before we demonstrated theattackMost reports are about unencrypted calls only However, we think thatthere are serious security problems with some encrypted calls toolhttp://www.secuobs.com/revue/news/55029.shtmlhttp://www.secuobs.com/revue/news/55029.shtml Secuobs.com : 2009-01-25 19:04:34 - dedected.org Blog - We have updated our paper Attacks on the DECT authenticationmechanisms for the CT-RSA 2009 conference The paper covers attacks onDECT authentication We describe the DECT Standard AuthenticationAlgorithm We show that it is possible to execute an impersonationattack, if only a single side authentication is used We give adetailed description of the DSAA algorithm and show various attacks onthe block ciphers used during the authenticationhttp://www.secuobs.com/revue/news/54989.shtmlhttp://www.secuobs.com/revue/news/54989.shtml Secuobs.com : 2009-01-24 18:15:32 - dedected.org Blog - Hi thereWe decided to put up a blog to announce major updates of the site andalso to link to other interesting stuff other people put up on thewebhttp://www.secuobs.com/revue/news/54848.shtmlhttp://www.secuobs.com/revue/news/54848.shtml Secuobs.com : 2009-01-24 18:15:32 - dedected.org Blog - Tim Pritlove did an interview in his podcast Chaosradio Express withsome of our members, namely Andreas Schuler, Ralf-Philipp Weinmann,and me, Erik Tews, about the dedectedorg project The podcast isabout two hours in length but in german only Download it fromhttp://chaosradiocccde/cre102html I think it is a good point tostart, if you are new to DECT and need an overview what has happenedin the last monthshttp://www.secuobs.com/revue/news/54847.shtmlhttp://www.secuobs.com/revue/news/54847.shtml Secuobs.com : 2009-01-24 18:15:32 - dedected.org Blog - We are going to build a database of phones and their specificpotential security weaknesses If you have some phones left, you don'tneed anymore, or you are willing to spend some money on a phone forus, please send them to:TU-DarmstadtErik Tews, S202 B209Hochschulstrasse 1064289 DarmstadtGermanyIf possible, include the manual, the charger and the base station ifthe phone was sold with a base station If you want to help us with anew phone, please contact mailto:team@dedectedorg and ask, whichphones have not yet been examined Even DECT/GAP base stations withoutphones are interesting for ushttp://www.secuobs.com/revue/news/54846.shtmlhttp://www.secuobs.com/revue/news/54846.shtml Secuobs.com : 2009-01-24 18:15:32 - dedected.org Blog - there are many improvements we still can do and there's a long way togo We see a major drawback due to the fact that the type IIcom-on-air card is basically sold out Our community can't grow withno hardware available on the market Therefore we will now focus onsupporting the com-on-air type III card, there a few thousandavailable, way more than type II cards ever wereHW-wise the difference is the radio chipset, and as we heavily have totouch that code in the firmware mainly krater does that and thelinux driver what I mainly do, we will probably clean up some RFrelated driver stuff, and especially also support the frequencies forthe US variant DECT60http://www.secuobs.com/revue/news/54845.shtmlhttp://www.secuobs.com/revue/news/54845.shtml Secuobs.com : 2009-01-24 18:15:32 - dedected.org Blog - We have gotten a very first statement from the DECT Forum, the motherof DECT Read their official statement The DECT forum is concerned about our reports and is currentlyinvestigating the situation We appreciate a lot that they intend towork together with us, and are determined to improve security In ourperception only the use of public open encryption can establish thisThis would imply a DECT standard which is 100% readable by the public,not 100% minus the security features, as it is todayThey stress that it is illegal to eavesdrop telephone conversationswithout authorization We fully agree in that point and discourageanyone in doing so, or even publishing those phonecallsHowever the DECT forum concludes that due to the illegality our workand software do not pose a big threat We strongly disagree Thehardware to record phonecalls can be hidden in a small handbag, andthus prosecution is impractical The cost for the attack is also verylowAlso the statement one would need "sophisticated knowledge" is notwhat we experienced from our community We didn't care so much fordocumentation so far, but most of the dedectedorg readers have gottenit right, and now even create documents to enable anyone who is notinto the subject to eavesdrop DECT in less than 30 minutesFor all the users of DECT technology who do not intend to run a publicradio station, and for all the devices we have examied so far, we onlyhave one big fat warning: "Don't use DECT" And together with theDECT forum we hope to be able to update that statement still within2009the dedectedorg teamhttp://www.secuobs.com/revue/news/54844.shtmlhttp://www.secuobs.com/revue/news/54844.shtml Secuobs.com : 2009-01-24 18:15:32 - dedected.org Blog - We want to see how we can receive other packets than phones send , sowe are interested in unusual DECT hardware If you have anything leftthat uses DECT and is not a phone , please contact us atmailto:team@dedectedorg Especically we are now interested in a repeater or embedded systemsthat uses DECT http://www.secuobs.com/revue/news/54843.shtmlhttp://www.secuobs.com/revue/news/54843.shtml http://www.secuobs.com Observatoire de la securite Internet fr webmaster@secuobs.com 2010-11-04 03:42:28 - dedected.org Blog : A new paper about DSC attacks is now available The paper contains an improved version of the original attack on DSC as well as an FPGA implementation of the attack From the abstract The DECT Standard Cipher DSC is a proprietary stream cipher used for enciphering payload of DECT transmissions such as cordless telephone calls The algorithm was kept secret, but a team of cryptologists reverse-engineered it and published a way to reduce the key space when enough known keystreams are available The attack consists of two phases At first, the keystreams are analyzed to build up an underdetermined linear equation system In the second phase, a brute-force attack is performed where the equation system limits the number of potentially valid keys In this paper, we present an improved variant of the first phase of the attack as well as an optimized FPGA implementation of the second phase, which can be used with our improved variant or with the original attack Our improvement to the first phase of the attack is able to more than double the success probability of the attack, depending of the number of available keystreams Our FPGA implementation of the second phase of the attack is currently the most cost-efficient way to execute the second phase of the attack The paper can be downloaded here http wwwcdcinformatiktu-darmstadtde e_tews FPGA-Implementation-of-an-Improved-Attack-Against-the-DECT-Standard-Cipherpdf http://www.secuobs.com/revue/news/262319.shtmlhttp://www.secuobs.com/revue/news/262319.shtml Secuobs.com : 2010-09-23 17:42:19 - dedected.org Blog - Patrick McHardy has now published is DECT Stack for the Linux Kernel The stack is available at http dectosmocomorg You can checkout the stack with git git clone git dectosmocomorg git linux-26git Also, there are some userland utilities available git clone git dectosmocomorg git asteriskgit git clone git dectosmocomorg git libdectgit git clone git dectosmocomorg git libnlgit git clone git dectosmocomorg git libpcapgit Please see the README file first http dectosmocomorg README A documentation for the API is provided here http dectosmocomorg doxygen Source http laforgegnumonksorg weblog 2010 09 23 20100923-linux_dect_stack_mchardy_lk2010 http://www.secuobs.com/revue/news/251082.shtmlhttp://www.secuobs.com/revue/news/251082.shtml Secuobs.com : 2010-07-09 03:06:01 - dedected.org Blog - Patrick McHardy will be presenting a DECT kernel stack for Linux at the Linux-Kongress 2010 in Nuernberg, Germany on September 21th to 24th Details are available at http wwwlinux-kongressorg 2010 abstractshtml 3_3_1 http://www.secuobs.com/revue/news/238932.shtmlhttp://www.secuobs.com/revue/news/238932.shtml Secuobs.com : 2010-04-04 04:55:34 - dedected.org Blog - We now finished our work on Cryptanalysis of the DECT Standard Cipher You find the final paper and a summary at DSC-Analysis In a nutshell, we are now able to recover the key on a fast PC or server within minutes to hours, if 215 or more keystreams for DSC are known http://www.secuobs.com/revue/news/208734.shtmlhttp://www.secuobs.com/revue/news/208734.shtml Secuobs.com : 2010-02-01 03:03:01 - dedected.org Blog - We finished our first analysis of the DECT Standard Cipher The results have been accepted to FSE2010 in Seoul http cistkoreaackr fse2010 In a nutshell, we could show that the key for DSC can be recovered in minutes on a PC, if a lot of keystreams are available However, to get enough keystreams, we need several hours of a conversation We informed the DECT Forum in advance, and they are currently working on a new version of the DECT standard, which will prevent our attacks and provide much more security than current DECT phones http wwwdectorg newsaspx id 52 We would like to thank everybody who worked on this very hard, and also the DECT vendors, who are currently implementing countermeasures We are interested in feedback for the paper You may send it to the authors or leave your feedback in the blog comments http://www.secuobs.com/revue/news/187152.shtmlhttp://www.secuobs.com/revue/news/187152.shtml Secuobs.com : 2010-02-01 03:03:01 - dedected.org Blog - Our slides from the 26C3 talk are now online You find the corresponding video here http mediacccde browse congress 2009 26c3-3648-en-dect_part_iihtml http://www.secuobs.com/revue/news/187151.shtmlhttp://www.secuobs.com/revue/news/187151.shtml Secuobs.com : 2009-11-17 04:24:11 - dedected.org Blog - I am currently searching for a DECT system which runs the G729 audio codec If somebody has such a system at home, please post the name of the phone base station you used in the comments section of this posting Dumps crated using dect_cli of such systems are also interesting You can send dumps to e_tews cdcinformatiktu-darmstadtde, or upload them somewhere and post the link in the comments section Also, captures with unusual audio codecs are of interest too If some of your calls are encrypted, please pair the phone again with the base station and capture this part too, and send us your pin We can use this to recover the key used Important Only submit such captures, you created and everybody has agreed that the content of the capture is public http://www.secuobs.com/revue/news/161509.shtmlhttp://www.secuobs.com/revue/news/161509.shtml