DECT Sniffing Dedected
From BackTrack Linux
This article was contributed by 5M7X.
- URL : http://www.back-track.de/index.php?page=team#smtx
- Twitter: http://twitter.com/#!/5M7X
- Email : 5M7X@mail.ru
BIG FAT HAIRY WARNING: IT IS ILLEGAL TO RECORD PHONE CONVERSATIONS IN MANY COUNTRIES.
For a list of state privacy laws in the US, check http://epic.org/privacy/consumer/states.html and http://fjallfoss.fcc.gov/edocs_public/attachmatch/DOC-266204A1.pdf.
What is DECT?
http://en.wikipedia.org/wiki/Digital_Enhanced_Cordless_Telecommunications
The problem?
Most vendors don't implement encryption in their devices, so the traffic can be sniffed with certain hardware and software.
For a previous post on the topic, check: http://www.offensive-security.com/backtrack/sniffing-dect-phones-the-details/
Tested on
- BackTrack 5 final x86 KDE with kernel 2.6.38
- Original Dosch&Amand Type II PCMCIA Card
- SIEMENS C1 DECT Phones set up in repeater mode
NOTE: This is experimental software which is not very actively supported anymore!
Installing dedected
In order to get dedected installed on BackTrack, you have the choice between:
- Use dedected from the BackTrack 5 repositories.
- Compile it on your own if you want to experiment.
Install from repository
root@bt:~# apt-get update
root@bt:~# apt-get install dedected
Install from source
This stage is optional for those wanting to build the tools from source code.
root@bt:~# prepare-kernel-sources
root@bt:~# cd /usr/src/linux
root@bt:~# cp -rf include/generated/* include/linux/
root@bt:~# cd /pentest/telephony
root@bt:~# svn co https://dedected.org/svn/trunk dedected_svn
root@bt:~# cd dedected_svn/com-on-air_cs-linux/
root@bt:~# make && make -C tools
Install some additional tools
root@bt:~# apt-get -y install audacity
Load the drivers
root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux
root@bt:~# make node
If you have not yet inserted your Dosch&Amand Type 2 or Type 3 or Voo:doo PCMCIA card, do so now! Next, we load the driver:
root@bt:~# make load
Scan for fixed parts a.k.a. fp (DECT base stations)
root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux/tools
root@bt:~# ./dect_cli
If you need info on the usage, type "help". If you live in the U.S., switch to the US/DECT 6 band via the "band" command. Let's enable some verbosity:
verb
And start scanning for base stations:
fpscan
After scanning 2-3 times through all channels, disable verbosity and stop scanning:
verb
stop
Ignore phones you don’t want to sniff (e.g. your neighbours!)
Start a callscan
callscan
Now grab your DECT handset, make a test phone call and wait until you see the call appear. It is also sufficient if you just get a dialing tone. You should see something like:
### found new call on 00 82 31 33 73 on channel 7 RSSI 34
stop
Name your basestation if you want:
name 00 82 31 33 73 stallowned
Dump all found phones:
dump
IMPORTANT: ignore every other phone except yours via the following command!
ignore 01 30 95 13 37
Record the phone call
Start automatic recording of every phone call it detects:
autorec
Now grab your DECT telephony handset and make a test call. I recommend calling a "time telling service" that can be reached over a normal phone number. You should get something like this:
### starting autorec
### stopping DIP
### starting callscan
### trying to sync on 00 82 ab b0 29
### got sync
### dumping to dump_2011-06-11_21_37_37_RFPI_00_82_ab_b0_29.pcap
### stopping DIP
After you hang up your phone call, the dumping should stop.
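As an added example (not part of the original article or of dedected), a small Python parser for the dect_cli messages shown above and for the dump file names. It lets you check, before decoding anything, that only the RFPI of your own named base appears in the log, i.e. that the ignore list was complete. The log text below is constructed from the lines on this page; the message format is assumed to match them.

```python
import re
from datetime import datetime

# Patterns for the two dect_cli messages shown on this page (format assumed stable).
CALL_RE = re.compile(
    r"### found new call on ((?:[0-9a-f]{2} ){4}[0-9a-f]{2}) on channel (\d+) RSSI (\d+)",
    re.IGNORECASE,
)
DUMP_RE = re.compile(
    r"### dumping to (dump_(\d{4}-\d{2}-\d{2}_\d{2}_\d{2}_\d{2})"
    r"_RFPI_((?:[0-9a-f]{2}_){4}[0-9a-f]{2})\.pcap)",
    re.IGNORECASE,
)


def normalize_rfpi(raw):
    """Return an RFPI as five lowercase, space-separated bytes (file names use '_')."""
    return " ".join(raw.replace("_", " ").lower().split())


def parse_dect_cli_log(text):
    """Extract detected calls and started dumps from dect_cli output."""
    calls, dumps = [], []
    for line in text.splitlines():
        m = CALL_RE.search(line)
        if m:
            calls.append({"rfpi": normalize_rfpi(m.group(1)),
                          "channel": int(m.group(2)), "rssi": int(m.group(3))})
            continue
        m = DUMP_RE.search(line)
        if m:
            dumps.append({"path": m.group(1),
                          "started": datetime.strptime(m.group(2), "%Y-%m-%d_%H_%M_%S"),
                          "rfpi": normalize_rfpi(m.group(3))})
    return {"calls": calls, "dumps": dumps}


def rfpis_outside_allowlist(parsed, allowed):
    """RFPIs seen in calls or dumps that are not your own bases: these should have been ignored."""
    allowed = {normalize_rfpi(a) for a in allowed}
    seen = {c["rfpi"] for c in parsed["calls"]} | {d["rfpi"] for d in parsed["dumps"]}
    return sorted(seen - allowed)


# Constructed sample log, assembled from the messages shown on this page.
SAMPLE_LOG = """### found new call on 00 82 31 33 73 on channel 7 RSSI 34
### found new call on 01 30 95 13 37 on channel 3 RSSI 21
### starting autorec
### trying to sync on 00 82 ab b0 29
### got sync
### dumping to dump_2011-06-11_21_37_37_RFPI_00_82_ab_b0_29.pcap
### stopping DIP"""
```

Run `rfpis_outside_allowlist(parse_dect_cli_log(log), ["<your base RFPI>"])` on a saved dect_cli session; a non-empty result means a foreign base was not ignored and its dump should be deleted.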
Decode the call out of the datastream
Stop the autorec:
stop
Decode the audio stream out of the raw dump:
root@bt:~# ./decode.sh
Import the streams into audacity and listen to the calls
Start audacity via "alt + f2", then type "audacity" and press enter. Import the fixed-part and the portable-part .wav files from /pentest/telephony/dedected/com-on-air_cs-linux/tools via File -> Import -> Audio, or simply "ctrl + shift + I". Import the files which end in .pcap_fp.ima.g721.wav and .pcap_pp.ima.g721.wav.
Play your phone call with the play button.
Hint: if you can only hear noise, your phone seems to use some encoding/encryption. You can enable the repeater mode on your telephone so that it disables encryption, and then test whether your setup is working properly.
Clean up / Reload
If you need to reload the drivers:
root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux
root@bt:~# make reload
If you’re finished and want to clean up:
root@bt:~# cd /pentest/telephony/dedected/com-on-air_cs-linux
root@bt:~# make unload
root@bt:~# rm /dev/coa
DECT protocol
If you are interested in more details of the protocol, you can open the .pcap file in Wireshark.
Video: Sniffing DECT phones with BackTrack 5
Sniffing DECT phones with BackTrack from smtx.