For several years now, interested people have been doing ever more with GNU Radio and the USRP ‘software radio’ hardware from Ettus Research. The USRP is a USB hardware device that can be made to act like any radio, using the GNU Radio software to alter its behaviour. Thus, the $1000 USRP can be made to act like a GSM phone, a WiFi Router, a regular FM radio or indeed a Tetra radio.

The OpenBTS project first showcased what was possible: a DIY GSM mast that allowed you to use a regular mobile phone to make calls without using the regular legitimate GSM carriers – using just a laptop & USRP peripheral. Calls were routed through an Asterisk VOIP gateway. This project was actually tested for real at The Burning Man festival & also the 2009 Hackers At Random conference .

Once the open-source GPL’d OpenBTS was out there regular coders could look and see how everything fitted together. Of course it was only a matter of time before other GSM applications followed.

The report at The Register states that the Chaos Computer Club (CCC) of Germany will be releasing tools in the next couple of months that will allow anyone with a laptop & antenna (and presumably a USRP) to listen in on encrypted GSM calls. They plan to build a huge A5/1 Rainbow Table of pre-computed encryption hashes (which is basically a lookup table of every possible answer for an encryption key) of some 2 terabytes in size. Presumably you’ll be able to post your key online and get a result from the rainbow table, in the same way you can with Windows Login passwords right now. Of course posting such a request to the table via the internet would probably get you a black mark down at Spooks HQ – and i’m quite sure they’ll be listening!

It’s amazing to think that this year will have seen both Dect and GSM hacked to bits. All this is possible because of the USRP hardware & ever faster PCs. 3G phones however will be safe for some time to come, as it will be only the original implementations of GSM that can eventually be eavesdropped upon.

http://www.theregister.co.uk/2009/08/28/mobile_phone_snooping_plan/

Also, an article from the German Financial Times, translated to English.

This means that someone with just a Laptop, Com-On-Air wireless Dect PCMCIA card & Ubuntu Linux can now monitor all those conversations you have. Imagine how much information you could be providing for identity thieves!

If you use telephone banking or use your credit card to pay for goods over the phone, then you really should go back to using a regular wired home phone for these calls at least (or just use your proper mobile, as these are still secure).

If you’re fortunate enough to own a DECT phone that does encrypt (list), then you are still at some risk, the reason: the data-stream passing between your phone & base-station can still be recorded – but at this moment it can’t be turned into a conversation. Once more malicious hackers start to understand the current software, then eventually brute force hacks for the encrypted calls will appear – and when they do your old calls could be dusted-off & decrypted.

Worryingly, it seems that Dect is used for controlling traffic lights & some wireless credit card terminals. So these will likely become targets too.

This hack originated in Germany and their equivalent of the BBC’s Panorama have already done a piece on it. The equivalent of the UK’s OFCOM have already issued advice to Germans that they should stop telephone banking & giving out credit card numbers over cordless Dect phones.

The equipment still takes a fair bit of computer knowledge to get working, and the PCMCIA cards are only available in limited numbers – so it might not become an epidemic-level problem. The Dosch Amand Com-On-Air type II PCMCIA cards which were selling for €40 two weeks ago are now changing hands for €200+ on eBay!

Frontal21 (like BBC’s Panorama in the UK) website piece.

Video of Frontal21 episode

If you want to experiment you can buy a DECT card for your PC from www.ebay.de (that’s the German eBay). Look for vendor arc-computer2 & you could pickup a type III PCMCIA or PCI card for around €25 – you should pay €10 for UK carriage if in doubt.

Both the PCI card and type III PCMCIA card aren’t yet supported in the dect_cli software, but they soon will be. Once supported they’ll rocket in value like the type II cards already have – as these items are no longer manufactured & stock of the product is limited.

Here’s a recent screengrab from eBay.de – notice the joker selling a signed-by-the-hackers type II card for €2500.

Siemens Gigaset Dect Security – Read the press release.

If you didn’t know already, DECT is the technology used by the current generation of cordless home phones & baby monitors. So now, not only is it probably bad for you, it’s also insecure!

The researchers reverse-engineered a standard Com-On-Air PCMCIA DECT card – which is normally used in a Windows laptop to bridge/ link DECT phones to Asterisk VOIP/SIP networks – and demonstrated their Linux-based sniffer at 25C3 hackers congress.

The PCMCIA Class II card costs just €40 from www.arc-computer.de (in Germany, you can buy one via their eBay shop). You will need a PC running Linux to do anything useful with it, and really it’s just a proof-of-concept tool right now. But watch this space.

Read more about it:

http://events.ccc.de/congress/2008/Fahrplan/events/2937.en.html

http://www.theregister.co.uk/2008/12/31/dect_hack/

https://dedected.org/cgi-bin/trac.cgi