After researchers demonstrated at a German trade show they could listen in on some calls made over Digital Enhanced Cordless Telecommunications (DECT) networks, a Canadian analyst has advised companies not to send sensitive information over DECT networks.
“DECT really ought to be used for consumer applications and avoided by enterprises,” said Mark Tauschek, senior research analyst at Info-Tech Research Group of London, Ont. “Get rid of anything that you have that’s based on DECT.”
The DECT protocol is used in millions of cordless phones, as well as in wireless debit card readers, security doors and traffic management systems. It has encryption built in, but the protocol is kept secret. Last month, European security experts said they built a cheap laptop-based sniffer that can break into cordless phones, debit card terminals and security door mechanisms - and the same gear will also work on the next generation of DECT, known as CAT-iq.
The attack on DECT, demonstrated at the 25th Chaos Communication Congress in Berlin, used a Linux laptop with a modified laptop card. It can intercept calls and information directly, recording them in digital form. Even if encryption is switched on, the system can bypass encryption - simply by pretending to be a base station that doesn't support it.
Though DECT was originally developed by the European Telecommunications Standards Institute, the protocol is widely used in Canada.
“I’m speaking from a DECT 6 phone,” Tauschek told Network World Canada. “It’s becoming increasingly common in Canada, and the DECT 6 standard is really really good for coverage range, and voice quality, and it’s also good for interference because it doesn’t interfere with other stuff in the 2.4 or 5 GHz spectrum.”
But Tauschek added that companies should not use this wireless standard to transmit sensitive information.
“I don’t think DECT was necessarily intended to be used by the Secret Service or the CIA or that kind of thing,” he said. “I think it really was intended more as a consumer application although it has translated into wireless (point of sale) systems and debit card and credit card readers.”
If someone spoofs an unencrypted base station and DECT devices can't get encryption to work, all the most popular phones will happily revert to unencrypted communications, said Andreas Schuler, from the Dedected group, which demonstrated the problems in Berlin. “A phone should break the connection if the encryption is rejected, but the priority from the manufacturer lies on interoperability not on security, so this is accepted to make the phones work with more (unsecure) stations.”