After researchers demonstrated at a German trade show they could listen in on some calls made over Digital Enhanced Cordless Telecommunications (DECT) networks, a Canadian analyst has advised companies not to send sensitive information over DECT networks.
“DECT really ought to be used for consumer applications and avoided by enterprises,” said Mark Tauschek, senior research analyst at Info-Tech Research Group of London, Ont. “Get rid of anything that you have that’s based on DECT.”
The DECT protocol is used in millions of cordless phones, as well as in wireless debit card readers, security doors and traffic management systems. It has encryption built in, but the protocol is kept secret. Last month, European security experts said they built a cheap laptop-based sniffer that can break into cordless phones, debit card terminals and security door mechanisms – and the same gear will also work on the next generation of DECT, known as CAT-iq.
The attack on DECT, demonstrated at the 25th Chaos Communication Congress in Berlin, used a Linux laptop with a modified laptop card. It can intercept calls and information directly, recording them in digital form. Even if encryption is switched on, the system can bypass it – simply by pretending to be a base station that doesn’t support encryption.
Though DECT was originally developed by the European Telecommunications Standards Institute, the protocol is widely used in Canada.
“I’m speaking from a DECT 6 phone,” Tauschek told Network World Canada. “It’s becoming increasingly common in Canada, and the DECT 6 standard is really really good for coverage range, and voice quality, and it’s also good for interference because it doesn’t interfere with other stuff in the 2.4 or 5 GHz spectrum.”
But Tauschek added that companies should not use this wireless standard to transmit sensitive information.
“I don’t think DECT was necessarily intended to be used by the Secret Service or the CIA or that kind of thing,” he said. “I think it really was intended more as a consumer application although it has translated into wireless (point of sale) systems and debit card and credit card readers.”
If someone spoofs an unencrypted base station and DECT devices can’t get encryption to work, all the most popular phones will happily revert to unencrypted communications, said Andreas Schuler, from the Dedected group, which demonstrated the problems in Berlin. “A phone should break the connection if the encryption is rejected, but the priority from the manufacturer lies on interoperability not on security, so this is accepted to make the phones work with more (unsecure) stations.”
Another Dedected member, University of Luxembourg cryptographer Ralf-Philipp Weinmann, said it is not clear whether the same method would work on debit card reading systems, since these may enforce the use of encryption, or employ higher level encryption such as secure sockets layer (SSL).
“We haven’t been able to verify whether any POS terminals actually do reject unencrypted communications,” said Weinmann.
In any case, Tauschek said, retailers relying on wireless point of sale terminals should use a different standard, such as Wi-Fi encrypted by 802.11i, because it has stronger security features, such as Advanced Encryption Standard (AES).
DECT’s use of a secret encryption algorithm is wrong, Weinmann added.
“Both the DECT encryption algorithm (DSC) and the DECT authentication algorithm (DSAA) were unpublished and have hence not been subject to scrutiny by outside experts,” he said. “ETSI really should be using peer-reviewed algorithms, and I hope that in future standards DSC and DSAA will be replaced with published and peer-reviewed algorithms.”
As for the new version of DECT, CAT-iq, it “merely adds new features such as wideband codecs and audio/video streaming to the existing DECT standard,” Weinmann said.
“It does not change anything security-wise. Hence our attacks apply to products implementing CAT-iq as well.”