DECT cordless telephone security test

ID MYHACK58:62200924125
Type myhack58
Reporter Anonymous
Modified 2009-08-03T00:00:00


Disclaimer: The DECT phones tested in this article are all my own. I strongly oppose anyone using this for improper purposes, let alone breaking the law!

Just Google with "hack DECT cordless phone" as the keyword. I found these 2 articles: one on hackers cracking the DECT cordless telephone security system, and one on digital cordless telephones being unsafe and vulnerable to hacking.

Part of the content summary is as follows:

On December 29, at the 25th Chaos Communication Congress (25C3) hacker conference in Berlin, Germany, security experts demonstrated how easy it is to crack DECT. They attacked DECT using a laptop running Linux and fitted with a wireless card. The wireless card used for the attack costs 2 to 3 euros, but it has to be modified. The sniffer can directly intercept calls and information and record them in digital form. Even if the user has enabled encryption, the sniffer can bypass it by disguising itself as a base station that does not support encryption.

But neither of these 2 articles mentions the specific technical implementation. I had the privilege of being there in person to hear the four experts' wonderful talk, and of getting a DECT card (Com-On-Air). I have been playing with DECT sniffing these days and will now share part of the experience. BTW, I am new to this field, so if I get something wrong, I hope the experts will point it out promptly!

The hardware required for the experiment is really very simple:

1 notebook with a PC Card slot; 1 Com-On-Air DECT card; 1 target DECT phone

This is the legendary COM-ON-AIR PC Card that can be used to crack DECT.

OK, before going deeper into the principles, let's get some practice first. The specific steps are as follows:

1: Detect the DECT phone.

Detecting a DECT phone is almost the same as detecting a wireless AP. It can be done with dectshark and dect_cli, 2 pieces of software written for DECT phones. It is worth mentioning that kismet-newcore also integrates kismet_dect_plugin. Ha... you can sweep the whole street for cordless telephones!

Look! It soon found my phone. Note that there is data traffic.

2: Probe and download the data.

I personally recommend dect_cli for probing, downloading the data, and the rest of the operations. It works much like Aircrack and is really foolproof.

The scan found my DECT base station and DECT phones.

Then wait for the target to make a call, and finally download the call data and save it as a pcap file.

You can also use Wireshark to open the downloaded pcap data.

After the DECT data has been dumped, it can be turned into a WAV file using a tool called g72x together with SoX.

Then you can play it back!