DECT cordless phone security test-Application

Source: Internet
Author: User

Hi.baidu.com/kevin2600

Statement: the DECT phone number used in this test is already owned by me, and I strongly oppose anyone using this to cause trouble or even to break the law.


I just Googled the keyword "crack DECT cordless phone" and found these two articles: "Hackers cracked the DECT cordless phone security system" (http://news.duba.net/contents/2009-01/04/5863.html) and "Shock: digital cordless phones are vulnerable to hacker attacks" (http://www.cnw.com.cn/cnw07/news/IndustryNews/htm2009/20090106_65268.shtml).

The summary is as follows:

Security experts demonstrated how to easily crack DECT at the 25th C3 hacker conference (Chaos Communication Congress), held in Berlin, Germany, on December 29. The experts attacked DECT using a laptop running Linux and a wireless network card. The network card used to launch the attack costs 23 euros, but it had been modified. The sniffer can directly intercept phone calls and information and record them in digital form. Even if encryption is enabled, the sniffer can bypass it by disguising itself as a base station that does not support encryption.

However, these two articles do not mention the specific technical implementation. Wangcai had the honor of listening to the wonderful talks by the four experts and got a DECT card (Com-on-Air). I've been playing with DECT sniffing these days, and now I am sharing some of my experiences. BTW: if I have said something wrong, I hope you can point it out in time!


The hardware required for the experiment is really simple.

1 laptop with a PC Card slot; 1 Com-on-Air DECT card; 1 target DECT phone



This is the legendary COM-ON-AIR PC card that can be used to crack DECT.


OK. Let's take a look at the principles first. The specific steps are as follows:

1: DECT phone detection.

Detecting DECT devices is similar to detecting other wireless APs. dectshark and dect_cli can be used to detect DECT phones. It is worth mentioning that kismet-newcore also integrates kismet_dect_plugin. Haha... you can scan for cordless phones in the street.



Look! Soon I will find my phone number. Pay attention to the data traffic.



2: Detecting and downloading data.

I personally recommend that you use dect_cli to perform a series of operations such as detecting and downloading data. Its functions are similar to Aircrack, which is really silly.

The scan found my DECT Base Station and DECT phone.


Then wait for the target call, and finally download the call data and save it as a pcap file.



You can also use Wireshark to open the downloaded pcap file.



After dumping the DECT data, convert it to a WAV file using g72x and SOX.


Then you can play the video...
