Failure to enable an encryption option in Digital Enhanced Cordless Telecommunications (Dect) phones can allow an attacker to overhear and record calls.
This was demonstrated to SC Magazine by ProCheckUp researcher George Christopoulos. He said that rather than this being a vulnerability, the problem is that the manufacturers do not enable encryption as standard, despite users believing that it is ‘super secure’.
Christopoulos said: “We started looking at this a couple of years ago and it is easy to accomplish eavesdropping on any conversation.”
He explained that each phone has ten frequencies and its own range, and a hacker will find the best frequency to ‘lock on’. Using a rooted booster card, an attacker can detect the connection and listen to all calls that have been made. Christopoulos said that this attack is completely transparent to the victim.
The booster card is the PCMCIA card type 2, which is now almost impossible to find. It was produced as a signal booster so that phones could be used over a wider area away from the base station, but if the card is broken, intercept code can be implanted on it.
Christopoulos said that the shell will show that a call has been made, display the identity of the base station of the Dect phone and begin recording the call. He explained that there is no limit to the length of call that can be recorded, and that the auto record function stops at the end of a call and begins again once another call is made, without the attacker's intervention.
“If encryption is in place, then the same thing happens with auto record but the call will be silent when they play it back. However this is not bullet-proof, as an attacker can build a rogue base station that your handset will try to connect to,” he said. He also explained that Dect phones have no mutual authentication or certificate to their individual base stations.
He said: “Everyone should be more concerned about the dangers in the technology that we are using. You can use it, but with caution and if you are using a Dect phone, you might need to change it.”
For the experiment, which Christopoulos said began around three years ago, ProCheckUp purchased the top ten Dect phones from Amazon. He said that the ‘majority’ were susceptible to attack, as they did not use encryption.