From: “Dave Emery” <die@pig.die.com>
To: jpp@software.net (John Pettitt)
Message Hash: 3cca95792fca7455bb903407e0fdb7549307c18ce52691d36425bd6068421d34
Message ID: <9512210134.AA05683@pig.die.com>
Reply To: <199512202219.OAA26567@software.net>
UTC Datetime: 1995-12-21 01:35:00 UTC
Raw Date: Wed, 20 Dec 95 17:35:00 PST
From: "Dave Emery" <die@pig.die.com>
Date: Wed, 20 Dec 95 17:35:00 PST
To: jpp@software.net (John Pettitt)
Subject: Re: 900mhz digital phones - how much to trust ?
In-Reply-To: <199512202219.OAA26567@software.net>
Message-ID: <9512210134.AA05683@pig.die.com>
MIME-Version: 1.0
Content-Type: text/plain
> John Pettitt, jpp@software.net writes:
>
>
> Whats the current thinking on the security level of 900Mhz digital spread
> sectrum cordless phones? Clearly it's not a basic scanner job but how much
> more equipment is needed to monitor one ?
The easiest way to do this is to simply buy a similar phone
which has all the required signal processing hardware for that particular
type of spread spectrum and modify it to receive promiscuously and
not transmit while doing so,
As far as I know, essentially no cordless phones use any kind of
actual secure encryption of the digital bit stream, so all you have to
do is ensure that your shadow phone is primed with the correct spreading
sequence or hopping sequence and is tuned to the right center frequency.
Typically choices for these are very limited (maybe 20 channels) and
modifying the micro firmware in a phone or base unit to search all
possiblities is realistic, especially with the help of an external PC as
controller.
The digital 900 mhz phones all use different proprietary
modulation schemes, but many of them simply transmit a FSK or BPSK rf
carrier digitally modulated by the output bitstream of a codec chip
(CVSD or regular u-law PCM) on one of several randomly selected
channels, perhaps slowly hopping from channel to channel in a fixed
sequence. Even the phones that use direct sequence spreading are
effectively just transmitting a fast BPSK signal modulated at the chip
rate. Receivers and signal processing boxes capable of dealing with
this kind of digital modulation are a standard commodity item in the
spook world (made by Condor Systems and Watkins Johnson and the like)
and even sometimes show up on the high tech surplus market (and are
collected by some of us who collect high tech spook hardware as a hobby)
- they are however very expensive compared with simply modifying a
couple of real phones to do the job.
The digital modulation and "spread spectrum" features of 900 mhz
phones are primarily intended to allow them to share the 902-928 mhz
band with all the other users (other phones, truck tracking systems
short range wireless video cameras and video distribution, various
industrial users, wireless LANs of several types, ham radio operators,
and several other types of unlicensed uncoordinated devices radiating up
to 1 watt of power) without suffering the kind of interference that
has plagued the older 46/49 mhz FM type. The FCC in fact requires
some level of spectrum spreading for this purpose but leaves the
actual choice up to the implementor rather than establishing a standard
method.
Obviously only a secure form of encryption with randomly chosen
and wide enough keys would really make intercepting a digital cordless
phone difficult for someone determined to do so, especially if they were
targeting one particular phone. I believe almost all of the
manufacturers have chickened out in the face of NSA and ITAR and not
even implemented toy encryption with random keys - they are simply
assuming that Joe Sixpack or his 14 year old son won't be able to pick
them up on a commercially available scanner and that the federal law
banning sale of scanners capable of intercepting digital transmissions
and converting them to analog listenable audio will keep the scanner
companies from marketing such and keep customers from complaining about
nosey neighbors listening to their calls.
But don't assume that if someone really has some serious reason
to want to intercept one they won't be able to - and it is almost
certain that expensive ($5-$20K) DSP based systems capable of
intercepting several common types are already for sale to the usual
suspects.
And finally one should not forget that unless one has an ISDN
line, intercepting calls on regular analog subscriber loops (normal
telephone lines) by virtually undetectable simple alligator clip class
wiretaps or bugs is something that any bright 12 year old can pull off
(and many do before they grow up) - so if you have something to hide you
shouldn't trust the phone at all.
Dave Emery
die@die.com
Return to December 1995
Return to “John Pettitt <jpp@software.net>”