February 17th, 2008
|ticom||10:08 pm - Cordless Phone Security: An Updated Look|
Originally published in Issue #27 of Phantasy E-Zine.
Back in the day when it was legal to listen to them, cordless phones operated on some readily accessible portions of the RF spectrum. The base unit transmitted just above the AM broadcast band. It was possible to take most AM/FM radios, tune them to the top end of the AM band, and hear cordless phones up to a mile (or more) away. We called that particular station “WSPY”. The handsets operated on 49 Mhz. The frequencies were the same used by baby monitors and those cheap FM hands-free walkie-talkies you could get from Radio Shack. You could buy one for $50 and walk around your neighborhood tuning through the five channels to hear your neighbor. Glorious days.
Monitoring cordless phones is illegal. The tests performed for this article were conducted in a laboratory environment with phones that were not connected to the public switched telecommunications network. No electronic communications were surreptitiously intercepted during the research and writing of this article. In 1986 the cellular phone industry paid off enough congressmen and senators to get a law passed called the ECPA: Electronic Communications Privacy Act. Originally cordless phones were exempt from this law as common folk weren't afforded the same protection as the cellular phone companies and their customers. At some point that changed and cordless phones were protected the same as cellular phones. The Feds made it illegal to sell police scanners that could receive cellular phone frequencies to the general public, but not cordless phones. Cordless phones share frequencies with other services and are considered Part 15 unlicensed devices. They can not cause interference to other licensed services and have to accept interference from them. Eventually cellular phone service became digital and one could not listen to them even with the old “unblocked” scanners with “full 800 MHz coverage”. What about cordless phones though? The old analog cordless phones operating on the 40 MHz channels were replaced with “digital spread spectrum” phones operating on higher frequencies: 900 MHz, 2.4 Ghz., and 5.8 Ghz. Scanners can't go up that far in frequency, and even if they could the “digital spread spectrum” signal offers you privacy. Or does it?
I was in a popular retail chain not too long ago browsing in the electronics section while my wife did her shopping. I have found many interesting applications for both stock and slightly customized off-the-shelf consumer electronics gear. Between the retail chains and Radio Shack you can still put together a powerful gear set-up for your endeavors, and that really hasn't changed in twenty years. Looking though the phones I saw a 5.8 Ghz. cordless phone for $10. That figure seems a magical amount for some reason. When the price gets down to that level, you really begin to examine it with an eye for doing some hack with it. The thing about 5.8 Ghz phones is that there currently isn't a police scanner out there that goes that high in frequency. Most scanners top out at 1.3 Ghz. and here are some high-end communications receivers that will cover the 2.4 Ghz. band. Even if it was an analog phone, it still should offer some security. Right? It seemed like a perfect project for a bored RF hacker.
It turns out the 5.8 Ghz. cordless phone feature is simply a marketing ploy. Check the FCC ID of any low-end and most mid-grade cordless phones and you will find out that they are not only good old analog FM, but also operate split-band. The handsets run on 5.8 Ghz., but the base station remains on the easily monitored 902-928 MHz band that is shared with wireless speaker systems, upgraded baby monitors, spread spectrum data communications, and ham radio operators. In fact, it turned out that the frequency of 927.500 MHz used as a national simplex channel by hams is also popular with cordless phones and baby monitors! While some manufacturer's attempt to obscure aspects of a product's operation by claiming it's a “trade secret”, you can still find the frequency band a device operates on, and in some instances find the actual frequencies of the device in the technical documentation the company submits to the FCC. Even if specific frequencies are unavailable, bringing the phone off hook and searching 902-928 MHz will quickly find you a dial tone on your receiver.
The only way to somewhat assure your cordless phone is secure from eavesdropping with common receiving equipment is to look for a phone which is advertised as “digital” or “spread spectrum”. These are the “high-end” phones, and will cost more than that $10 Wal-Mart special. The best of the bunch are the TDMA phones used with commercial PBX systems that operate in the unlicensed portion of the 1.9 Ghz. PCS band. In second place would be a phone operating in the 5.8 Ghz. band, provided it is a digital or spread spectrum phone and not an analog split-band phone. By checking the FCC ID of the phone, it is easy to find out what band(s) a particular model operates on. Most computer hobbyists will want to avoid the 2.4 Ghz. phones as they have been known to have interference issues with WiFi gear operating on the same band. This is not always the case however, especially with digital/spread-spectrum phones. I discovered an Oregon Scientific TW339 2.4 Ghz. digital phone FCCID KT5-TW339 that had no problems co-existing with an 802.11g wireless LAN. That phone was less than $20 at a local odd-lot store.
Evaluating the security of cordless phones only requires a minimum of equipment that should be standard fare in any phone phreak's kit. All one needs is a police scanner with “search” mode that covers the 902-928 MHz band. In this particular instance I used the recent hacker standby Radio Shack PRO-83 “Signal Stalker”. This model is discontinued, but newer models with the same functionality are available in the $100-$150 price range. The phone used in the test was a Uniden “5.8 Ghz.” Model #DXAI5588-2 with an FCC ID of AMWUC023. A check of the FCC ID indicated that this was a “split-band” phone with the base operating on the 902 MHz band. By placing the scanner in Signal Stalker mode and going off hook the scanner quickly acquired the frequency of the base station. Using the stock rubber duck antenna, the frequency was able to be acquired while in signal stalker mode from a maximum distance of five feet. This is more than adequate for test purposes. If the base station uses analog FM, this set-up will acquire a signal.
When cordless phones operated in the 40 MHz band, anecdotal evidence on various hobbyist forums indicated that with the right set-up, intercept ranges of up to one mile could be achieved. Just how far would a 900 MHz cordless phone base transmit? This is important from a COMSEC standpoint because the security issues become somewhat moot if the phone's signal cannot go past one's front yard. In this case, I'd put together a scanner dweeb's dream set-up and see just how far a 900 MHz, cordless phone base will transmit. With most receiving set-ups, the antenna is what makes or breaks the installation. The antenna used for the distance test was a commercial “3db gain” 800/900 MHz mobile antenna. Using this antenna, a reception distance of about 500 feet was obtained. So while the reputed “one mile range” is out of the question, a 900 MHz phone can still be intercepted from over a football field away. This is not as much of a problem in rural areas as it would be in an urban environment.
One of the advantages a good hacker has is the ability to use his or her technological skills to see beyond the marketing hype to ensure the personal privacy of themselves and their family. In this instance, it could have been erroneously inferred that this “5.8 Ghz.” cordless phone would be much less vulnerable to eavesdropping because of its advertised frequency range. The reality of the situation, confirmed by a quick and easy technical test, was that it was no more secure than phones from ten years ago. You may not mind the fact that your calls to the pizzeria and Chinese restaurant for take-out can be easily monitored. If you're like most people, your phone conversations are probably mundane and boring. Ignorance however is not bliss. While your cordless phone privacy may not be a high priority, you are aware of the vulnerability and that is what's important.
Current Location: Shadow Gallery
I, for one, enjoyed reading this. As an tinkering college kid with a couple odd hobbies, I might enjoy that sort of thing
|Date:||February 18th, 2008 05:19 pm (UTC)|| |
Glad to see people still come here. :)
I always wondered if your wifi nic could receive 2.4ghz phone signals. Possible? That'd be a scary prospect.
|Date:||February 19th, 2008 02:08 am (UTC)|| |
Certain technical experimenters have had success using the IF output of a Wavecom 2.4 Ghz. video receiver. (a/k/a VCR Rabbit).
I miss the glory days of cordless eavesdropping, but perhaps there are a few of those glory days left after all.
|Date:||August 9th, 2008 07:24 pm (UTC)|| |
How about DECT
At the stores, I am now seeing phones advertised as "DECT 6.0" which apparently operate at 1.9 GHz. They advertise it as digital but I don't know if it's entirely digital. Reading up a bit on the DECT standard, it seems like there is a level of encryption but it hard to tell how strong it is -- "DECT Standard Cipher", 35-bit initialization vector and 64-bit encryption on voice data. Who knows how it's implemented either, on consumer phones.
Makes me wonder how that privacy compares to 2.4 GHz or 5.8 GHz digital spread spectrum. Do DECT 6.0 phones use spread spectrum techniques as well? From an eavesdropping perspective, I suspect that a spread spectrum digital signal is more difficult to intercept than DECT, whose weak encryption can be easily cracked.
|Date:||September 14th, 2008 01:30 am (UTC)|| |
Definitely a good read Tom.
I'd like to talk to you if you've got a moment; about mirroring your zine on www.undergroundnews.com
Give me a hollar if you get the chance.
|Date:||September 15th, 2008 08:21 pm (UTC)|| |
Mirrors of the 'zine are always welcome.