Exposing Dinosaur Phone Insecurity With Software Defined Radio

Long before everyone had a smartphone or two, the implementation of a telephone was much stranger than today. Most telephones had real, physical buttons. Even more bizarrely, these phones were connected to other phones through physical wires. Weird, right? These were called “landlines”, a technology that shuffled off this mortal coil three or four years ago.

It gets even more bizarre. some phones were wireless — just like your smartphone — but they couldn’t get a signal more than a few hundred feet away from your house for some reason. These were ‘cordless telephones’. [Corrosive] has been working on deconstructing the security behind these cordless phones for a few years now and found these cordless phones aren’t secure at all.

The phone in question for this exploit is a standard 5.8 GHz cordless phone from Vtech. Conventional wisdom says these phones are reasonably secure — at least more so than the cordless phones from the 80s and 90s — because very few people have a duplex microwave transceiver sitting around. The HackRF is just that, and it only costs $300. This was bound to happen eventually.

This is really just an exploration of the radio system inside these cordless phones. After taking a HackRF to a cordless phone, [Corrosive] found the phone technically didn’t operate in the 5.8 GHz band. Control signals, such as pairing a handset to a base station, happened at 900 MHz. Here, a simple replay attack is enough to get the handset to ring. It gets worse: simply by looking at the 5.8 GHz band with a HackRF, [Corrosive] found an FM-modulated voice channel when the handset was on. That’s right: this phone transmits your voice without any encryption whatsoever.

This isn’t the first time [Corrosive] found a complete lack of security in cordless phones. A while ago, he was exploring the DECT 6.0 standard, a European cordless phone standard for PBX and VOIP. There was no security here, either. It would be chilling if landlines existed anymore.

73 thoughts on “Exposing Dinosaur Phone Insecurity With Software Defined Radio

    1. I just got rid of mine last month. Moved it to VoIP. I’m sure I’ll miss that copper reliability (911 baby), and the ability to use my fax machine. I will however NOT miss the outrageous bill which was twice my cell.

      1. For sure, it was far to expensive. Keep in mind GSM phones are just about as easy to listen into. Wireless can never be secure. Hopefully I’ll have a video on that within the year.

          1. It works until it dont. GSM can be decrypted in realtime with of the shelf parts now.
            3g 4g not so much but there will come a time when that wont be safe either. Ofcourse by that time it is most likley old tech that have been replaced with something newer and more secure.

      2. That;’s the thing though, people use VoIP but then you get a local ‘landline’ in the house and then people get the old cordless phones connected to that. So if that has no encryption.. (and DECT has encryption, but it’s optional so they often don’t use it) then you are in trouble.

    2. I’d even add that many fold just move those behind a TA of some sort, e.g. Vonage, Verizon. Or even use those supposedly dead land line phones behind a device that provides ringing voltage with Bluetooth pairing to a cell phone, so you can still have a phone in every room while your phone charges in a fixed charging station. Those go for as little as $10-15 on Amazon and often can pair with at least two mobile phones.

      1. Yes! I ran up a huge bill on my parents phone line when I was in high school. I was doing party lines with the local telephone company and 900 numbers that did conference calling and voicemail for ‘free’ I had no idea.

        Something like a $3K phone bill they made me work off. lol

        1. No… That was a chat line. “Party Lines” meant a group of homes shared a common line. Usually different ring patterns would ID who the recipient was, but anyone could listen in. I had one when I was 5 in rural Missouri.

        2. Well, not sure you know what party lines were. Here is a link to a wikipedia article, that I think what Biomed was referencing — https://en.wikipedia.org/wiki/Party_line_(telephony).

          Party lines were common in the 1950’s and they were not what you think. They were just a ‘sharing’ of a single phone line. Privacy was not an issue at all.

          I remember well, wanting to make a call only to find there was a conversation already on the line. I said hello, and that I’d like to make a call and we’d negotiate politely something like, “We’ll be done in 5 minutes, you can make your call then.” Or something like that. Or sometimes we would just hang up to try again later.

          1. Another Jim here – My parents had a party line when I was growing up in the 70’s, shared with a house a few doors up (British Telecom). If you picked up and it was in use, you just hung up and came back later. You could tell if the party line was picked up when you were on a call since there was a tell tale click. Should it be that you were pretending to be out and someone said you must’ve been home because the phone was engaged, you could just say that it was the party line. Simpler times!

      2. Those still exist in theory. At least up till a few years ago I was still working on hoot n holler lines. The modern versions run through Kentrox 4 or 6 wire bridge lifters with 600ohm terminations at the Central Office. The biggest hoot n holler I used to work on had over 170 lines and each were able to talk to each other. It was for a junkyard network in Arizona. There were many bridge interconnects to other bridges, and when there was a 60 cycle (hz) hum on one circuit they ALL heard it. Fun times those old days. 5.8Ghz pshaw, get off muh lawn!

      3. Party lines???

        That should mean only two things:

        1 – The number to phone to get directions to a field full of speakers and a big crowd in the making.
        2 – The mix of funny powders found in lost wraps after the speakers and people start disappearing.

    1. Yes it is, if you were trying to listen to both sides of someones conversation you would either need to flip back and forth. (something that could easily coded) You could also swap back and forth using the memories in the SDR# application or even just do it by hand.

      I’ve been dying to get a LimeSDR or a BladeRF x40 so that I can play around with a GSM BTS. I will be looking at building a proper faraday cage at that point. I certainly have no intention of shitting on the GSM bands, even at low power.

  1. Welcome to what those of us that had access to a scanner discovered in the 90’s. and 5ghz cordeless phones were a rich mans rarity, those did not show up until recently.

    I used to listen in on all kinds of calls in the neighborhood, it was fun for about 30 minutes. What was more fun was your first butt set and getting access to a switching station.

    1. I remember listening in to cellphones in when they were analog. Watch for peaks and then tune to one. Unfortunately I had to choose between inbound or outbound side of the conversation as I couldn’t tune to both at the same time. :/

    2. Ditto, though mine was an 80’s boom box with two SW ranges. I want to say quite a few models came with that option, but I only ever recall tuning one-half of the conversation.

    3. Didn’t a lot of US-market police scanners come with the 900mhz area of the spectrum blocked off so you couldn’t “accidentally” listen to wireless phone conversations?

      1. It’s a legal requirement that the old analog cell frequencies be blocked in receivers sold in the US. Not that it does much good, any TV made to receive the old UHF channels 70-83 could tune those frequencies (and were common back when analog cellular was a thing.

    4. I think this is partly why there’s not much security built into these things, most people didn’t have access to what you’d need in order to listen in. Much like the Sega CD having zero copy protection on the games – CD burners and media were so expensive at the time, they didn’t consider piracy an issue (And even if burners were cheap, you’d have Jimmy copying a game from Johnny down the street, not Johnny making and ISO of the game and uploading it to a Warez board or something via dialup

  2. I remember when Hackaday comments weren’t 80% shitting on post authors. If you don’t like the joke, fine, but c’mon. That being said, “Get off my lawn!”

    1. Ah, the good old days, how I miss them….

      But then I guess I’m just old fashioned. I still have a landline, and the only mobile phone I have is to test Android apps I write. Since I retired I don’t even have the mobile phone activated. As long as I can use it to call 911 if I have to I doubt I’ll ever get it activated again. :)

    2. I remember when Hackaday comments weren’t 80% ended with stupid old/dead memes that should not ever be mention again, but instead, rotted away from every individuals mind.

        1. Haha Brian, I’ll share my popcorn with you.

          Do you like melted butter or should we just stick with salt? There might be enough salt in the comments already though.

  3. Two point from the Wikipedia article that seem to conflict with Brian’s claims.

    1920 – 1930 MHz (DECT 6.0) in the United States and Canada

    The standard also provides encryption services with the DECT Standard Cipher (DSC). The encryption is fairly weak, using a 35-bit initialization vector and encrypting the voice stream with 64-bit encryption.

    While most of the DECT standard is publicly available, the part describing the DECT Standard Cipher was only available under a non-disclosure agreement to the phones’ manufacturers from ETSI.

    1. That is true, actually in the second video listed where I am demoing an interception of a DECT 6.0 telephone call I am using a US phone. The software used supports both US and EU. I would also like to mention that while there is a cipher as mentioned many manufacturers never actually used that cipher and most audio is in the clear.

    2. At least that 64 bit voice channel encryption is higher than the 56bit that came with all the early powerline ethernet thing-a-ma-bobs. Shared tansformers could give a whole new meaning to “party [credit] line”

  4. Folks, please remember HaD isn’t US-exclusive… Landlines are still going strong here. People even “treasure” their numbers ’cause some are 30+ years old, and with flat monthly rates roughly equivalent to US$15-20 that cover unrestricted landline calls to the entire country, it’s even cheaper than cellphones.

    This is pretty interesting as everyone and their mother knows cordless 900Mhz phones are insecure, but DECT 5Ghz ones are pretty widespread (and still sold) here. Even saw them on top government offices, and THAT changes this from interesting to worrisome.

  5. The guy who wrote this article needs to get his facts straight.. A LOT of businesses in the US still use these lines, all it takes is for someone to be listening and grab your ssn or credit card number while you are talking over the phone.. the person who wrote this basically insulted everyone.. We aren’t 5 we all should have basic knowledge of cord/cordless phones.. the writer shouldn’t have written this article like this they thought they could make a quick buck and make the other guy look bad…

    1. That’s the point the post was making, that this is a pretty big issue as landlines are still widespread, but nobody is paying much attention to the security holes because the tech is considered outdated – “It would be chilling if landlines existed anymore.”

      It’s just that the post takes on a sarcastic tone which a bunch of commenters have missed or are straight up pissed off about :P putting light humour in technical writing is really hit and miss on the internet.

  6. What was the encryption technology that used LP records (vinyl)? Your voice was muxed or combined with an LP of (for example) a particular obscure recording of Beethoven’s 9th, and could only be demuxed at the other end with the exact same recording. Useless today, of course, when an audio file can be located and replicated in minutes from digital sources.

    On the other hand, would a digital copy of the recording work? I think it was in “Spycatcher” by Peter Wright that he describes the technology – mux a voice recording with beethoven, demux at the other end with the exact same recording. All analogue – would digital work?

    1. You might be thinking of a system called SIGSALY that was developed in the late 1930s and used for secure HF voice communicstions between US and GB high ranjing government officials during WW-II.

      SIGSALY was pretty large – something like 40 telecom racks full of equipmemt at each end. The system PCM sampled voice and then combined the voice with random noise that had been pre-recorded on pairs of identical phonograph records. The records were a form of one time pad security, as it was intended that the noise recordings were onky to be used once then destroyed. The encoded voice was trsnsmitted on HF short wave using FSK modulation. Of course, a major limitation is that the noise recordings have to be distributed to the two end points by trusted courier before any secure conversation is possible.

      SIGSALY was a very advanced for its time and was almost certainly the first time PCM, encrpytion and FSK modulation were all used in a single integrated system.

      More informstion here: https://en.m.wikipedia.org/wiki/SIGSALY

  7. So the phones do 5.8GHz FM?
    Those might be fun objects to modify for amateur use. Nothing spells useless fun like a 5.8GHz FM repeater with milliwatts of output.
    Also, if any of you folks need a simple and cheap 5.8GHz downconverter, buy one of these 5.8GHz video receiver boards.
    Those have a 480MHz IF and that’s easily tapped even without opening the module as the SAW filters are often thruhole parts and thus the pins are available on the bottom side.
    Then just listen to the downconverted RF with RTL-SDR or for portable work with a baofeng or scanner. Same works for 2.4GHz, but I use my AR8200 for that most of the time.

  8. I’ve been using obi200 and Google Voice. Use my old touch-tone phone (like the feel of the headset). Alas, no caller-id, but no one calls my Google Number anyway except people I give the number too. I use a radio shack phone to AC adapter, so I can plug my phone anywhere there is an AC outlet. When I get home, I call forward my cell phone to the Google Voice, and enjoy a real telephone :-)

  9. The last landline phone my family had had a delightful security flaw: the wireless frequency (or presumably some harmonic of it) fell into the 88-107MHz FM broadcast radio band, so you could listen to the conversations people were having on any radio in the house. The handset had a telescopic antenna like an old fashioned car aerial so I have to assume the smaller modern ones use higher frequency and aren’t susceptible to this particular hack.

    1. Ha! It likely was an older 49MHz set with multiplied crystal and it was not properly filtered and thus one of the harmonics fell on the fm broadcast band. Did it happen to be around 98MHz?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s