Exposing Dinosaur Phone Insecurity With Software Defined Radio

Long before everyone had a smartphone or two, the implementation of a telephone was much stranger than today. Most telephones had real, physical buttons. Even more bizarrely, these phones were connected to other phones through physical wires. Weird, right? These were called “landlines”, a technology that shuffled off this mortal coil three or four years ago.

It gets even more bizarre. Some phones were wireless — just like your smartphone — but they couldn’t get a signal more than a few hundred feet away from your house for some reason. These were ‘cordless telephones’. [Corrosive] has been working on deconstructing the security behind these cordless phones for a few years now and found these cordless phones aren’t secure at all.

The phone in question for this exploit is a standard 5.8 GHz cordless phone from Vtech. Conventional wisdom says these phones are reasonably secure — at least more so than the cordless phones from the 80s and 90s — because very few people have a duplex microwave transceiver sitting around. The HackRF is just that, and it only costs $300. This was bound to happen eventually.

This is really just an exploration of the radio system inside these cordless phones. After taking a HackRF to a cordless phone, [Corrosive] found the phone technically didn’t operate in the 5.8 GHz band. Control signals, such as pairing a handset to a base station, happened at 900 MHz. Here, a simple replay attack is enough to get the handset to ring. It gets worse: simply by looking at the 5.8 GHz band with a HackRF, [Corrosive] found an FM-modulated voice channel when the handset was on. That’s right: this phone transmits your voice without any encryption whatsoever.

This isn’t the first time [Corrosive] found a complete lack of security in cordless phones. A while ago, he was exploring the DECT 6.0 standard, a European cordless phone standard for PBX and VOIP. There was no security here, either. It would be chilling if landlines existed anymore.
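To illustrate why the replay against the 900 MHz control channel described above works, here is an added example (not from the article or from [Corrosive]'s work) that models a handset accepting a fixed control frame beside one that requires a fresh counter and an HMAC tag. The frame layout, the `RING` command, the pairing code and all class names are assumptions made for this sketch; the article does not describe the phone's actual frame format.

```python
import hashlib
import hmac
import os

RING = b"RING"  # constructed command; the real frame format is not in the article


class StaticHandset:
    """Rings on any frame equal to a fixed pairing code + command (no freshness)."""
    def __init__(self, pairing_code: bytes):
        self.expected = pairing_code + RING

    def receive(self, frame: bytes) -> bool:
        return frame == self.expected


class Base:
    """Base station that numbers and authenticates each control frame."""
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def ring_frame(self) -> bytes:
        body = self.counter.to_bytes(8, "big") + RING
        self.counter += 1
        return body + hmac.new(self.key, body, hashlib.sha256).digest()


class AuthenticatedHandset:
    """Rings only if the HMAC tag verifies and the counter has not been seen."""
    def __init__(self, key: bytes):
        self.key, self.last_counter = key, -1

    def receive(self, frame: bytes) -> bool:
        if len(frame) != 8 + len(RING) + 32:
            return False
        body, tag = frame[:-32], frame[-32:]
        good = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good) or body[8:] != RING:
            return False
        counter = int.from_bytes(body[:8], "big")
        if counter <= self.last_counter:
            return False  # replayed or stale frame
        self.last_counter = counter
        return True


def demo():
    captured = b"\x12\x34" + RING  # constructed recording of one static frame
    static = StaticHandset(b"\x12\x34")
    key = os.urandom(32)
    base, handset = Base(key), AuthenticatedHandset(key)
    frame = base.ring_frame()
    return ((static.receive(captured), static.receive(captured)),
            (handset.receive(frame), handset.receive(frame),
             handset.receive(base.ring_frame())))
```

The static handset rings on every copy of the recorded frame, while the authenticated handset rings once, rejects the identical second copy, and accepts the next genuine frame.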


Old-school Rotary Phone gets GSM Upgrade

Sometimes, the answer to, “Why would you bother with a project like that?” is just as simple as, “Because it’s cool.” We suspect that was the motivation behind [Dirk-Jan]’s project to make portable versions of classic rotary telephones.

On style points alone, [Dirk-Jan] scores big. The mid-1950s vintage Belgian RTT model 56 phone has wonderful lines in its Bakelite case and handset and a really cool flip-up bail to carry it around, making it a great choice for a portable. The guts of the phone were replaced with a SIM900 GSM module coupled with a PIC microcontroller and an H-bridge to drive the ringer solenoids, along with a Li-ion battery and charger to keep it totally wireless – except for the original handset cord, of course. The video after the break shows the phone in action both making and receiving calls; there’s something pleasing on a very basic level about the sound of a dial tone and the gentle ringing of the bell. And it may be slow, but a rotary dial has plenty of tactile appeal too.

Rotary-to-cell conversions are a popular “just because” project, like this conversion designed to allow an angry slam-down of the handset. The orange Siemens phone in that project is nice and all, but we really favor the ’50s look for a portable.


Rotary and cordless phones mashup

This pile of hardware marries telecommunications hardware from distinctly different generations. [Andrew D. Farquharson] wanted the retro look and operation of a rotary phone, with the convenience of a modern cordless. He combined the two technologies to achieve his goal.

The first problem was to find a way to translate the rotary inputs to something he could use. There are already a bunch of projects that use rotary hardware so he didn’t have to reinvent the wheel. He followed this guide to connecting Arduino to a rotary phone.

The next step was to interface with his cordless phone. He ditched the case and soldered rainbow ribbon cable to the entire button matrix. An opto-isolator is used to protect the Arduino while making each connection. Finally, he patched into the mechanism which monitors the cradle to see if the handset has been picked up. It sounds like his code lets you enter the number on the dial, then pick up the handset to actually transmit it through the cordless phone.