After Hours

The opportunities and risks of DECT, CAT-iq

Before you install a wireless monitoring and control system, check to see if it uses DECT/CAT-iq technology. If it does, make sure you're not filling the local 1.9 GHz airwaves with information you'd rather not release to an attacker.

Use of Digital Enhanced Cordless Telecommunications (DECT) has been growing rapidly outside the United States. Since 2005 it has been gaining ground in the U.S. as well. DECT brings to wireless communication several improvements over traditional solutions. Starting with cordless phones, it has spread to credit card readers and other wireless devices used every day in businesses around the world. But there's a catch. A group of security researchers has found a serious flaw in DECT's proprietary encryption solution.

Before looking at the encryption issue and associated risk, it’s important to understand why you should care, even if you don’t currently use DECT enabled devices in your organization.

The Opportunities

Typically operating in the 1880 to 1900 MHz band, DECT “…provides a general radio access technology for wireless telecommunications,” as shown in Figure 1 (DECT Forum, 1997). In the U.S., DECT is licensed by the FCC to operate in the 1920 to 1930 MHz, or 1.9 GHz band (DECT, Wikipedia.org).

Figure 1

According to the DECT Forum, initially planned uses for DECT applications included:

  • Residential
  • PSTN access
  • Wireless PABX
  • GSM access
  • Wireless local loop
  • Cordless terminal mobility (CTM)
  • LAN access, supporting
    • Voice
    • Fax
    • Email
    • Internet

Some of the needs that existed when the DECT standard was created (1990s) have since been met by the rapid spread of cell phones. However, the advantages DECT brings to today's communication challenges have led it into other areas, including wireless credit card readers and data transfer. So what’s the big deal? Why not just stick with the old technologies? There are several reasons in the voice realm (DECT Features, Wikipedia.org), including:

  1. DECT does not typically cause or experience interference problems when installed in areas where Wi-Fi, Bluetooth, or other wireless technologies exist
  2. A single base station can support multiple phones
  3. DECT enabled phones can place intercom calls to each other
  4. Base-to-phone range can extend up to 100 meters, depending on environment
  5. DECT devices use less power resulting in extended battery life

And DECT was expected to spread to data networks due to its ability to overcome many of Wi-Fi’s challenges (DECT for Data Networks, Wikipedia.org), including:

  • Range up to 200 meters indoors or 6 km using directional antennae outdoors
  • Dedicated spectrum
  • High interference immunity
  • Open interoperability
  • Expected data rates of 500 Kbps to 1 Mbps

DECT did not quickly become a replacement for Wi-Fi, primarily due to U.S. restrictions on its use until 2005. Now, however, it is emerging as a possible option for many voice and data solutions requiring high reliability, low power consumption, and lower data transfer rates.

The DECT standard makes use of several advanced digital radio techniques to achieve efficient use of the radio spectrum; it delivers high speech quality and security with low risk of radio interference and low power technology. TDMA (Time Division Multiple Access) radio access, with its low radio interference characteristics, provides high system capacity to handle up to 100,000 users per km floor space in an office environment. DCS/DCA (Dynamic Channel Selection/Allocation) is a unique DECT capability that guarantees the best radio channels available to be used. This happens when a cordless phone is in stand-by mode, and throughout a call. This capability ensures that DECT can coexist with other DECT applications and with other systems in the same frequency, with high-quality, robust and secure communications for end-users. Other features of the DECT standard include encryption for maximum call security and optimized radio transmission for maximum battery life.

Source: Wireless Technology Choices Abound for Medical Monitoring, Tim Moore, RTC, January 2005

Solutions include manufacturing and medical devices for monitoring and control. Figure 2 (Source: Moore, RTC, 2005) depicts how DECT might be used in a health care environment.

Figure 2

Moore provides a comparison of ten candidate wireless technologies for monitoring and control systems, shown in Table 1 (Source: Moore, RTC, 2005). DECT is becoming an even bigger contender in the wireless space with its “next generation” iteration known as CAT-iq.

Table 1

Judged by this list of categories, DECT stood up well as the best technology choice until 29 December 2008. On that day, security researchers demonstrated a serious flaw in DECT’s security design.

The Risks

One of the security features of DECT is its proprietary encryption. This and other characteristics of DECT allowed proponents to tout it as a very secure technology. According to a 2007 whitepaper on DECT security,

The risk that intruders could pick up DECT signals and hack their way to critical information in telephone conversations is unfounded, due to the lack of suitable equipment to perform such an intrusion.

Even in the very unlikely scenario of DECT radio signals being picked up by a third party, it would require an enormous amount of computer power and transactions collected over a period of several months to make anything meaningful out of the signals.

Source: DECT provides high protection against unauthorized access, Jabra, 2007

That was then. At the 25th Chaos Communications Congress in Berlin, German security experts demonstrated their ability to easily and economically force unencrypted DECT communication and intercept it.

The attack on DECT, demonstrated at the 25th Chaos Communications Congress in Berlin on 29 December, used a Linux laptop with a modified €23 laptop card.

It can intercept calls and information directly, recording it in digital form. Even if encryption is switched on, the system can bypass encryption - simply by pretending to be a base station that doesn't support it.

Source: DECT Phones and POS terminals are vulnerable, Peter Judge, Techworld, 5 January 2009

The weakness found in DECT is not a bug. It is part of its design, enabling communication even if the handset and the base cannot establish an encrypted session. I called three DECT compatible phone resellers and none knew of a way to only allow encrypted sessions. So an attacker could potentially intercept any DECT traffic, voice or data, even if it contained patient or credit card information.
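The fallback described above is a policy decision in the handset, and the difference between a handset that falls back and one that refuses is easiest to see in a small simulation. The following is an added example, not code from the article or from any DECT implementation; the capability flags, policy names and base station adverts are constructed stand-ins for the real protocol messages, which the article does not detail.

```python
from dataclasses import dataclass
from enum import Enum


class Policy(Enum):
    # Behaviour the article describes: talk to the base even without encryption.
    ALLOW_FALLBACK = "allow_fallback"
    # Hypothetical hardened policy the resellers could not offer: encrypted or nothing.
    REQUIRE_ENCRYPTION = "require_encryption"


@dataclass
class BaseAdvert:
    """Constructed model of what a base station claims when a handset associates."""
    name: str
    supports_encryption: bool
    can_complete_handshake: bool = True  # False models a failed cipher negotiation


@dataclass
class Link:
    base: str
    encrypted: bool
    established: bool


def associate(advert: BaseAdvert, policy: Policy) -> Link:
    """Simulate a handset deciding whether, and how, to talk to a base station."""
    if advert.supports_encryption and advert.can_complete_handshake:
        return Link(advert.name, encrypted=True, established=True)
    # No encrypted session possible: the base claims no support or the handshake failed.
    if policy is Policy.ALLOW_FALLBACK:
        return Link(advert.name, encrypted=False, established=True)   # silent downgrade
    return Link(advert.name, encrypted=False, established=False)      # refuse to associate


def audit(links: list[Link]) -> list[str]:
    """Names of bases carrying plaintext traffic: what a site survey should flag."""
    return [link.base for link in links if link.established and not link.encrypted]


# Constructed sample inputs: a legitimate base and one that claims no cipher support.
LEGIT = BaseAdvert("office-base-1", supports_encryption=True)
NO_CIPHER = BaseAdvert("unknown-base", supports_encryption=False)

if __name__ == "__main__":
    for policy in Policy:
        links = [associate(base, policy) for base in (LEGIT, NO_CIPHER)]
        print(policy.value, "plaintext links:", audit(links))
```

Under the fallback policy the audit lists the no-cipher base as a plaintext link; under the strict policy no plaintext link exists, because the handset never associates with it.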

This is a serious flaw in an otherwise very promising technology. The DECT Forum, the driving force behind the standard, issued an ambiguous response to the December demonstration:

“The DECT Forum welcomes open discussions about how the implementations of the DECT standard can be improved”, says Erich Kamperschroer, Chairman of the DECT Forum. “Therefore we are looking forward to collaboration with researchers in order to discuss their research results and find measures how to further improve a reliable and mature technology that is used worldwide every day by millions of users.”

[…]

With the introduction of CAT-iq (Cordless Advanced Technology), the successor of DECT, the DECT Forum has demanded highest possible security protection measures as mandatory, which will be implemented into a globally applicable standard.

Source: DECT Forum Statement on DECT Wireless Technology, 13 January 2009

So before you install a wireless monitoring and control system, check to see if it uses DECT/CAT-iq technology. If it does, make sure you’re not filling the local 1.9 GHz airwaves with information you’d rather not release to an attacker. Hopefully the organizations behind the DECT Forum are working harder on a solution than the press release indicates. This technology has a lot of potential.


About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

3 comments
Photogenic Memory

I have a family member with a pace-maker. The manual for the unit describes that they have to take precautions near microwaves and other electrical devices that emit high frequency energy. As much as wireless frequency technology is promising in that it's a new medium to tap into for communications; are we shooting ourselves in the foot here? How healthy can this be in the long run? I could care less about encrypted sessions. Those types of vulnerabilities can always be patched later on. But, is the push for this healthy and safe in the long run? Questions, man? Questions?

dave-the-rave

The frequency band concerned is the 1.9GHz band, not 1.9MHz you show in the opening text.