Recently in Telecoms Security Category

Second GSM Cipher Fail - A5/3

The GSM encryption algorithm A5/1 has been known to be broken for some time now... about 10 years to be exact.  However, if you were sleeping under a rock for the last few weeks, you would have missed the news that some researchers have put the theoretical attack into practice, making it a reality for mobile phone operators.

Anyway, it seems A5/3 (also known as KASUMI) may also be broken.  News circulating on the interweb talks of a 0day paper that could be published any day now.  Further fodder about it is here and here.

Originally posted to Full-disclosure by Max Moser.

Hi there, just in case you didn't see the post at my blog http://remote-exploit.blogspot.com/ here is a small summary of the problem:

The iPhone running OS 3 has a stupid usability feature. It seems like the iPhone is automatically opening a browser when joining a network. When joining a network, the iPhone tries to do the following:

1. DNS queries for www.apple.com
2. Opening http://www.apple.com/library/test/success.html

When both are successful, then fine... the phone gets back "success" and everything is ok. When both are failing... that's fine as well because then the phone assumes that the Internet connection is not up and running.

If the phone can successfully query the name but gets back any different content than "Success" it assumes that there is a captive portal which requires you to authenticate first to get access to the Internet. (Hotels, Hotspots etc)

It seems like Apple was thinking.. damn that's annoying for the user... let's open up Safari automatically if this special case comes into place :-)

Usability kills security .... together with karmetasploit it's a very evil thing. Get iPhone cookies, accounts and maybe even system control... depending on the bugs you have left to test.

You can see the whole thing as a video @ vimeo http://www.vimeo.com/5466236 .... now let's find some new safari bugs :-)

Greetings

Max
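The join-time probe Max describes, as an added example (not code from his post or from Apple): the two constants are the targets named above, `classify` encodes the three outcomes he lists plus an `http_failed` state for the case the post does not cover, and the injectable `resolve`/`fetch` are my own so the logic runs offline. The defaults do a real lookup and request, so a laptop on a freshly joined network can see which outcome the phone would reach.

```python
import socket
import urllib.error
import urllib.request

# The two things the post says the phone does on joining a network.
PROBE_HOST = "www.apple.com"
PROBE_URL = "http://www.apple.com/library/test/success.html"


def default_resolve(host):
    """True if the name resolves on the current network (step 1 in the post)."""
    try:
        socket.gethostbyname(host)
        return True
    except OSError:
        return False


def default_fetch(url):
    """Body of the probe page (step 2), or None if the request fails outright."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None


def classify(dns_ok, body):
    """Map the probe result onto the outcomes the post lists.

    Only 'captive_portal' is the case that makes the phone open Safari:
    the name resolved, but the page that came back is not the "Success" page.
    """
    if not dns_ok:
        return "no_internet"      # DNS failed: phone assumes no connectivity
    if body is None:
        return "http_failed"      # resolved but no page at all; not covered by the post
    if "Success" in body:
        return "internet"         # the expected test page: nothing opens
    return "captive_portal"       # any other content: browser is launched


def probe(resolve=default_resolve, fetch=default_fetch):
    """Run the probe exactly in the order the post gives: DNS first, then HTTP."""
    dns_ok = resolve(PROBE_HOST)
    body = fetch(PROBE_URL) if dns_ok else None
    return classify(dns_ok, body)


if __name__ == "__main__":
    # Constructed inputs: what a hotel portal that answers DNS and serves a login page looks like.
    print(probe(resolve=lambda host: True, fetch=lambda url: "<html>Please log in</html>"))
```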

Satellite Feed Fun

If you haven't already read "Hack My Satellite" - go read it here and you'll have more of a clue of what all this means.

Now this is what I'm talking about...


Hack My Pager

This is something I got into a while ago but it randomly came into my head the other day, and I thought, aaaah yes, that was cool... need to share it with people.

If you've read my Scanning and Listening to Cordless Phones article on this site then you may already be armed with a scanner.  If not, you'll need a scanner to do any activities here.

Pagers, pagers... Where do I start?  They're pretty damn old skool... no one really uses them now that the text messaging revolution has become what it is now.  However, a few places do still have uses for these - namely hospitals and automated alarm systems.

It should be no surprise that pagers operate over the radio waves, one of the reasons why I get excited (OK, well not excited, but mildly happy...) about this technology.  Again, if you have read any articles of mine then you will know that anything that travels through radio waves is bad bad in terms of confidentiality, integrity and availability.  Only with encryption can you sort the confidentiality bit out, and also, with a little intelligence, the integrity problem with HMACs (hash-based message authentication codes), etc.  Anywayyyy... I'm going way off topic.  What I'm trying to say is... anything that I can pluck out of the sky, I like, well hopefully *we* like.

Pagers use a few different transmission formats - namely POCSAG (Post Office Code Standards Advisory Group) and FLEX - both at various baud rates: 512, 1200 and 2400.  We'll ignore ACARS, MOBITEX and ERMES and the like for now as that will just confuse things.

POCSAG is pretty old skool as you might expect - the modulation used is FSK (frequency shift keying) with a ±4.5 kHz shift.  The high frequency represents a 0 and, you guessed it, the low frequency represents a 1.  Told you it was old skool.

In the UK, most pager transmissions occur in the three bands around 138 MHz, 153 MHz and 466 MHz.  In the US and elsewhere, they could operate anywhere in the VHF/UHF bands!  Google is your friend!

Now, lets get to the fun bit.  How the feck do you decode these transmissions?  You need a computer, check... a sound card, check... and a scanner, check 1, check 2?  If you meet all three requirements then you're good to go!

You can do this two ways... you can go down Maplins and get yourself a double male audio cable so that you can feed in your scanner output straight into the line-in of your sound card... or, you can do it the hard way and put your microphone near your scanner speaker.

Done that?  Ok, sweet.  Now you have locked onto a frequency that somehow resembles what it would be like to listen to ET phoning home, and now that you have this goodness feeding into your computer... the next step.

We want to decode these transmissions.  As good as the human brain is, I ain't gonna fuck with you... it ain't gonna be able to decode POCSAG on the fly.  You will need to grab some free software to do this:

Multimon - Pocsag program for Linux, decodes pagers using sound card (Also handles AX.25, DTMF and ZVEI) (49k)

PDW 110f - Pocsag program for Windows, decodes pagers using sound card (Also does Flex, ACARS, MOBITEX & ERMES) (366k)

POC32 - Pocsag program for Windows, decodes pagers using sound card (402k)

I have used all three programs and I have to say, each has its advantages and disadvantages.  PDW 110f I quite like.

I forgot to mention that you will have to play with the squelch and also the volume on your scanner until the decoder software recognises it as the correct type and baud rate - this takes a couple of minutes of playing... but as soon as you see "POCSAG 2400" show up as a transmission is coming in then you're sorted.

Frequencies to try: 153.150, 153.225, 153.250, 153.275, 153.350, 466.075, 137.975

The messages will be plucked out of the airwaves and decoded into sexy ASCII right in front of your eyes.

Nothing much to it eh?

Please note that this IS illegal.  This technology has almost been faded out and for good reasons as you can see... security in the 80s and 90s, gotta love it eh?!

UPDATE: Found a video by some Yank that does what I just discussed, from using PDW to using a male-to-male audio plug.  View it here.
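The POCSAG codeword layout that Multimon, PDW and POC32 are working with, as an added example (not code from the post or from any of those decoders): the generator polynomial and the sync/idle codewords are from the POCSAG spec; `encode_alpha`/`decode_alpha` and the pad-with-EOT behaviour are my own simplification of the alphanumeric message format. It shows concretely why the confidentiality/integrity remark earlier holds: the text is plain 7-bit ASCII and the only check on a codeword is a BCH remainder plus a parity bit, which any transmitter can recompute, so it protects against noise and nothing else.

```python
# POCSAG codeword: flag(1) | data(20) | BCH(31,21) check bits(10) | even parity(1), MSB first.
BCH_POLY = 0x769            # x^10+x^9+x^8+x^6+x^5+x^3+1, the BCH(31,21) generator
SYNC_CODEWORD = 0x7CD215D8  # frame synchronisation codeword from the spec
IDLE_CODEWORD = 0x7A89C197  # idle codeword that fills unused slots
EOT = 0x04                  # ASCII EOT terminates (and here pads) an alphanumeric message


def bch_bits(data21):
    """10 BCH check bits for the 21-bit flag+data field (polynomial division mod 2)."""
    v = data21 << 10
    for i in range(30, 9, -1):
        if (v >> i) & 1:
            v ^= BCH_POLY << (i - 10)
    return v & 0x3FF


def encode_codeword(flag, data20):
    """Assemble a 32-bit codeword from the flag bit and 20 data bits."""
    data21 = (flag << 20) | (data20 & 0xFFFFF)
    cw = (data21 << 11) | (bch_bits(data21) << 1)
    return cw | (bin(cw).count("1") & 1)          # even parity over all 32 bits


def codeword_ok(cw):
    """True if the BCH remainder and parity agree. There is no key anywhere in this,
    so it detects corruption on the air but says nothing about who sent the word."""
    return bch_bits(cw >> 11) == ((cw >> 1) & 0x3FF) and bin(cw).count("1") % 2 == 0


def encode_alpha(text):
    """Pack 7-bit ASCII, least significant bit first, into message codewords (flag=1)."""
    bits = [(ord(c) >> i) & 1 for c in text for i in range(7)]
    while len(bits) % 20:                          # pad with EOT characters to a 20-bit boundary
        bits += [(EOT >> i) & 1 for i in range(7)]
    words = []
    for k in range(0, len(bits), 20):
        data20 = sum(b << (19 - j) for j, b in enumerate(bits[k:k + 20]))
        words.append(encode_codeword(1, data20))
    return words


def decode_alpha(words):
    """What the decoder software does: drop damaged words, skip address words, unpack text."""
    bits = []
    for cw in words:
        if codeword_ok(cw) and (cw >> 31):         # message codewords carry flag bit 1
            bits += [(cw >> (30 - j)) & 1 for j in range(20)]
    text = ""
    for k in range(0, len(bits) - 6, 7):
        ch = sum(b << i for i, b in enumerate(bits[k:k + 7]))
        if ch == EOT:
            break
        text += chr(ch)
    return text


if __name__ == "__main__":
    # Constructed message: round-trips through the codewords unchanged, as plaintext.
    print(decode_alpha([SYNC_CODEWORD] + encode_alpha("HELLO 1234") + [IDLE_CODEWORD]))
```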

Hack My Satellite

There are loads of satellites orbiting the earth as you read this; some are being used for commercial purposes, some for military, some for scientific research and some even carrying IP packets for the Internet. What I want to concentrate on is the commercial satellites, mostly due to the fact that playing with military satellites would probably result in a situation involving rubber gloves - bad times.

Here are just some of the satellites that could potentially drop into your back garden right now.

Commercial satellites are used by the likes of news corporations like the BBC/ITV, etc. to broadcast a television signal from them to you. Your satellite receiver sitting by your TV knows the frequency and the stepping that needs to be tuned in to get, say, BBC NEWS 24, and moves your dish accordingly (if motorised). In fact, it comes with configuration files with all the frequencies of each publicly broadcasting channel/service. Notice the word "publicly" used in the last sentence. Just because your satellite box has an entry for 11.263 GHz but nothing for 11.283 GHz doesn't mean no transponder exists at this frequency. Imagine your radio: you can manually step between say 91 FM to 107 FM, to say 92.3 FM. However, your satellite box doesn't allow you to do this - it has a pre-defined list of satellites from which it will grab a list of broadcasts (channels), etc.

Wouldn't it be kinda cool if we could tell our satellite box to manually step between *EVERY* step and frequency to see what transponders exist there?

Why would I want to do this? Simple... Broadcasters don't just use satellites to send stuff to your house, they use them for outside broadcasts. For example, a reporter out in the field somewhere with a portable camera - somehow they need to beam that raw signal back to HQ. These same satellites are also used to send those raw feeds back - just on another frequency or on another satellite altogether. If I could lock on to this satellite's transponder at any arbitrary frequency/step that I want, then I can grab that raw feed being broadcast from the satellite's transponder.

See where I'm going with this?

Imagine a boxing match happening in Las Vegas. This is obviously going to be a pay-per-view event and say SKY Sports would be broadcasting it. Normally, you would pay SKY to watch this event... the appropriate changes would be made to your satellite box and you would then be allowed to tune into it - the feed from SKY Sports HQ to your home. Now, think about this. Where is Vegas? All the way in the United States. This signal has to get to the UK somehow... and can you think of any possible communications medium to do this? You got it... via satellite! Damn you're good. ;o) This raw feed will be sent from the US to SKY Sports HQ via a satellite. If we can find the satellite and the frequency that is transporting this raw feed to SKY HQ and if we can hack up our satellite box, then we can lock on to the raw feed and watch the fight for free.

Now you see where I'm going with this. :o)

***TO BE CONTINUED***

UPDATE*** - visit "Satellite Feed Fun" here.

Recently, a whole host of sites have been appearing which allow you to trace a mobile phone, with the owner's permission of course. These sites are aimed at parents who want to be able to locate their children if they become lost, go down the pub during school lunch break, etc. These companies obviously pay a shit load of money to O2, Vodafone, Orange, etc. in order to have a 'back door' to their GSM networks in order to use triangulation from base stations to locate phones.

Anyhow, this got me thinking, with security in mind. Is it possible to abuse this? If you didn't require the owner's consent to locate their phone then that would be a pretty serious security issue, not to mention a total lack of privacy.

I was curious as to the whole logic behind the mobile phone 'registration' process. Obviously a parent would grab her child's phone, register on the website, add the phone, type in some sort of random PIN (or confirmation number) that was displayed/sent to confirm consent, and job done. That's how things are done normally.

What I'm interested in is the random PIN (or confirmation number) - and more importantly, by what method is this sent? Is the number sent to the phone, which you must reply to in a text message quoting it, or is it displayed on the website and you then write a text message quoting the number from your phone?

The way in which it is sent is of great importance, from an attack perspective.

If the random confirmation number is sent directly to the phone in the form of a text message then as an attacker, the only way I can see that number is to have the phone in front of me. That's how it should be done, as not only does this method imply you have the phone in front of you, but there is additional security added with having to reply from the phone too as confirmation (or consent).

Now, if the random confirmation number is displayed on the website after I select to 'add a phone' then this has every opportunity to be attacked. "Please text '8872N110' to 85518 from your phone to confirm you wish this phone to be added." Now, is it just me or does anyone else see the security implications of this? You may not see it straight away, but what if I had the ability of spoofing text messages? (see SMS spoofing article) Now do you see the problem?

If the confirmation number was sent via the first method (directly to the phone, which must be replied to), then there is no way as an attacker that I can see that number (or even reply) without having that phone in front of me. However, now that I have the confirmation number displayed on the website, added together with the ability to spoof text messages, it's all to play for. I can simply spoof a text message from my victim's number, input the relevant confirmation number and send to the phone tracking website's number, and bop, my victim's phone is added. The phone tracking website assumes that because the text message originated from the victim's number, and also, because it contains the random confirmation number, that they now have their consent to be tracked.

Mad stuff eh?
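A model of the two confirmation flows above, added here as an illustration and not code from any tracking service; the class names, the number 07700900123 and the 8-hex-digit PIN format are constructed, while 85518 is the short code quoted in the post. It makes the trust boundary explicit: both flows confirm on "sender number plus correct PIN", and since the sender number is the only binding to the handset and is not something the service can verify, the displayed-PIN flow is satisfied by a message that never had to pass through the handset at all.

```python
import secrets
from dataclasses import dataclass, field

SERVICE_SHORTCODE = "85518"   # the short code quoted in the post


@dataclass
class Sms:
    sender: str       # claimed originating number; the service cannot verify this
    recipient: str
    body: str


@dataclass
class Handset:
    number: str
    inbox: list = field(default_factory=list)


class TrackingService:
    def __init__(self):
        self.pending = {}     # phone number -> confirmation PIN awaiting a reply
        self.tracked = set()

    def start_displayed_pin(self, phone):
        """Weak flow: the PIN is shown on the web page to whoever asked to add the phone."""
        pin = self.pending[phone] = secrets.token_hex(4).upper()
        return pin

    def start_delivered_pin(self, phone, handset):
        """Stronger flow: the PIN is sent to the handset, so only its holder learns it."""
        pin = self.pending[phone] = secrets.token_hex(4).upper()
        handset.inbox.append(Sms(SERVICE_SHORTCODE, phone, pin))

    def receive_sms(self, sms):
        """Both flows confirm the same way: claimed sender number plus matching PIN."""
        if sms.recipient == SERVICE_SHORTCODE and self.pending.get(sms.sender) == sms.body:
            self.tracked.add(sms.sender)
            del self.pending[sms.sender]
            return True
        return False


def displayed_pin_flow(victim_number):
    """True if a message quoting the web-displayed PIN under the victim's number is
    enough to enrol the phone. Nothing here ever touches the handset."""
    svc = TrackingService()
    pin = svc.start_displayed_pin(victim_number)
    return svc.receive_sms(Sms(victim_number, SERVICE_SHORTCODE, pin))


def delivered_pin_flow(victim_number):
    """(enrolled without the handset, enrolled with the handset) for the delivered-PIN flow."""
    svc, handset = TrackingService(), Handset(victim_number)
    svc.start_delivered_pin(victim_number, handset)
    without = svc.receive_sms(Sms(victim_number, SERVICE_SHORTCODE, "GUESS123"))  # PIN unknown
    with_handset = svc.receive_sms(Sms(victim_number, SERVICE_SHORTCODE, handset.inbox[-1].body))
    return without, with_handset


if __name__ == "__main__":
    print(displayed_pin_flow("07700900123"), delivered_pin_flow("07700900123"))
```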

This was written back in 2001 when I was 17, I'm guessing. I can't quite remember. But, what I will say is this. This is *highly* illegal. I wrote this article to make people aware of this fact. Do *not* buy a cordless phone. This piece of hardware pretty much reminds me of wireless access points. Manufacturers of both cordless phones and 802.11b access points do not get any extra income from adding security features into them, so they don't bother! This is the result. If you do have a cordless phone, make sure you do not do telephone banking over it at the very least! Cordless phones, even these so called digital ones, are still at risk - I don't care what the manufacturer writes on the box, they still are. Buy an old school phone with a cable, or use your mobile for anything you don't want to be sharing with the whole world. Again, I cannot stress how illegal it is if you listen to a cordless phone. Do *not* do it. I do not listen to cordless phones. As always, I carry out these tests in my own little lab - I have a few cordless phones laying about therefore I can experiment. This article is to raise awareness in the average household user. It does not exist for incitement of any kind. That is not its purpose. Anyways, enough of my ranting, on with the show.

---

Cordless phones... great ain't they? They allow us to talk while walking around the house, laying in bed, soaking up the sun in the garden, etc. We don't have to sit in a restricted area around the phone, with that annoying lead that always (and I mean always...) gets tangled up. However, they also allow us to broadcast all our telephone calls to all the nice noisy neighbours up the street, in the area, and beyond.

Yes, not so great...

It is a well known fact that many radio systems are moving over to secure digital communications - the Police, Fire Services and many other government users are gradually disappearing from our scanners with virtually no known way of being able to decode the transmissions. The same would be true of cordless telephone technology, with the release of DECT digital phones in the past few years and the benefits of using this technology you would expect analogue usage to be on the decline.

Not so! In fact, more than ever the analogue cordless phone band is crammed full of users! Why would this be happening? Let's take a look at a few possibilities.

The first reason is cost. DECT telephones are quite a lot more expensive than analogue equivalents and as such many people, unaware of the differences, for example security, go for a cheaper model as it 'does just the same job'. I saw some cordless phones in a shop during a January sale, they were priced at £19.99 which is an absolute give-away price. Is it any wonder they sold?

The other reason for the popularity of analogue is the release of a whole batch of relatively new frequencies in the 31 MHz region (introduced 1996) - these devices promise a greater range than the standard 47 MHz analogue band (the original 8 channel specification here in the UK known as CT1). The analogue phone system operates on two frequencies at once, known as full-duplex operation. This means that the device is capable of transmitting and receiving at the same time, as you would expect! The base uses one frequency for TX and the other for RX, and vice-versa at the handheld end of things.

Ranges quoted in the specifications of cordless phones usually state something like 50 metres from the base for the 47 MHz variety and anything up to 300 metres in open air from a 31 MHz base station. In total there are 16 standard analogue channels within the UK cordless phone system. The main difference between the two systems is that the original 47 MHz variety of base stations transmit to the handheld on a very low frequency just above the medium wave broadcast band. Take a look at the table below: All channels operate on NBFM.

CT1 - 31 MHz System
Channel 1: 31.0375 MHz (base) | 39.9375 MHz (mobile)
Channel 2: 31.0625 MHz (base) | 39.9625 MHz (mobile)
Channel 3: 31.0875 MHz (base) | 39.9875 MHz (mobile)
Channel 4: 31.1125 MHz (base) | 40.0125 MHz (mobile)
Channel 5: 31.1375 MHz (base) | 40.0375 MHz (mobile)
Channel 6: 31.1625 MHz (base) | 40.0625 MHz (mobile)
Channel 7: 31.1875 MHz (base) | 40.0875 MHz (mobile)
Channel 8: 31.2125 MHz (base) | 40.1125 MHz (mobile)

CT1 - 47 MHz System
Channel 1: 1642.00 kHz (base) | 47.45625 MHz (mobile)
Channel 2: 1662.00 kHz (base) | 47.46875 MHz (mobile)
Channel 3: 1682.00 kHz (base) | 47.48125 MHz (mobile)
Channel 4: 1702.00 kHz (base) | 47.49375 MHz (mobile)
Channel 5: 1722.00 kHz (base) | 47.50625 MHz (mobile)
Channel 6: 1742.00 kHz (base) | 47.51875 MHz (mobile)
Channel 7: 1762.00 kHz (base) | 47.53125 MHz (mobile)
Channel 8: 1782.00 kHz (base) | 47.54375 MHz (mobile)

There is also another, less well known system in the UK which is a variant of the above CT1 system but designed for long range communications up to 2 km with extra power, primarily intended for use in rural areas.

CT1 - Extended Range
Channel 1: 47.43125 MHz (base) | 77.5125 MHz (mobile)
Channel 2: 47.41875 MHz (base) | 77.5500 MHz (mobile)

Monitoring these frequencies with a scanner will provide surprising results. Not only will you be able to hear phones around your immediate area - eg. your own analogue cordless phone but also many others in your neighbourhood because the signals carry much further than the average phone owner would imagine.

The actual handsets and bases supplied with most phones are quite insensitive to low signals; most likely this is the manufacturer's intention to keep the range down to avoid possible interference problems with neighbouring telephones. However, with a sensitive scanning receiver and antenna system some of these phones can be picked up over distances of 1.5 km and above! Of course, this depends on a number of factors, chiefly the site the base station is installed in. If a user installs a base station on high ground (eg. upstairs in a house) then the signal will be carried further. I recommend monitoring the base station frequencies because you can hear these much more clearly than the handheld; they appear to be louder usually, and from experience I know that some users don't extend the telescopic antenna when they answer the call, therefore the signals from these are weak. Normally there is sufficient 'cross talk' to hear both sides of a conversation when monitoring the base.

If you have access to a HF receiver, try tuning just above the medium wave broadcast band to monitor telephones around the 1.6 MHz region. These base stations carry a long way on medium wave and sometimes can even be received on a domestic MW radio if it will tune up high enough. I always thought this was a bad choice of frequency for a telephone service since it was accessible to quite a number of people! Be aware when monitoring this range, it is highly likely that you will pick up several base stations in use on the same frequency and as a result you will hear much interference as one base station swamps the other with a strong signal. I have monitored times when you hear one conversation only to be wiped out by another stronger signal straight over the top!

Another surprising finding is to go mobile with a scanner tuned to these frequencies (be it cordless phone driving, or even, gasp at the thought... walking!). You will hear many frequencies in use and you will marvel at the range of these telephones. That's about everything you need to know to get started monitoring cordless phones, but please note that it is actually illegal to monitor these frequencies in the UK. The information provided in this article is for information purposes only, so don't get yourself into trouble!

For further information regarding cordless telephone regulations in the UK read the RA Fact Sheet RA193.