Exposing Cordless Phone Security with a HackRF
Over on YouTube user Corrosive has been uploading some videos that explore cordless phone security with a HackRF. In his first video Corrosive shows how he’s able to use a HackRF to capture and then replay the pager tones (handset finding feature) for a very cheap VTech 5.8 Gigahertz cordless phone. He uses the Universal Radio Hacker software in Windows.
In the second video corrosive shows how bad the voice security on the VTech 5.8 GHz phone can be. It turns out that while advertised as a 5.8 GHz phone and the handset does transmit at 5.8 GHz, the VTech basestation actually transmits voice in clear NFM at around 900 MHz. Cordless phones advertised as 5.8 GHz are typically considered as more secure due to their high frequency which is inaccessible to most scanner radios. In the video he also shows some of the digital pairing signals that the phone and basestation transmits.
I have a cordless digital phone which claims to operate on 1.8-1.9 ghz. I intend to check the base station frequency. Is it common for them to be insecure?
At that frequency if you were looking at a dect cordless phone.
It is completely insecure but it is digital instead of analog, it used to be that you needed a $300 device with a modified driver to listen into these calls but now you can use a relatively inexpensive SDR and some software like gr – dect2 and listen to them all the same.
Technically it supports encryption but I have never once seen a single dect phone use it.
The chances of somebody listening to your calls are slim but very possible, a good rule of thumb is that if it is wireless it is extremely vulnerable to interception.
Thanks for posting, if anyone has any questions I’d be happy to answer them.