Tagged: DECT

YouTube Tutorial: Eavesdropping on DECT6.0 Cordless Phones with a HackRF and GR-DECT2

Back in December of last year Corrosive from his YouTube channel SignalsEverywhere showed us a demo video of him receiving unecrypted DECT digital cordless phones with his HackRF.

DECT is an acronym for 'Digital Enhanced Cordless Telecommunications', and is the wireless standard used by modern digital cordless phones as well as some digital baby monitors. In most countries DECT communications take place at 1880 - 1900 MHz, and in the USA at 1920 - 1930 MHz. Some modern cordless phones now use encryption on their DECT signal, but many older models do not, and most baby monitors do not either. However, DECT encryption is known to be weak, and can be broken with some effort.

In his latest video Corrosive shows us how to install GR-DECT2 on Linux, which is the GNU Radio based decoding software required to decode the DECT signal. He then goes on to show how the software can be used and finally provides some optimizations tips.

DECT 6.0 Cordless Phone Eavesdropping {Install GR-DECT2 and Decode with HackRF SDR} or E4000 RTL SDR

Listening in to a DECT Digital Cordless Phone with a HackRF

Over on YouTube SignalsEverywhere (aka Corrosive) has uploaded a new video where he shows a demonstration of him listening in to a DECT digital cordless phone with his HackRF. 

DECT is an acronym for 'Digital Enhanced Cordless Telecommunications', and is the wireless standard used by modern digital cordless phones as well as some digital baby monitors. In most countries DECT communications take place at 1880 - 1900 MHz, and in the USA at 1920 - 1930 MHz. Some modern cordless phones now use encryption on their DECT signal, but many older models do not, and most baby monitors do not either. However, DECT encryption is known to be weak, and can be broken with some effort.

In his video Corrosive uses gr-dect2, a GNU Radio based program that can decode unencrypted DECT signals. In the video he shows it decoding a DECT call from his cordless phone in real time.

DECT 6.0 Phone Decoded With HackRF SDR | Demonstration

re-DECTed: An RTL-SDR DECT Decoder

Over on GitHub programmer ‘znuh’ has uploaded a new RTL-SDR compatible GNURadio based tool for DECT decoding. DECT is an acronym for ‘Digital Enhanced Cordless Telecommunications’, and is the wireless standard used by modern digital cordless phones. In most countries DECT communications take place at 1880 – 1900 MHz, and in the USA at 1920 – 1930 MHz. So in order to receive these frequencies you’ll need an RTL-SDR with an E4000 chip, or some other compatible SDR that can tune this high.

It appears that the decoder is not actually able to decode audio (at least not yet or without extra work perhaps), but it can at least output the DECT packets to Wireshark for analysis. This may be of interest to those wanting to learn more about the DECT protocol.

Update: Over on the Reddit thread for this software the original poster ‘sanjuro’ has given a hint on how to (in theory) decode the audio, he writes:

In theory you only need to dump B-field data into a file and then play with g726 codec. See documentation from previous de-DECTed project http://wiki.securityweekly.com/wiki/index.php/Episode158

The re-DECTed decoder outputting packets to Wireshark.
The re-DECTed decoder outputting packets to Wireshark.