YouTube Tutorial: Eavesdropping on DECT6.0 Cordless Phones with a HackRF and GR-DECT2

Back in December of last year, Corrosive from the YouTube channel SignalsEverywhere showed us a demo video of him receiving unencrypted DECT digital cordless phones with his HackRF.

DECT is an acronym for 'Digital Enhanced Cordless Telecommunications', and is the wireless standard used by modern digital cordless phones as well as some digital baby monitors. In most countries DECT communications take place at 1880 - 1900 MHz, and in the USA at 1920 - 1930 MHz. Some modern cordless phones now use encryption on their DECT signal, but many older models do not, and most baby monitors do not either. However, DECT encryption is known to be weak, and can be broken with some effort.

In his latest video Corrosive shows us how to install GR-DECT2 on Linux, the GNU Radio based decoding software required to decode the DECT signal. He then goes on to show how the software is used and finally provides some optimization tips.

11 Comments
lishinn lou

Hi, there are some gnuradio blocks missing. Do you have an updated version that we can download?

don bentley

Just use the DragonOS live install. It has this program and more.

Matthew Montes

Hi, do you have some time for a quick phone call regarding Dect 6 ?

Anonymous

Is there a way to get this to work with the PlutoSDR (since it can technically tune up to the DECT frequencies and should have the bandwidth necessary for decoding)? I replaced the source block with the PlutoSDR source block, and managed to get to the part where after pressing the Play button in GNURadio, gr-dect shows the decoding window and the occupied channels, but my decoded sound is all hisses and pops.

The DECT phones I am using for the test are the Philips CD440, in intercom mode. From what I know, these should not implement encryption so decoding should work.

don bentley

The reason why the HackRF works well for this is because the slice of spectrum your SDR can pick up is wide enough. The PlutoSDR may not be wide enough.
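To make the bandwidth point above concrete (and to tie it to the band figures in the article), here is an added Python example; it is not code from the page, from GR-DECT2 or from either commenter. It uses the standard DECT carrier grid (1.728 MHz channel spacing; ten EU carriers from 1881.792 MHz and five US DECT 6.0 carriers from 1921.536 MHz) and reports which carriers fall completely inside the span an SDR captures at a given center frequency and sample rate. The sample rates in the usage section are assumptions to be replaced with the figures for your own receiver.

```python
"""DECT carrier coverage for a given SDR center frequency and sample rate.

Added example (not from the page or GR-DECT2).  The carrier grids below are
the standard DECT ones; the sample rates used in main() are assumptions.
"""

CARRIER_SPACING_HZ = 1_728_000          # DECT channel spacing
HALF_CARRIER_HZ = CARRIER_SPACING_HZ // 2  # 864 kHz either side of a carrier

# band name -> (lowest carrier in Hz, number of carriers)
DECT_BANDS = {
    "EU": (1_881_792_000, 10),   # 1881.792 .. 1897.344 MHz
    "US": (1_921_536_000, 5),    # 1921.536 .. 1928.448 MHz (DECT 6.0)
}


def carriers(band: str) -> list[int]:
    """All carrier center frequencies (Hz) of a band, lowest first."""
    first, count = DECT_BANDS[band]
    return [first + n * CARRIER_SPACING_HZ for n in range(count)]


def visible_carriers(band: str, center_hz: int, sample_rate_hz: int) -> list[int]:
    """Carriers whose whole 1.728 MHz occupied width lies inside the captured span.

    A complex-sampled SDR sees roughly +/- sample_rate/2 around its tuned
    center; a carrier that only partly overlaps that span is excluded, since a
    decoder needs the full channel.
    """
    lo = center_hz - sample_rate_hz // 2
    hi = center_hz + sample_rate_hz // 2
    return [f for f in carriers(band)
            if f - HALF_CARRIER_HZ >= lo and f + HALF_CARRIER_HZ <= hi]


def best_center(band: str, sample_rate_hz: int) -> tuple[int, list[int]]:
    """Center frequency that covers the most carriers of a band.

    Candidates are the midpoints between every pair of carriers (including a
    carrier with itself), which is enough to find the widest contiguous run
    that fits.  Ties resolve to the lowest-frequency window.
    """
    cs = carriers(band)
    best = (cs[0], [])
    for i in range(len(cs)):
        for j in range(i, len(cs)):
            center = (cs[i] + cs[j]) // 2
            seen = visible_carriers(band, center, sample_rate_hz)
            if len(seen) > len(best[1]):
                best = (center, seen)
    return best


def _mhz(hz: int) -> str:
    return f"{hz / 1e6:.3f} MHz"


def main() -> None:
    # Sample rates here are assumptions, not measured figures for any device.
    for band in ("US", "EU"):
        for rate in (20_000_000, 10_000_000, 4_000_000):
            center, seen = best_center(band, rate)
            print(f"{band} band, {rate / 1e6:.0f} MSPS: tune to {_mhz(center)} "
                  f"to see {len(seen)} of {len(carriers(band))} carriers: "
                  + ", ".join(_mhz(f) for f in seen))


if __name__ == "__main__":
    main()
```

The practical reading is simple: a 20 MHz span covers the whole US band from a single tuning and the whole EU band too, while a 4 MHz span covers at most two adjacent carriers, so a narrower receiver has to be retuned as a handset hops between carriers, which is what the "auto-follow" work mentioned further down the thread addresses.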

Mark

Hi, and do you know something more about encrypted DECT phones? The text above says that DECT encryption is known to be weak and can be broken with some effort. What does that actually mean? Do you know practically how to do that? Thanks in advance.

Anonymous

Looking into that also.

EMM

Hi.

Are these the DECT PCMCIA you are talking about?
https://www.ebay.es/itm/Telefonica-DECT-PCMCIA-Karte-TYP-III-COM-ON-AIR-dedected-compatible/162090759805

For the listed price I’m tempted to give it a try 🙂

Regards,

EMM

Corrosive of SignalsEverywhere

Those work but are type 3 cards. Good luck finding a capable PC with a type 3 slot at a good price.

You want type 2

Not Sure

Very interesting indeed.

I went the other way, and bought a Com-on-air device (PCMCIA), so I had to buy an adapter to mount that in my PC. AND I had to run it under a 32-bit image. Not cheap.

However, the performance was lacking, so I opened it, and soldered a suitable external antenna connector to improve range.

But WOW did it work well. And sorry to say its functionality looked somewhat more ‘refined’ than your demo. The downside being that it only dumped to a .wav file or something – long time since I’ve used it. But in the built-up place that is the UK – there were LOTS of unencrypted handsets to listen to, and the Com-on-air changed freq with the handsets too.

I saw that someone paid a developer to pipe that output to audio in real time, and not just dump to a file. Almost considered that too, but you know how life gets in the way…

I will try this with my Ettus device, given that I saw a .grc file in your video for it.

Corrosive of SignalsEverywhere

The com-on-air is some NICE hardware. I agree 100% and the scanning is superb but man is it expensive.

You know you can listen in near-real time with that. I paid a developer to modify it years ago.
https://github.com/KR0SIV/dedected

Just re-compile the above into the folder over top of your existing installation.
That’ll do live playback and it’ll start on the US band.

It’s an older video but I do have a demo of the com-on-air card as well.
https://www.youtube.com/watch?v=MycM38SjHjg

Oh, I see you've already found the software XD Yeah, that was me.

I’m working to improve the dect2 software to auto-follow the handset freq. Hopefully that will go as planned.