FAQ/What about DECT security issues on snom m3 phones?

From Snom User Wiki



Some general comments related to the DECT security discussion

Recently some attacks on DECT security have been demonstrated by a German team. The team has been able to reverse engineer the DECT Standard Authentication Algorithm (DSAA) and, in part, the DECT Standard Cipher (DSC). They have analyzed the properties of the DSAA and its implementation in some DECT phones, and they have found that under some circumstances the implemented DECT security is not as strong as originally anticipated.

The team has done the analysis and demonstrated the flaw in a controlled lab environment. Under real-life conditions we believe it is very difficult to compromise DECT security. They have demonstrated the attack on the DSAA in very constructed scenarios, and the DSC has not been fully disclosed. We believe DECT security is still reasonably strong to justify its use in the applications and products we have implemented using DECT technology. We do not believe that the DECT security mechanisms have in reality been compromised.

One of the findings of the German team was that it is possible to impersonate a DECT FP (fixed part, i.e. the base station). We agree that this is possible using commonly used DECT interoperability settings. For typical DECT telephony solutions such an attack would be easy for the user to detect, as the service characteristics would most likely change. This type of attack would appear to the user more like harassment than a compromise of privacy. We actually believe that eavesdropping on the wired telephone interface would be easier and more likely. Even tapping an unencrypted DECT communication is very difficult and requires very detailed knowledge and equipment, which has not been demonstrated by the German team.

We will further analyze the DECT security implementation in our solutions, including possible improvements beyond the industry standard, and may offer solutions with customer-specific tradeoffs between DECT interoperability and the requirements of dedicated, highly reliable and secure applications.

Please also refer to the statement from DECT Forum: http://www.dect.org/news.aspx?id=41

Regarding specific questions about the security features of the SNOM M3 product

The M3 implements DECT authentication and encryption according to the GAP (Generic Access Profile) standard. Handset authentication is performed for each call. The authentication exchange also derives a new cipher key for each connection, so encryption is enabled with a fresh key for each individual conversation.

If a handset is connected to an impersonating FP that does not request a switch to ciphered mode, the handset accepts such a connection in clear mode, according to the GAP standard. However, the M3 product has many proprietary extensions to the GAP standard, which makes it difficult to fake an M3 base station. If a connection is possible at all, the user will immediately notice that features or services are missing or changed on such an FP. If connected to an impersonating FP, the call cannot be transferred to the original M3 base station. We cannot see how such an FP could trick a handset into operating in clear mode without the user immediately noticing it. Even if it were possible, only one individual handset conversation would be affected, not all the registered handsets.
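The per-call authentication and cipher switching described in the previous two paragraphs, and the clear-mode fallback when an impersonating FP never asks to switch to ciphered mode, as an added simulation. This is example code, not Snom's firmware and not the real DECT algorithms: the DSAA and DSC are not reproduced here, the key derivation is replaced by HMAC-SHA256, ciphering is modelled as a flag, the UAK value is constructed, and `require_cipher` is a hypothetical hardening option (refuse any call that is not ciphered) standing in for the "improvements beyond the industry standard" mentioned above. Message names (AUTHENTICATION-REQUEST, CIPHER-REQUEST) follow the GAP network layer; field sizes are simplified.

```python
"""Per-call DECT GAP authentication and cipher switching, simulated.

Added example, not Snom code.  The real DECT Standard Authentication
Algorithm (DSAA) and DECT Standard Cipher (DSC) are NOT reproduced: key
derivation uses HMAC-SHA256 as a stand-in and ciphering is modelled as a flag.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed User Authentication Key (UAK), shared at subscription time
# between the genuine base and the handset.  The value is made up.
UAK = bytes.fromhex("5f3a9c1e7b2d4680a1b2c3d4e5f60718")


def derive(uak: bytes, rs: bytes, rand_f: bytes) -> Tuple[bytes, bytes]:
    """Stand-in for the DSAA steps A11/A12, returning (RES1, DCK).

    Modelled as K = A11(UAK, RS) and RES1 || DCK = A12(K, RAND_F); the real
    DCK is 64 bits, RES1 32 bits.  HMAC-SHA256 replaces the real functions.
    """
    k = hmac.new(uak, b"A11" + rs, hashlib.sha256).digest()
    out = hmac.new(k, b"A12" + rand_f, hashlib.sha256).digest()
    return out[:4], out[4:12]


@dataclass
class Handset:
    """Portable part (PP).  require_cipher is a hypothetical hardening flag
    beyond GAP: refuse any call that was not switched to ciphered mode."""
    uak: bytes
    require_cipher: bool = False
    dck: Optional[bytes] = None      # Derived Cipher Key for the current call
    cipher_on: bool = False

    def on_authentication_request(self, rs: bytes, rand_f: bytes) -> bytes:
        """AUTHENTICATION-REQUEST from the FP: answer RES1, keep a fresh DCK."""
        res1, self.dck = derive(self.uak, rs, rand_f)
        self.cipher_on = False       # every call starts in clear mode
        return res1

    def on_cipher_request(self) -> bool:
        """CIPHER-REQUEST from the FP: switch to ciphered mode with the DCK."""
        if self.dck is None:
            return False
        self.cipher_on = True
        return True

    def accept_call(self) -> bool:
        """GAP default: accept regardless of cipher state."""
        return self.cipher_on or not self.require_cipher


class GenuineBase:
    """Fixed part (FP) holding the UAK: authenticates, then asks for ciphering."""

    def __init__(self, uak: bytes):
        self.uak = uak

    def run_call(self, pp: Handset) -> Dict[str, object]:
        rs, rand_f = os.urandom(8), os.urandom(8)      # fresh challenge per call
        res1 = pp.on_authentication_request(rs, rand_f)
        expected, dck = derive(self.uak, rs, rand_f)
        if not hmac.compare_digest(res1, expected):
            return {"authenticated": False, "cipher_on": False,
                    "accepted": False, "dck": None}
        pp.on_cipher_request()
        return {"authenticated": True, "cipher_on": pp.cipher_on,
                "accepted": pp.accept_call(), "dck": dck}


class RogueBase:
    """Impersonating FP without the UAK.  It may send a challenge (it cannot
    check the answer) but never requests a switch to ciphered mode."""

    def run_call(self, pp: Handset) -> Dict[str, object]:
        pp.on_authentication_request(os.urandom(8), os.urandom(8))
        return {"authenticated": False, "cipher_on": pp.cipher_on,
                "accepted": pp.accept_call(), "dck": None}


def scenarios() -> Dict[str, Dict[str, object]]:
    """Run the cases the text discusses and report each outcome."""
    gap_pp = Handset(UAK)                            # GAP-default handset
    strict_pp = Handset(UAK, require_cipher=True)    # hypothetical hardening
    genuine, rogue = GenuineBase(UAK), RogueBase()
    first, second = genuine.run_call(gap_pp), genuine.run_call(gap_pp)
    return {
        "genuine": {**second, "fresh_key": first["dck"] != second["dck"]},
        "rogue_gap": rogue.run_call(gap_pp),
        "rogue_strict": rogue.run_call(strict_pp),
        "wrong_uak": genuine.run_call(Handset(bytes(16))),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(name, {k: v for k, v in outcome.items() if k != "dck"})
```

The `genuine` case shows what the M3 paragraph describes: a challenge-response per call and a DCK that differs from one call to the next, after which the base requests ciphering. The `rogue_gap` case is the GAP behaviour discussed above: a base that never sends CIPHER-REQUEST leaves the handset in clear mode and the call is still accepted. The `rogue_strict` case shows the cost of refusing such calls: it closes the clear-mode path, but a handset configured that way would also refuse any interoperable base that does not cipher.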
