John Pettitt, jpp@software.net writes:

Whats the current thinking on the security level of 900Mhz digital spread sectrum cordless phones? Clearly it's not a basic scanner job but how much more equipment is needed to monitor one ?

The easiest way to do this is to simply buy a similar phone which has all the required signal processing hardware for that particular type of spread spectrum and modify it to receive promiscuously and not transmit while doing so, As far as I know, essentially no cordless phones use any kind of actual secure encryption of the digital bit stream, so all you have to do is ensure that your shadow phone is primed with the correct spreading sequence or hopping sequence and is tuned to the right center frequency. Typically choices for these are very limited (maybe 20 channels) and modifying the micro firmware in a phone or base unit to search all possiblities is realistic, especially with the help of an external PC as controller. The digital 900 mhz phones all use different proprietary modulation schemes, but many of them simply transmit a FSK or BPSK rf carrier digitally modulated by the output bitstream of a codec chip (CVSD or regular u-law PCM) on one of several randomly selected channels, perhaps slowly hopping from channel to channel in a fixed sequence. Even the phones that use direct sequence spreading are effectively just transmitting a fast BPSK signal modulated at the chip rate. Receivers and signal processing boxes capable of dealing with this kind of digital modulation are a standard commodity item in the spook world (made by Condor Systems and Watkins Johnson and the like) and even sometimes show up on the high tech surplus market (and are collected by some of us who collect high tech spook hardware as a hobby) - they are however very expensive compared with simply modifying a couple of real phones to do the job. The digital modulation and "spread spectrum" features of 900 mhz phones are primarily intended to allow them to share the 902-928 mhz band with all the other users (other phones, truck tracking systems short range wireless video cameras and video distribution, various industrial users, wireless LANs of several types, ham radio operators, and several other types of unlicensed uncoordinated devices radiating up to 1 watt of power) without suffering the kind of interference that has plagued the older 46/49 mhz FM type. The FCC in fact requires some level of spectrum spreading for this purpose but leaves the actual choice up to the implementor rather than establishing a standard method. Obviously only a secure form of encryption with randomly chosen and wide enough keys would really make intercepting a digital cordless phone difficult for someone determined to do so, especially if they were targeting one particular phone. I believe almost all of the manufacturers have chickened out in the face of NSA and ITAR and not even implemented toy encryption with random keys - they are simply assuming that Joe Sixpack or his 14 year old son won't be able to pick them up on a commercially available scanner and that the federal law banning sale of scanners capable of intercepting digital transmissions and converting them to analog listenable audio will keep the scanner companies from marketing such and keep customers from complaining about nosey neighbors listening to their calls. But don't assume that if someone really has some serious reason to want to intercept one they won't be able to - and it is almost certain that expensive ($5-$20K) DSP based systems capable of intercepting several common types are already for sale to the usual suspects. And finally one should not forget that unless one has an ISDN line, intercepting calls on regular analog subscriber loops (normal telephone lines) by virtually undetectable simple alligator clip class wiretaps or bugs is something that any bright 12 year old can pull off (and many do before they grow up) - so if you have something to hide you shouldn't trust the phone at all. Dave Emery die@die.com