Re: "privatizing" phones?

At 12:26 07/28/96 +0200, Remo Pini wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> To: cypherpunks@toad.com
> Date: Sun Jul 28 12:24:57 1996
>
>> Even if they did change the frequency the call was on, it would be a simple matter to decode how the frequency change was negotiated, and "follow" the call (also easily accomplished with cellular calls). Failing that, there is a very limited range of frequencies allocated for cordless fones, and simply re-scanning for the conversation is a trivial inconvenience. //cerridwyn//
>
> Most of those systems do also change the order of the transmitted data, and that's not limited to a few possibilities. If it's digital, they usually encrypt it (only weakly, but hey, you normally have to find the key in real time!)
The key doesn't need to be found in real time! You can always record the call and decrypt it later. If the information deals with an event in the future, you could have plenty of time to crack it.
G.C.G.

Geoffrey C Grabow <gcg@pb.net> writes:
> The key doesn't need to be found in real time! You can always record the call and decrypt it later. If the information deals with an event in the future, you could have plenty of time to crack it.

US 900 MHz digital cordless phones use MSK modulation on one of 40 channel pairs at 902.59-903.59 and 926.59-927.59 MHz. Privacy is achieved by XORing a PN sequence with the CODEC data. The sequence offset is determined by a 16-bit code derived from the base unit's serial number (the handset's codes are programmed when it is placed in the base unit). Simple scrambling, not any "encryption" worthy of the name.

A little experimentation with a cordless phone, a scanner with an MSK demodulator, a sound board, and some simple code to capture serial data on your computer's printer port would yield all of the frame information you need, and could then be used to capture real-world data for analysis. Post-processing of the captured data would yield the scrambling code in a matter of a day or so, and then you'd have the code for that target phone.

-- 
Roger Williams
finger me for my PGP public key
Coelacanth Engineering
consulting & turnkey product development
Middleborough, MA
wireless * DSP-based instrumentation * ATE
tel +1 508 947-8049 * fax +1 508 947-9118 * http://www.coelacanth.com/
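[Editor's note: the following worked example is added here; it is not code from either poster. It models the scheme Roger describes (codec bytes XORed with a PN sequence whose starting offset is a 16-bit code) and shows Geoffrey's point in action: the code is recovered offline from a recording by trying all 2^16 offsets, no real-time attack needed. The thread does not give the PN generator or the frame format, so those are assumptions chosen for the demonstration: a 16-bit maximal-length LFSR (taps 16, 14, 13, 11, seed 0xACE1) stands in for the phone's PN generator, frames are 8 bytes with a constant sync byte 0x7E in front, and the "recording" is constructed in the script rather than captured off the air.]

```python
"""Toy model of the 900 MHz cordless-phone "privacy" scheme described in the thread.

Added example, not from the original posts. Taken from the thread: CODEC data is
XORed with a PN sequence, and the sequence offset is a 16-bit code derived from
the base unit's serial number. Assumed for the demonstration: the PN generator
(16-bit Fibonacci LFSR, taps 16/14/13/11, seed 0xACE1), the frame layout (8-byte
frames, first byte a constant sync value), and the recording (constructed here).
"""
import random

LFSR_SEED = 0xACE1           # assumed seed; any non-zero state works
PERIOD = (1 << 16) - 1       # a 16-bit m-sequence repeats every 65535 bits
FRAME_LEN = 8                # assumed frame size in bytes
SYNC = 0x7E                  # assumed constant first byte of every frame


def pn_sequence(seed=LFSR_SEED):
    """One full period of the PN sequence (x^16 + x^14 + x^13 + x^11 + 1)."""
    state, bits = seed, []
    for _ in range(PERIOD):
        bits.append(state & 1)
        fb = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
        state = (state >> 1) | (fb << 15)
    return bits


PN = pn_sequence()


def keystream_byte(offset, index):
    """Byte `index` of the keystream that begins at bit `offset` of PN."""
    base = offset + 8 * index
    value = 0
    for i in range(8):
        value = (value << 1) | PN[(base + i) % PERIOD]
    return value


def scramble(data, code):
    """XOR the codec bytes with the PN stream starting at offset `code`.
    XOR is its own inverse, so the same call descrambles. Offsets beyond the
    65535-bit period wrap, so code 0xFFFF behaves like code 0."""
    offset = code % PERIOD
    return bytes(b ^ keystream_byte(offset, i) for i, b in enumerate(data))


def make_recording(code, frames=16, seed=1):
    """Constructed stand-in for an over-the-air capture: `frames` frames of
    sync byte + 7 pseudo-random 'codec' bytes, scrambled under `code`."""
    rng = random.Random(seed)
    clear = bytearray()
    for _ in range(frames):
        clear.append(SYNC)
        clear.extend(rng.randrange(256) for _ in range(FRAME_LEN - 1))
    return bytes(clear), scramble(bytes(clear), code)


def recover_code(recording, prefilter_frames=4):
    """Offline brute force over the 16-bit code space.
    A candidate passes a cheap prefilter when it turns the first byte of the
    first few frames back into SYNC (8 bits of confirmation per frame), and
    is accepted only if every frame of the recording then descrambles to a
    SYNC-led frame. No real-time constraint: this runs on the recording."""
    n_frames = len(recording) // FRAME_LEN
    for code in range(PERIOD):
        if not all(recording[f * FRAME_LEN] ^ keystream_byte(code, f * FRAME_LEN) == SYNC
                   for f in range(prefilter_frames)):
            continue
        clear = scramble(recording, code)
        if all(clear[f * FRAME_LEN] == SYNC for f in range(n_frames)):
            return code
    return None


def demo(code=0x3A7F):
    """Scramble a constructed call under `code`, recover the code from the
    recording alone, and confirm the whole recording descrambles."""
    clear, recording = make_recording(code)
    found = recover_code(recording)
    return found, scramble(recording, found) == clear


if __name__ == "__main__":
    found, ok = demo()
    print(f"recovered code 0x{found:04X}; full descramble matches: {ok}")
```

The search space is the point: 65535 distinct offsets is small enough that a recording plus a constant byte per frame is all the "cryptanalysis" required, which is why the thread calls this scrambling rather than encryption. On a real unit the PN generator and frame structure would first have to be recovered with the demodulator-and-printer-port setup Roger describes; the brute force itself is the easy part.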