"privatizing" phones?

[Roger Williams]

>>>>> Geoffrey C Grabow <gcg at pb.net> writes:

  > The key doesn't need to be found in real time!  You can always
  > record the call and decrypt it later.  If the information deals
  > with an event in the future, you could have plenty of time to
  > crack it.
 
US 900 MHz digital cordless phones use MSK modulation on one of 40
channel pairs at 902.59-903.59 and 926.59-927.59 MHz.  Privacy is
achieved by XORing a PN sequence with the CODEC data.  The sequence
offset is determined by a 16-bit code derived from the base unit's
serial number (handset's codes are programmed when placed in the base
unit).

Simple scrambling, not any "encryption" worthy of the name.

A little experimentation with a cordless phone, a scanner with an MSK
demodulator, a sound board, and some simple code to capture serial
data on your computer's printer port would yield all of the frame
information you need, and could then be used to capture real-world
data for analysis.  

Post-processing of the captured data would yield the scrambling code
in a matter of a day or so, and then you'd have the code for that
target phone.

-- 
Roger Williams                         finger me for my PGP public key
Coelacanth Engineering        consulting & turnkey product development
Middleborough, MA           wireless * DSP-based instrumentation * ATE
tel +1 508 947-8049 * fax +1 508 947-9118 * http://www.coelacanth.com/