This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
This article explains that an intruder can only compromise the security of a DECT system by gaining access to the data exchanged between the headset and base station during initial pairing. Therefore, protecting the pairing process from unauthorized access is at the heart of a secure wireless communication system.
In Sennheiser devices, pairing is only possible when the headset is physically docked in the base station. A potential intruder therefore has no way of calculating or intercepting the pairing data wirelessly.
This, together with the added security layers provided by the standard DECT protocol, makes the overall security of Sennheiser DECT products very high. As a result, they are virtually immune to the commonly perceived threats to a wireless system, namely passive eavesdropping, base station impersonation and fraud.
About DECT Technology
Digital Enhanced Cordless Telecommunications (DECT™) is the European Telecommunications Standards Institute’s (ETSI) standard for short-range cordless communications, which can be adapted for voice, data and networking applications.
DECT technology has become the global standard for secure residential and business cordless phone communications. More than 110 countries have adopted the DECT system with more than 100 million new devices sold annually.
The DECT Security Chain
The DECT security chain is made up of three main processes: Pairing, Per Call Authentication and Encryption.
Most DECT enabled devices follow these processes. The DECT standard, however, does not define exactly how pairing data should be exchanged. The sections below detail the generic DECT processes, as well as the two common pairing methods used by headset manufacturers.
The Pairing Process – The Backbone of a Wireless Communication System’s Security
An overview of Validation and Pairing
In order for a DECT headset and base station to pair, they first need to validate each other with a matching 4-digit PIN code. An automatic process known as ‘easy pairing’ is used in most DECT headsets, enabling pairing to start without the user having to manually enter a PIN code.
When validation is complete, pairing can initiate. This process is driven by an algorithm only available to DECT manufacturers, called the DECT Standard Authentication Algorithm (DSAA). The algorithm is executed simultaneously in the headset and base using the 4-digit PIN code and a random number stream. The results of the algorithm are exchanged and must match for successful pairing.
The Master Security Key – the key to keeping out DECT intruders
Another output of the DSAA algorithm is the Master Security Key (also known as the 128-bit UAK). The Master Security Key is used in all subsequent DECT security procedures. Since it could be used to compromise the security of a DECT communication system, it is critical to keep the Master Security Key protected from potential intruders.
Wireless pairing – a vulnerable area in the DECT security chain – in some DECT devices
It is a DECT requirement that the PIN code and Master Security Key are never exchanged ‘over the air’. However, some DECT devices transfer the data used to calculate the Master Security Key wirelessly. This opens up the possibility of an attacker ‘sniffing’ the pairing data, using highly sophisticated equipment. With very deep and specialized knowledge about DECT encryption, the intruder could, in theory, calculate the Master Security Key and thereby compromise the security of the system.
Protected pairing – the key to security in Sennheiser DECT devices
Sennheiser DECT devices have a very high security level, due to the process required to pair a Sennheiser headset and base station.
Rather than transferring pairing data ‘over the air’, the charging terminals are used for data communication. This means that a Sennheiser headset needs to be physically docked in a Sennheiser base, in order for the registration and security bindings to be established. This makes it virtually impossible for a third party to ‘sniff’ or intercept the pairing data from a remote location.
Since the Master Security Key is stored on the devices and never transmitted over the air, this feature provides best-in-class security against any kind of unauthorized access.
Conference pairing – a unique Master Security Key in each headset ensures no misuse
In Sennheiser headsets, it is possible to establish a DECT conference with up to four headsets connected to one base. In this scenario, each headset will get its own unique Master Security Key. This ensures that the Master Security Key stored in a guest headset cannot be misused later on the conference base station.
Other Security Measures in DECT Devices
Per Call Authentication
Every time a call is made, the base needs to ensure that the connected headset has been paired – and is therefore safe to communicate with. The base does this by sending a random number stream – also known as a ‘challenge’ – to the headset. The headset and base station then simultaneously run an authentication algorithm, using the random numbers and Master Security Key as input. The headset sends its ‘response’ back to the base station and if the calculation outputs match, the call can be placed. If not, the call is rejected. Another output of the “Per Call Authentication” process is the generation of a Session Encryption Key, which is further described in the “Encryption” section below.
The Per call authentication process flow:
It is the industry standard to authenticate headsets ‘over the air’ prior to each call. While this data can be ‘sniffed’ by an intruder, it is of little value without knowing the Master Security Key. In the case of Sennheiser devices, it would only be possible to retrieve the data used to calculate the Master Security Key with physical access, making it even more difficult, and virtually impossible, for intruders to attack.
Encryption
Once a secure link is established between the headset and base, the units can communicate. To protect against passive eavesdropping, voice data is encrypted in both directions. A DECT standard encryption algorithm called DSC (with 64-bit encryption key) is used to encrypt voice data and call-related digital signaling. For an unauthorized user, the encrypted data would look like a meaningless stream of digital data.
The encryption process flow:
A new Session Encryption Key is produced for each call during the Per Call Authentication process (as described previously). As a result, an intruder cannot gain access to the Session Encryption Key without hacking into the pairing process. In the case of Sennheiser devices, this can only be done through a physical connection between headset and base, making the exchange of voice data extremely secure.
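The challenge-response exchange from the “Per Call Authentication” section and the per-call Session Encryption Key described above can be modelled as follows. This is an added example, not Sennheiser or DECT reference code: DSAA is not reproduced here, so HMAC-SHA256 stands in for the authentication algorithm, and the class names, field sizes other than the 128-bit Master Security Key and 64-bit session key, and the docked pairing step modelled as a random key handover are assumptions.

```python
import hashlib
import hmac
import secrets

def auth_outputs(uak: bytes, challenge: bytes):
    """Stand-in for the DECT authentication algorithm (assumption: HMAC-SHA256,
    not DSAA). Returns (response, 64-bit session key) from UAK + challenge."""
    response = hmac.new(uak, b"res" + challenge, hashlib.sha256).digest()[:8]
    session_key = hmac.new(uak, b"key" + challenge, hashlib.sha256).digest()[:8]
    return response, session_key

class Headset:
    def __init__(self, uak: bytes):
        self.uak = uak              # stored on the device, never transmitted
        self.session_key = None

    def answer(self, challenge: bytes) -> bytes:
        response, self.session_key = auth_outputs(self.uak, challenge)
        return response

class Base:
    def __init__(self):
        self.paired = {}            # headset id -> UAK set while docked

    def pair_docked(self, headset_id: str) -> bytes:
        # Simplification: the UAK is modelled as a fresh random 128-bit value
        # handed over through the charging contacts, unique per headset.
        self.paired[headset_id] = secrets.token_bytes(16)
        return self.paired[headset_id]

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(8)

    def verify(self, headset_id: str, challenge: bytes, response: bytes):
        uak = self.paired.get(headset_id)
        if uak is None:
            return None             # never paired: reject
        expected, session_key = auth_outputs(uak, challenge)
        # Constant-time comparison of the two calculation outputs.
        return session_key if hmac.compare_digest(expected, response) else None

def place_call(base: Base, headset_id: str, headset: Headset):
    """Return (session key or None if rejected, what was visible on air)."""
    challenge = base.new_challenge()            # base -> headset, over the air
    response = headset.answer(challenge)        # headset -> base, over the air
    return base.verify(headset_id, challenge, response), (challenge, response)
```

Only the challenge and response cross the air interface; the Master Security Key and the derived session key stay on the two devices, so a recorded response fails against the next call's fresh challenge.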
Security Concerns and Countermeasures
The security features described provide a very high security level against unauthorized access. The table below summarizes the main perceived threats and countermeasures.
SENNHEISER LEGAL DISCLAIMER
At Sennheiser we strive to ensure the best security measures in our DECT products. However, we cannot be held responsible with regard to compensation for damages or expenses due to any security breaches taking place on the part of the customer by using our DECT products. The customer acknowledges that no technology provides complete security. For higher security requirements than provided by the DECT standard, additional measures must be implemented by the customer.
Nevertheless, Sennheiser Communications will be liable for damages from injury to life, body or health due to negligent breach of duty by Sennheiser Communications or damages arising from a breach caused by gross negligence or willful intent by Sennheiser Communications. Sennheiser Communications is also liable for negligent breaches of essential contractual obligations. Essential contractual obligations means obligations whose performance is a fundamental prerequisite for the proper execution of the contract and on which a contracting party may rely. In this case, compensation is limited to foreseeable, typical damages.
The above provisions also apply to damages caused by a legal representative or a person used to perform an obligation of Sennheiser Communications. Sennheiser Communications’ liability according to the Danish/European Product Liability Act remains unaffected.