Dual Tone Multi Frequency signaling, commonly referred to as DTMF, is mainly used for phone dialing systems. But this isn’t the only use for DTMF signaling. Another common use is security access systems. In this post, I’ll be covering how to decode DTMF using MultiMon-NG. SoX will be used to record the DTMF signals generated on cell phones and keyless entry systems. I’ll be using a high gain directional microphone with a secondary microphone to cancel out background noise. SoX will also be used to process the audio to bring out the DTMF signals. Then the results will be decoded with MultiMon-NG, lets begin.
I captured a video clip that has a dialup modem connecting to a BBS. I edited the clip so I’m left with the DTMF dialup portion. I used this command for the edit.
ffmpeg -i "/home/local/Desktop/DTMF Decode/9-36.mp4" -ss 00:00:09 -t 00:00:04 -acodec pcm_s16le -ac 1 -ar 44100 "/home/local/Desktop/DTMF Decode/01_Segment.wav"
Now, I’ll demonstrate how to decode the DTMF with MultiMon-NG. If you haven’t installed MultiMon-NG, I won’t cover that in detail here. Please refer to the Github site for details, https://github.com/EliasOenal/multimon-ng. For me, these commands did the installation.
git clone https://github.com/EliasOenal/multimon-ng cd multimon-ng mkdir build cd build cmake .. make sudo make install
Now I’ll decode the DTMF sample with this command.
multimon-ng -a DTMF -t wav "/home/local/Desktop/DTMF Decode/01_Segment.wav"
It doesn’t take long for the results to appear. The number dialed is 15702340003. Just to be certain this isn’t a fluke, I’ll use SoX to reverse the audio and see if the decode can pick up the reversed number sequence.
sox "/home/local/Desktop/DTMF Decode/01_Segment.wav" "/home/local/Desktop/DTMF Decode/01_Segment_reversed.wav" reverse multimon-ng -a DTMF -t wav "/home/local/Desktop/DTMF Decode/01_Segment_reversed.wav"
It works, the numbers appear in the reverse order, 30004320751. So the next thing I would like to determine is how tolerant is the decoding to noise. To test this I’ll first generate some white noise with this command.
sox -r 44100 -n "/home/local/Desktop/DTMF Decode/02_WhiteNoise.wav" synth 5 whitenoise
Next, I’ll mix this in with the DTMF audio file using this command.
sox -m "/home/local/Desktop/DTMF Decode/01_Segment.wav" "/home/local/Desktop/DTMF Decode/02_WhiteNoise.wav" "/home/local/Desktop/DTMF Decode/03_DTMF_Noise.wav" trim 0
The results have an extremely high level of noise. Lets see if the decode can get the numbers out from it.
multimon-ng -a DTMF -t wav "/home/local/Desktop/DTMF Decode/03_DTMF_Noise.wav"
It proved to be too difficult for the decoder to get the numbers. Lets drop the white noise level down by half and try again. Here are the commands for the whole show.
sox -v 0.5 "/home/local/Desktop/DTMF Decode/02_WhiteNoise.wav" "/home/local/Desktop/DTMF Decode/02_WhiteNoise_Half.wav" sox -m "/home/local/Desktop/DTMF Decode/01_Segment.wav" "/home/local/Desktop/DTMF Decode/02_WhiteNoise_Half.wav" "/home/local/Desktop/DTMF Decode/03_DTMF_HalfNoise.wav" trim 0 multimon-ng -a DTMF -t wav "/home/local/Desktop/DTMF Decode/03_DTMF_HalfNoise.wav"
Still too much noise, so lets try with only 25% of the noise level this time.
sox -v 0.25 "/home/local/Desktop/DTMF Decode/02_WhiteNoise.wav" "/home/local/Desktop/DTMF Decode/02_WhiteNoise_Quater.wav" sox -m "/home/local/Desktop/DTMF Decode/01_Segment.wav" "/home/local/Desktop/DTMF Decode/02_WhiteNoise_Quater.wav" "/home/local/Desktop/DTMF Decode/03_DTMF_QuaterNoise.wav" trim 0 multimon-ng -a DTMF -t wav "/home/local/Desktop/DTMF Decode/03_DTMF_QuaterNoise.wav"
Bingo, we are able to decode with a 25% noise level in the background. Now lets test the limits of it, this will be some trial and error to get to that point.
When I dropped down to the last test, some of the numbers would decode. So it looks like 25 percent is our tolerable noise floor. Now for a practical applicaiton. In this test, I’ll be captureing audio from a microphone. The microphoe will be pointed at a device that is generating the DTMF signals, which is poor design from a security standpoint. I’ll then take the resulting audio and attempt to decode the numbers that were entered. Here are the commands I used to do this.
arecord -l ffmpeg -f alsa -ac 1 -ar 44100 -i hw:1,0 -t 120 "/home/local/Desktop/DTMF Decode/04_DTMF_Recorded.wav" # dialed code on keypad 1 570 234 0003 ffmpeg -i "/home/local/Desktop/DTMF Decode/04_DTMF_Recorded.wav" -ss 00:00:58 -t 00:00:18 -acodec pcm_s16le -ac 1 -ar 44100 "/home/local/Desktop/DTMF Decode/04_DTMF.wav" sox -v 3 "/home/local/Desktop/DTMF Decode/04_DTMF.wav" "/home/local/Desktop/DTMF Decode/04_DTMF_Volume3.wav" ffmpeg -i "/home/local/Desktop/DTMF Decode/04_DTMF_Volume3.wav" -ss 00:00:08 -t 00:00:01 -acodec pcm_s16le -ac 1 -ar 44100 "/home/local/Desktop/DTMF Decode/04_DTMF_Volume3_Noise.wav" sox "/home/local/Desktop/DTMF Decode/04_DTMF_Volume3_Noise.wav" -n noiseprof "/home/local/Desktop/DTMF Decode/04_DTMF_Volume3_Noise.prof" sox "/home/local/Desktop/DTMF Decode/04_DTMF_Volume3.wav" "/home/local/Desktop/DTMF Decode/04_DTMF_Volume3_NoNoise.wav" noisered "/home/local/Desktop/DTMF Decode/04_DTMF_Volume3_Noise.prof" 0.025 multimon-ng -a DTMF -t wav "/home/local/Desktop/DTMF Decode/04_DTMF_Volume3_NoNoise.wav"
The first command was a device list so we select the correct input device. The next command recorded a 2 minute audio clip from the microphone we wanted. While it recorded DTMF signals were entered on a device some distance from the microphone. After the recording completed, the segment with the actual DTMF signals was extracted. The initial decode failed so a volume increase was made of the audio clip. The decode continued to get partial values, so a noise profile was created with a sample of silent background noise. This noise profile was filtered from the audio clip. Here are the results of the decode.
Enabled demodulators: DTMF DTMF: 1 DTMF: 1 DTMF: 5 DTMF: 7 DTMF: 0 DTMF: 2 DTMF: 3 DTMF: 4 DTMF: 4 DTMF: 0 DTMF: 0 DTMF: 0 DTMF: 0 DTMF: 3
You can see that there are some duplicate numbers, but the results are revealing. With some added band pass filtering, improved noise reduction, and clip duration changes the results would be highly accurate. This is why DTMF signals have absolutely no concept of security. Entering numbers that are sensitive, especially for security access, within earshot of a device can be an invitation for something bad.
In this post we covered decoding DTMF signals using MultiMon-NG. These signals are typically decoded with chips that are designed for solely for this purpose. MultiMon-NG is a multipurpose digital decoder that handles numerous digital encoding standards. I demonstrated that it can decode numbers from recorded media. I also demonstrated DTMF signaling shortcomings in regards to security.