At the BSides OK 2020 virtual conference Cameron Mac Millan recently presented a talk titled "It’s 2020, so why am I still able to read your pager traffic?". On this blog we have posted numerous times about privacy breaches stemming from insecure wireless pager traffic. Anyone with a radio or SDR can receive and decode pager messages, and this has been known and done since the 1980's. Cameron's talk explains how paging systems work, who are the modern users of pagers, how to capture and decode pager messages and how to best log and filter through messages. He goes on to describe a number of major pager security breaches that he's personally seen. The talk preview reads:
This talk explores why pagers remain a potential threat vector in many environments despite the technology being 40 years old. This is not a the-sky-is-falling presentation: everything from paging history to how simple it is to decode pager traffic (and the associated risks) is covered without FUD.
I enjoy poking things with sticks and turn over rocks to see what crawls out from under them. One of my interests is seeing how technologies believed to be obsolete can still pose a problem for security today, and do that from the perspective of a 20-year career in infosec. When not creating tomorrow’s problems with yesterday’s technology, I can usually be found wrenching on unusual cars.
It’s 2020, so why am I still able to read your pager traffic? - Cameron Mac Millan - BSidesOK 2020
Pagers are still typically used in many parts of the world by hospitals. It is a tried, tested and very reliable system for messaging, however most systems in the world send data out in unencrypted plain text for all to see. Anyone with a cheap scanner radio or $20 SDR and freely available software can decode every single message sent via paging from almost anywhere in a city as the signals are often extremely strong. Pagers are intended to be reserved for urgent infallible messaging, as paging is more reliable compared to mobile SMS since SMS messages do not always get through, or can be delayed by several minutes. Alternative secure communication channels such as SMS should be used for private information, however this protocol is not always followed due to the additional hassle.
The teen appears to have used either a Baofeng or RTL-SDR to receive the POCSAG pager signal available in his hometown in Western Australia. The pager signal was decoded with multimon-ng, and displayed via the PagerMon software. PagerMon creates a web page that displays pager messages in an easily readable format, and the page can be made accessible to the internet if desired. It seems that the teen is a scanner enthusiast, and did not intend to purposely leak patient data, however others found his PagerMon page and brought it to the attention of the media. His site has now been shut down, and officials have decided to shut down the pager system in favour of a double SMS system.
This is a story that repeats often all around the world. In the past we've seen whistleblowers report on patient data breaches in Vancouver, Kansas, and via an art installation in New York that continuously printed out pager messages.
Canadian based researchers from the "Open Privacy Research Society" recently rang the alarm on Vancouver based hospitals who have been broadcasting patient data in the clear over wireless pagers for several years. These days almost all radio enthusiasts know that with a cheap RTL-SDR, or any other radio, it is possible to receive pager signals, and decode them using a program called PDW. Pager signals are completely unencrypted, so anyone can read the messages being sent, and they often contain sensitive pager data.
Open Privacy staff disclosed their findings in 2018, but after no action was taken for over a year they took their findings to a journalist.
Encryption is available for pagers, but upgrading the network and pagers to support it can be costly. Pagers are also becoming less common in the age of mobile phones, but they are still commonly used in hospitals in some countries due to their higher reliability and range.
In the past we've seen several similar stories, such as this previous post where patient data was being exposed over the pager network in Kansas City, USA. There was also an art installation in New York called Holypager, that continuously printed out all pager messages that were received with a HackRF for gallery patrons to read.
Pager systems are famously known to be insecure, and due to the lack of encryption and high transmit power anyone with an RTL-SDR or other SDR can receive and decode pager messages. The users of pagers are mostly hospitals and doctors, and IT infrastructure professionals who need to be notified of server warnings and errors quickly. We have a text tutorial on decoding these messages with an RTL-SDR available here, and there are several previousposts discussing how insecure they are.
If you prefer a video tutorial, M6LME on YouTube has recently uploaded one where he explains the PDW pager decoding software, the VB-Audio 'banana' audio mixing software, and how to use SDR-Console with an RTL-SDR and the aforementioned software to receive and decode the signal.
How to Decode POCSAG & FLEX using an RTL-SDR Dongle
Over on YouTube the web show Hacker Warehouse have created a video explaining wireless pagers and how RTL-SDRs can be used to sniff them. In the video host Troy Brown starts by explaining what pagers are and how they work, and then he shows how to decode them with SDR# and PDW. We have a tutorial on this project available here too.
Later in the video he shows some examples of pager messages that he's received. He shows censored messages such as hospital patient data being transmitted in plain text, sports scores, a memo from a .gov address claiming allegations of abuse from a client, office gossip about a hookup, a message about a drunk man with a knife, a message from a Windows server with IP address and URL, a message from a computer database, and messages from banks.
In the past we've also seen an art installation in New York which used SDR to highlight the blatant breach of privacy that these pager messages can contain.
For a long time now it has been known that pager data is sent in the clear and in plain text over a strong and easily received RF signal. The signal can easily be intercepted with a standard scanner radio or more recently with an SDR such as the RTL-SDR. Software such as PDW can then be used to decode the signal into plain text. We have a tutorial on this available here.
In these more modern days of cell phones and secure text messaging very few people still use pagers. But one heavy user of pagers is the medical community who still prefer them as they are already widely implemented in hospitals and are very reliable. The lower frequencies and high transmission powers used by pager systems allows for better reception especially in areas prone to poor cellphone reception such as in big buildings like hospitals with many walls underground areas. They are also very reliable as they receive messages instantly, whereas text messages can be delayed in times of high network traffic which is obviously a problem when a doctor is needed urgently. Finally, another advantage is that most pagers only receive, so there are no local transmissions that could interfere with sensitive medical machines. A major downside however is that pager use means that a lot of very private patient data can be easily intercepted by anyone anywhere in the same city as the hospital.
Back in October artist and programmer Brannon Dorsey displayed an art installation at the Radical Networks conference in Brooklyn which he calls Holypager. The idea is to bring attention to the breach of privacy. The installation simply prints out the pager messages as they are sent in real time, accumulating patient data that any visitor can pick up and read. He doesn't mention it on his page, but in one of the photos we see a HackRF One, antenna and Raspberry Pi hiding underneath the installation which is how the pager messages are received. A simple RTL-SDR could also be used as the receiver. Brannon writes:
Holypager is an art installation that intercepts all POCSAG pager messages in the city it resides and forwards them to one (holy) pager. The installation anonymizes all messages and forwards them randomly to one of three pagers on display. Each message is also printed on a contiguous role of receipt paper amassing a large pile of captured pages for gallery goers to peruse.
Pagers use an outdated protocol that requires all messages to be broadcast unencrypted to each pager in the area. It is the role of the individual pager to filter and display only the messages intended for its specific address. The pagers below have been reprogrammed to ignore this filter and receive every message in the city in real time. Today, these devices are primarily used in hospitals to communicate highly sensitive information between doctors and hospital staff.
Given the severity of the HIPPA Privacy Act, one would assume that appropriate measures would be taken to prevent this information from being publicly accessible to the general public. This project serves as a reminder that as the complexity and proliferation of digital systems increase the cultural and technological literacy needed to understand the safe and appropriate use of these systems often do not.
Thank you to Dave for submitting information about his new pager message display software called PagerMon. PagerMon is a web browser based tool for displaying POCSAG pager messages decoded by multimon-ng. It is based around nodejs and uses a sqlite database for storing the messages. Multimon-ng is an RTL-SDR compatible digital mode decoder which can decode multiple protocols including POCSAG pagers.
PagerMon and the features and future features are listed below:
PagerMon is an API driven client/server framework for parsing and displaying pager messages from multimon-ng.
It is built around POCSAG messages, but should easily support other message types as required.
The UI is built around a Node/Express/Angular/Bootstrap stack, while the client scripts are Node scripts that receive piped input.
Capcode aliasing with colors and FontAwesome icons
API driven extensible architecture
Single user, multiple API keys
SQLite database backing
Configurable via UI
Pagination and searching
Filtering by capcode or agency
Duplicate message filtering
WebSockets support – messages are delivered to clients in near realtime
May or may not contain cute puppies
Other database support (MongoDB and DynamoDB planned)
Enhanced message filtering
Bootstrap 4 + Angular 2 support
Enhanced alias control
The GitHub readme has a getting started section which shows how to set up the server and get it running on your local machine.