On this week's Frugal Radio YouTube video, Rob explores how to decode Fire, Ambulance and Hospital pager data using SDR++ and PDW. In the video Rob first explains what applications pagers are used for in 2021 and how they're typically received with pager or MDT hardware terminals mounted in fire and ambulance trucks.
He then goes on to show how we can receive and decode these pager messages using an RTL-SDR, SDR++, VB-Cable and the PDW pager decoder. The tutorial shows how to set up SDR++ for pager reception, how to install and set up PDW, and how to interface the two programs with VB-Cable. Finally Rob explains how to fully understand some of the messages that you might receive.
Decoding Fire & Ambulance MDT data & hospital pages with a $10 SDR Radio
A few weeks ago we posted about "LikWidChz"'s work on using GNU Radio to channelize multiple NRSC-5 HD-Radio transmissions for simultaneous decoding with GNU Radio and an RTL-SDR. He has now also submitted a way to channelize pager traffic. He writes:
Quite a while ago I wanted to decode pager traffic, specifically Flex. When I started doing some basic poking around I figured out that there were multiple pager transmissions going on at once. Thinking about GnuRadio and its ability to chop up signal... I was curious if anyone tried to decode them all at once... I didn't get a whole lot of answers on the subject and it didn't seem like people used GnuRadio to pass MultiMonNG data... I had my work cut out for me.
In my area all of the Flex transmissions were between 928 MHz and 932 MHz and quite strong... You don't need much of an antenna to RX these transmissions. A simple wire of appropriate length will do nicely.
My plan was to design a graph and tune into the center of the range I was interested in and somehow channelize it. The remaining steps are required to format the data to allow MultiMonNG to process that audio stream. This is done a couple times depending on how many you want to decode in parallel. Have fun!
In this zip file we have uploaded his GRC file and his full PDF description of the flowgraph. Again we note that to get in touch with the author you can log on to #gnuradio and ##rtlsdr on freenode IRC and find him under the nickname "LikWidChz".
Over on YouTube user HackedExistence has uploaded a video explaining how POCSAG pager signals work, and he also shows some experiments that he's been performing with his HackRF PortaPack and an old pager.
The PortaPack is an add-on for the HackRF SDR that allows the HackRF to be used without the need for a PC. If you're interested, in the past we reviewed the PortaPack with the Havok firmware, which enables many TX features such as POCSAG transmissions.
POCSAG is a common RF protocol used by pagers. Pagers have been under the scrutiny of information security experts for some time now as it is common for hospital pagers to spew out unencrypted patient data [1][2][3] into the air for anyone with a radio and computer to decode.
In the video HackedExistence first shows that he can easily transmit to his pager with the HackRF PortaPack and view the signals on the spectrum with an RTL-SDR. Later in the video he explains the different types of pager signals that you might encounter on the spectrum, and goes on to dissect and explain how the POCSAG protocol works.
Several years ago back in 2013 and 2014 we uploaded two posts showing how it was possible to use an SDR to listen in to restaurant pagers and collect data from them, and also to spoof their signal and activate them on demand. If you were unaware, restaurant pagers (aka burger pagers), are small RF controlled discs that some restaurants hand out to customers who are waiting for food. When the food is ready, the pager is remotely activated by the staff, and then flashes and buzzes, letting the customer know that their order can be picked up.
Over on YouTube user Tony Tiger has uploaded a video that shows an overview on how to reverse engineer the signal coming from a particular brand of restaurant pagers. The tools he uses include a HackRF SDR and the Inspectrum and Universal Radio Hacker software packages. If you're interested in reverse engineering signals, this is a good overview. Later in the video he shows a GNU Radio and Python program that he's created to control the pagers.
It has been a known open secret that for years many hospitals have been transmitting sensitive patient data over the air completely unencrypted via their pager network. With a simple ultra cheap radio such as an RTL-SDR, or any other cheap radio scanner such as a Baofeng, it is possible to eavesdrop on this sensitive data with very little technical knowledge required. Hospitals appear to be reluctant to upgrade their systems despite clearly being in violation of HIPAA privacy regulations in the USA.
Recently, @WatcherData has been trying to bring attention to this ongoing security breach in his home state of Kansas, and last month was able to get a news article about the problem published in the Kansas City Star newspaper. Over on Twitter he's also been actively documenting breaches that he's found by using an RTL-SDR to receive the pager messages.
Interestingly, publicity generated by @WatcherData's newspaper article has brought forward a hostile response from the hospital in question. Over on Reddit /r/legaladvice, a forum where anyone can ask legal advice questions, @watcherdata posted the following:
I discovered some time ago that hospitals throughout my region of the US are sending messages to physician pagers that include the name, age, sex, diagnosis, room number, and attending physician. These can be seen by anyone with a simple RTL SDR device, and a couple of free programs.
This seems like a massive HIPAA violation. So I contacted the main hospital sending out most of the information, and they were extremely grateful. I got a call within a day from a high level chairman, he explained their steps to remediate, that their auditors and penetration testers missed it, and that they would have it fixed within a week. Sure enough, they started using a patient number and no identifiable information in the pages. A couple of other hospitals have fixed their systems too, after I started contacting them via Twitter.
Early on in this process, I contacted my local newspaper. They reached out to the hospital in question, and were met with a "very hostile" response. They immediately deflected from any HIPAA violations and explained that I (the source) am in violation of the Electronic Communications Privacy Act of 1986.
This was enough to scare me off completely. I've nuked all log files from my systems and stopped collecting data. The reporters want to know how I would like to proceed. Originally, I was going to get full credit for the find in their article. But now, I at least need to be anonymous, and am thinking about asking them not to run the story at all.
Among the replies there doesn't seem to be consensus on whether simply receiving pager messages in the USA is legal or not.
In the past we've seen similar attempts to bring attention to these privacy breaches, such as an art installation in New York called Holypager, which simply continuously printed out all pager messages that were received with a HackRF for gallery patrons to read.
Over on YouTube Jack Riley has created a video that documents his system which uses an RTL-SDR to receive POCSAG pager messages and forward messages sent to specific pager addresses to an email address. He uses his RTL-SDR on a Raspberry Pi, together with rtl_fm and multimon-ng to receive and decode the pager messages.
Then using a custom program that is available on his website he filters messages for a particular 'capcode' which indicates the address of a particular pager. When a pager message to the specified capcode address is received, the program turns the message into an email which is instantly sent out.
This is a nice way to forward pager messages on to a more modern device such as a smart phone.
Creating a Pager using a Raspberry Pi and RTL-SDR to send alerts via Email.
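As an added illustration of the capcode-filtering step described above (this is example code, not Jack Riley's program), the following Python parses the text lines that multimon-ng prints for decoded POCSAG pages, keeps only those addressed to a watched capcode, and builds the email message for each match. The sample lines, capcodes and addresses are constructed; the `rtl_fm`/`multimon-ng` pipeline in the comment is the assumed input source and is not run here.

```python
import re
import sys
from email.message import EmailMessage

# Typical feed on the Pi (assumed, shown for context, not executed here):
#   rtl_fm -f <pager freq> -s 22050 | multimon-ng -t raw -a POCSAG1200 -f alpha - | python3 pager_filter.py
# multimon-ng prints decoded pages as lines such as:
#   "POCSAG1200: Address: 1234567  Function: 0  Alpha:   some text"
POCSAG_LINE = re.compile(
    r"^POCSAG(?P<baud>\d+):\s+Address:\s*(?P<capcode>\d+)\s+"
    r"Function:\s*(?P<func>\d)\s+(?P<kind>Alpha|Numeric):\s*(?P<text>.*)$"
)

def parse_pocsag_line(line):
    """Return a dict for one decoded page, or None for lines that are not pages."""
    m = POCSAG_LINE.match(line.strip())
    if not m:
        return None
    return {
        "baud": int(m.group("baud")),
        "capcode": int(m.group("capcode")),   # the pager address
        "function": int(m.group("func")),
        "kind": m.group("kind"),              # Alpha (text) or Numeric
        "text": m.group("text").strip(),
    }

def filter_by_capcode(lines, watched):
    """Keep only pages addressed to one of the capcodes in `watched`."""
    return [p for p in map(parse_pocsag_line, lines) if p and p["capcode"] in watched]

def build_email(page, sender, recipient):
    """Turn one decoded page into an email message (sending is left to smtplib)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"Page for capcode {page['capcode']}"
    msg.set_content(f"[POCSAG{page['baud']} {page['kind']}] {page['text']}")
    return msg

# Constructed sample of multimon-ng output; not real traffic.
SAMPLE = [
    "POCSAG1200: Address: 1234567  Function: 0  Alpha:   Engine 3 respond to station alarm test",
    "POCSAG1200: Address:  765432  Function: 2  Numeric: 5551234",
    "POCSAG512: Address: 1234567  Function: 3  Alpha:   Drill complete",
    "random line that is not a decoded page",
]

if __name__ == "__main__":
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for page in filter_by_capcode(source, {1234567}):
        print(build_email(page, "pi@example.test", "me@example.test"))
```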
A few days ago the Chaos Communication Congress (a technology and hacking focused conference) commenced. Among the talks there was one about reverse engineering the Iridium satellite paging system using software defined radio. Iridium satellites provide global communications via special satellite phones, pagers and other transceivers.
In the talk the speaker shows how they used a USRP radio together with a cheap active Iridium antenna, a bandpass filter and an LNA to receive the Iridium satellite signals. They also mention that an E4000 RTL-SDR together with an LNA and an appropriate home made antenna for frequencies in the ~1.6 GHz region can also be sufficient. Once they were able to receive signals they were then able to reverse engineer the signal and create several pieces of software to decode the pager messages. The code is available on their GitHub at https://github.com/muccc/iridium-toolkit.
The Ettus USRP B210 is an advanced $1,100 software defined radio that is capable of both transmit and receive. Balint, one of the researchers at Ettus, has posted a video showing how he was able to play a light hearted prank on some of his colleagues using the B210.
Balint used his USRP B210, controlled by a mobile phone app, to transmit a fake signal to his colleague's pager, causing it to activate before his food was ready.
You Can Page Me Anytime - USRP B210 + GNU Radio (teaser)