Several years ago back in 2013 and 2014 we uploaded two posts showing how it was possible to use an SDR to listen in to restaurant pagers and collect data from them, and also to spoof their signal and activate them on demand. If you were unaware, restaurant pagers (aka burger pagers), are small RF controlled discs that some restaurants hand out to customers who are waiting for food. When the food is ready, the pager is remotely activated by the staff, and then flashes and buzzes, letting the customer know that their order can be picked up.
Over on YouTube user Tony Tiger has uploaded a video that shows an overview on how to reverse engineer the signal coming from a particular brand of restaurant pagers. The tools he uses include a HackRF SDR and the Inspectrum and Universal Radio Hacker software packages. If you're interested in reverse engineering signals, this is a good overview. Later in the video he shows a GNU Radio and Python program that he's created to control the pagers.
It has been a known open secret that for years many hospitals have been transmitting sensitive patient data over the air completely unencrypted via their pager network. With a simple ultra cheap radio such as an RTL-SDR, or any other cheap radio scanner such as a Baofeng, it is possible to eavesdrop on this sensitive data with very little technical knowledge required. Hospitals appear to be reluctant to upgrade their systems despite clearly being in violation of HIPAA privacy regulations in the USA.
Recently, @WatcherData has been trying to bring attention to this ongoing security breach in his home state of Kansas, and last month was able to get a news article about the problem published in the Kansas City Star newspaper. Over on Twitter he's also been actively documenting breaches that he's found by using an RTL-SDR to receive the pager messages.
Interestingly, publicity generated by @WatcherData's newspaper article has brought forward a hostile response from the hospital in question. Over on Reddit /r/legaladvice, a forum where anyone can ask legal advice questions, @watcherdata posted the following:
I discovered some time ago that hospitals throughout my region of the US are sending messages to physician pagers that include the name, age, sex, diagnosis, room number, and attending physician. These can be seen by anyone with a simple RTL SDR device, and a couple of free programs.
This seems like a massive HIPAA violation. So I contacted the main hospital sending out most of the information, and they were extremely grateful. I got a call within a day from a high level chairman, he explained their steps to remediate, that their auditors and penetration testers missed it, and that they would have it fixed within a week. Sure enough, they started using a patient number and no identifiable information in the pages. A couple of other hospitals have fixed their systems too, after I started contacting them via Twitter.
Early on in this process, I contacted my local newspaper. They reached out to the hospital in question, and were met with a "very hostile" response. They immediately deflected from any HIPAA violations and explained that I (the source) am in violation of the Electronic Communications Privacy Act of 1986.
This was enough to scare me off completely. I've nuked all log files from my systems and stopped collecting data. The reporters want to know how I would like to proceed. Originally, I was going to get full credit for the find in their article. But now, I at least need to be anonymous, and am thinking about asking them not to run the story at all.
Among the replies there doesn't seem to be consensus on whether simply receiving pager messages in the USA is legal or not.
In the past we've seen similar attempts to bring attention to these privacy breaches, such as an art installation in New York called Holypager, which simply continuously printed out all pager messages that were received with a HackRF for gallery patrons to read.
Over on YouTube Jack Riley has created a video that documents his system which uses an RTL-SDR to receive POCSAG pager messages and forward messages sent to specific pager addresses to an email address. He uses his RTL-SDR on a Raspberry Pi, together with rtl_fm and multimon-ng to receive and decode the pager messages.
Then using a custom program that is available on his website he filters messages for a particular 'capcode' which indicates the address of a particular pager. When a pager message to the specified capcode address is received, the program turns the message into an email which is instantly sent out.
This is a nice way to forward pager messages on to a more modern device such as a smart phone.
Creating a Pager using a Raspberry Pi and RTL-SDR to send alerts via Email.
A few days ago the Chaos Communications Congress (a technology and hacking focused conference) commenced. Amongst the talks there was one about reverse engineering the Iridium satellite paging system using software defined radio. Iridium satellites provide global communications via special satellite phones, pagers and other transceivers.
In the talk the speaker shows how they used a USRP radio together with a cheap active iridium antenna, a bandpass filter and an LNA to receive the Iridium satellite signals. They also mention that an E4000 RTL-SDR together with an LNA and appropriate home made antenna for frequencies in the ~1.6 GHz region can also be sufficient. Once they were able to receive signals they were then able to reverse engineer the signal and create several pieces of software to decode the pager messages. The code is available on their GitHub at https://github.com/muccc/iridium-toolkit.
The Ettus USRP B210 is an advanced $1,100 software defined radio that is capable of both transmit and receive. Balint, one of the researchers at Ettus, has posted a video showing how he was able to play a light hearted prank on some of his colleagues using the B210.