Tagged: POCSAG

TechMinds: OpenWebRX Feature Overview And Raspberry Pi Setup

Over on YouTube TechMinds has posted his latest video which shows an overview of the features available in OpenWebRX, and also how to set it up on a Raspberry Pi. OpenWebRX is software which allows you to access your SDR remotely via the internet or local network through a web browser. All major SDRs are supported including RTL-SDRs. The software includes a waterfall display, all the standard demodulators, as well as several digital decoders for DMR, YSF, NXDN, D-Star, POCSAG, APRS, FT8, FT4, WSPR, JT65 and JT9.

In the video TechMinds first demonstrates OpenWebRX in action, showing reception of HF SSB amateur radio signals, decoding FT8 and plotting received grids on a map, decoding and plotting APRS on a map and decoding YSF/DSTAR/DMR digital voice. After this demonstration he goes on to show how to set up the OpenWebRX server on a Raspberry Pi via the installation image.

OpenWebRX Feature Overview And Raspberry Pi Setup

Australian Teenager Exposes COVID-19 Patient Data via POCSAG Pager Network

A 15 year old Australian teenager has been accused of leaking sensitive COVID-19 patient data such as the phone numbers and addresses of people in quarantine, and conversations between health officials and doctors about COVID-19 patients. The leak occurred via a public web page that he had set up to share decoded POCSAG pager data that he received from his home.

Pagers are still typically used in many parts of the world by hospitals. It is a tried, tested and very reliable system for messaging, however most systems in the world send data out in unencrypted plain text for all to see. Anyone with a cheap scanner radio or $20 SDR and freely available software can decode every single message sent via paging from almost anywhere in a city as the signals are often extremely strong. Pagers are intended to be reserved for urgent infallible messaging, as paging is more reliable compared to mobile SMS since SMS messages do not always get through, or can be delayed by several minutes. Alternative secure communication channels such as SMS should be used for private information, however this protocol is not always followed due to the additional hassle.

The teen appears to have used either a Baofeng or RTL-SDR to receive the POCSAG pager signal available in his hometown in Western Australia. The pager signal was decoded with multimon-ng, and displayed via the PagerMon software. PagerMon creates a web page that displays pager messages in an easily readable format, and the page can be made accessible to the internet if desired. It seems that the teen is a scanner enthusiast, and did not intend to purposely leak patient data, however others found his PagerMon page and brought it to the attention of the media. His site has now been shut down, and officials have decided to shut down the pager system in favour of a double SMS system.

Some of the leaked messages via 9 News Perth
Some of the leaked pager messages via 9 News Perth

This is a story that repeats often all around the world. In the past we've seen whistleblowers report on patient data breaches in VancouverKansas, and via an art installation in New York that continuously printed out pager messages.

OpenEar Updated to Version 1.6

The RTL-SDR compatible multi-mode digital decoder OpenEar has recently been updated to version 1.6. The latest version currently supports the decoding of FM/AM, TETRA, DMR, Pocsag and ADS-B. New features include a zoomable waterfall and other GUI and functionality improvements. The changelog reads:

6/4/2020
version 1.6.0
- saving last settings
- waterfall
- zoom on spectrum and waterfall with mouse wheel
- better list placement (pocsag & ads-b)
- wav(I/Q) loading (only 1024000 Sample/sec)
- voice volume & mute button
- spectrum range and offset
- rtl gain and correction (ppm)
- top menu
- frequency list
- some DMR improvement on SYNC detection
- solved center frequency issue (DC problem)
- and other few UI improvements

OpenEar Version 1.6
OpenEar Version 1.6

OpenEar Now Supports TETRA, DMR, POCSAG, ADS-B

Back in March we posted about "OpenEar" which was a newly released Windows TETRA decoder for RTL-SDR dongles. Back then the author "moneriomaa" noted that he planned to add several new modes. In the release that is currently available, OpenEar now supports TETRA, DMR, Pocsag, ADS-B as well as standard AM and NFM modes. We tested the software, and all modes appear to decode as advertised. In the future the author plans to add more modes such as MPT-1327 and AERO.

In the previous post we added an update noting that OpenEar appeared to be violating the GPL licence of OsmocomTETRA, and the author noted that he would remove the TETRA functionality until licencing was resolved. As TETRA decoding is back in the recent releases we assume these legal issues have been solved.

In the current release you also need to provide your own rtlsdr.dll file, which can be obtained from your SDR# folder, or directly from the Osmocom windows release (rename librtlsdr.dll to rtlsdr.dll).

Latest OpenEar Version
Latest OpenEar Version

An Introduction to Pagers with the HackRF PortaPack and an RTL-SDR

Over on YouTube user HackedExistence has uploaded a video explaining how POCSAG pager signals work, and he also shows some experiments that he's been performing with his HackRF PortaPack and an old pager.

The Portapack is an add on for the HackRF SDR that allows the HackRF to be used without the need for a PC. If you're interested in the past we reviewed the PortaPack with the Havok Firmware, which enables many TX features such as POCSAG transmissions.

POCSAG is a common RF protocol used by pagers. Pagers have been under the scrutiny of information security experts for some time now as it is common for hospital pagers to spew out unencrypted patient data [1][2][3] into the air for anyone with a radio and computer to decode.

In the video HackedExistence first shows that he can easily transmit to his pager with the HackRF PortaPack and view the signals on the spectrum with an RTL-SDR. Later in the video he explains the different types of pager signals that you might encounter on the spectrum, and goes on to dissect and explain how the POCSAG protocol works.

Intro to Pagers - POCSAG with HackRF

Vancouver Broadcasts Hospital Patient Data Over Unencrypted Wireless Pagers

Canadian based researchers from the "Open Privacy Research Society" recently rang the alarm on Vancouver based hospitals who have been broadcasting patient data in the clear over wireless pagers for several years. These days almost all radio enthusiasts know that with a cheap RTL-SDR, or any other radio, it is possible to receive pager signals, and decode them using a program called PDW. Pager signals are completely unencrypted, so anyone can read the messages being sent, and they often contain sensitive pager data.

Open Privacy staff disclosed their findings in 2018, but after no action was taken for over a year they took their findings to a journalist.

Encryption is available for pagers, but upgrading the network and pagers to support it can be costly. Pagers are also becoming less common in the age of mobile phones, but they are still commonly used in hospitals in some countries due to their higher reliability and range.

In the past we've seen several similar stories, such as this previous post where patient data was being exposed over the pager network in Kansas City, USA. There was also an art installation in New York called Holypager, that continuously printed out all pager messages that were received with a HackRF for gallery patrons to read.

HolyPager Art Installation. HackRF One, Antenna and Raspberry Pi seen under the shelf.
HolyPager Art Installation. HackRF One, Antenna and Raspberry Pi seen under the shelf.

YouTube Tutorial: Decoding POCSAG and FLEX Pager Messages on Windows with PDW

Pager systems are famously known to be insecure, and due to the lack of encryption and high transmit power anyone with an RTL-SDR or other SDR can receive and decode pager messages. The users of pagers are mostly hospitals and doctors, and IT infrastructure professionals who need to be notified of server warnings and errors quickly. We have a text tutorial on decoding these messages with an RTL-SDR available here, and there are several previous posts discussing how insecure they are. 

If you prefer a video tutorial, M6LME on YouTube has recently uploaded one where he explains the PDW pager decoding software, the VB-Audio 'banana' audio mixing software, and how to use SDR-Console with an RTL-SDR and the aforementioned software to receive and decode the signal.

How to Decode POCSAG & FLEX using an RTL-SDR Dongle

RPiTX v2 Released: Easily Record and Replay with RTL-SDR and a Raspberry Pi

RPiTX is software for the Raspberry Pi which can turn it into a 5 kHz to 1500 MHz transmitter which can transmit any arbitrary signal. In order to transmit the software does not require any additional hardware apart from a wire plugged into a GPIO pin on the expansion header. It works by modulating the GPIO pin with square waves in such a way that the desired signal is generated. However, although additional hardware isn't required, if RPiTX is to be used in any actual application a band-pass filter is highly recommended in order to remove any harmonics which could interfere and jam other radio systems.

Earlier this month RPiTX was upgraded to version 2. One of the changes is a new GUI for testing the various transmission modes. Currently it is possible to transmit a chirp, FM with RDS, USB, SSTV, Opera, Pocsag, SSTV, Freedv. There is also a spectrum painter which allows you to display an image on a SDR's waterfall.

The RPiTX V2 GUI
The RPiTX V2 GUI
Painting an Image on a SDR Waterfall Display with RPiTX v2
Painting an Image on a SDR Waterfall Display with RPiTX v2

The RPiTX v2 update also makes recording a signal with an RTL-SDR, and replaying that signal with RPiTX significantly easier. Previously it was necessary to go through a bunch of preprocessing steps (as described in our previous tutorial) in order to get a transmittable file, but now RPiTX is capable of transmitting a recorded IQ file directly. This makes copying things like 433 MHz ISM band remotes significantly easier. One application might be to use RPiTX as an internet connected home automation tool which could control all your wireless devices.

Finally, another application of the RPiTX and RTL-SDR combination is a live RF relay. The software is able to receive a signal at one frequency from the RTL-SDR, and then re-transmit it at another frequency in real time. Additionally, it is also capable of live transmodulation, where it receives an FM radio station, demodulates and then remodulates it as SSB to transmit on another frequency.

The RPiTX V2 RTL-SDR Menu
The RPiTX V2 RTL-SDR Menu
RPiTX v2 re-transmitting a broadcast FM signal live at 434 MHz.
RPiTX v2 re-transmitting a broadcast FM signal live at 434 MHz.