This document discusses the use of pagers in various sectors and the potential security issues with pager communications. It begins with an introduction to pager protocols like POCSAG and FLEX. It then analyzes sniffed pager data from the healthcare, industrial, and public sectors. It finds instances of protected health information, prescription data, and facility alarm messages. The document warns that spoofing pages could allow impersonating users or moving patients without consent. It concludes pager communications may need encryption to prevent privacy leaks and potential spoofing attacks.
4. Legal Disclaimer
It might be illegal to
• Sniff and store the data
• Sniff but not store the data
• Decrypt
Hint: NSA works with metadata.
It IS illegal to Spoof.
5. Huh? It’s already 2016
• To avoid interference
• Places with weak cellular signal
• Physical security standard for SCIFs
(Sensitive Compartmented Information Facilities)
PHS J-88
6. In Germany as well
POCSAG1200: Address: 189xxxx Function: 3
Alpha: 5:p now! Erectile dysfunction is not a thing to
discuss with Tom, Dick, and Har
CityRuf in Germany. Picture from https://de.wikipedia.org/wiki/E*Cityruf
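Worked example, added by the editor and not taken from the talk: how the "Address ... Function ... Alpha ..." fields that multimon-ng prints above are packed into POCSAG's 32-bit codewords (21 data bits, 10 BCH(31,21) check bits, one even-parity bit), with a round-trip encode/decode and correction of up to two flipped bits, which is what you need on a noisy sniffed capture. The capcode and message text are constructed, not the redacted 189xxxx page on the slide; preamble, sync word and batch framing are left out.

```python
"""POCSAG codeword encoder/decoder: what "Address: ... Function: 3 Alpha: ..." is built from."""

BCH_POLY = 0x769            # generator x^10 + x^9 + x^8 + x^6 + x^5 + x^3 + 1 of the BCH(31,21) code
IDLE_CODEWORD = 0x7A89C197  # standard POCSAG idle word (address 2007664, function 0)


def bch_remainder(word31):
    """Polynomial remainder of a 31-bit word modulo BCH_POLY; 0 means no detected error."""
    reg = word31
    for i in range(30, 9, -1):
        if reg >> i & 1:
            reg ^= BCH_POLY << (i - 10)
    return reg & 0x3FF


def make_codeword(data21):
    """21 data bits + 10 BCH check bits + 1 even-parity bit -> 32-bit codeword."""
    word31 = (data21 << 10) | bch_remainder(data21 << 10)
    parity = bin(word31).count("1") & 1
    return (word31 << 1) | parity


def address_codeword(capcode, function):
    """Flag bit 0, then the upper 18 capcode bits and the 2 function bits.
    The low 3 capcode bits are not transmitted: they select the frame (0-7) within a batch."""
    return make_codeword(((capcode >> 3) << 2) | (function & 3))


def alpha_codewords(text):
    """Flag bit 1, then 20 bits of 7-bit ASCII per word, each character sent LSB first; zero padded."""
    bits = []
    for ch in text:
        bits.extend((ord(ch) >> k) & 1 for k in range(7))
    bits += [0] * (-len(bits) % 20)
    words = []
    for i in range(0, len(bits), 20):
        data = 0
        for b in bits[i:i + 20]:
            data = (data << 1) | b
        words.append(make_codeword((1 << 20) | data))
    return words


def encode_page(capcode, function, text):
    """Address word followed by message words (preamble, sync word and idle fill omitted)."""
    return [address_codeword(capcode, function)] + alpha_codewords(text)


def check_codeword(cw):
    """Return cw if BCH and parity check out, else the codeword within 2 bit flips, else None."""
    def valid(w):
        return bch_remainder(w >> 1) == 0 and bin(w).count("1") % 2 == 0
    if valid(cw):
        return cw
    masks = [1 << i for i in range(32)]
    masks += [(1 << i) | (1 << j) for i in range(32) for j in range(i + 1, 32)]
    for mask in masks:
        if valid(cw ^ mask):
            return cw ^ mask
    return None


def decode_page(codewords, frame):
    """Inverse of encode_page; 'frame' is the batch slot the address word was received in."""
    words = [check_codeword(cw) for cw in codewords]
    if None in words:
        raise ValueError("uncorrectable codeword")
    addr = words[0]
    if addr >> 31:
        raise ValueError("first word is not an address codeword")
    capcode = (((addr >> 13) & 0x3FFFF) << 3) | (frame & 7)
    function = (addr >> 11) & 3
    bits = []
    for w in words[1:]:
        if w == IDLE_CODEWORD or not w >> 31:
            break                                   # idle word or next address: message ends
        bits.extend((w >> k) & 1 for k in range(30, 10, -1))
    chars = [chr(sum(b << k for k, b in enumerate(bits[i:i + 7])))
             for i in range(0, len(bits) - 6, 7)]
    return capcode, function, "".join(chars).rstrip("\x00")


if __name__ == "__main__":
    # Constructed page: the capcode is made up, not the redacted one from the slide.
    cap, fn, text = 1234567, 3, "RM 412 BED 2 STAT"
    words = encode_page(cap, fn, text)
    print([f"{w:08X}" for w in words])
    print(decode_page(words, cap & 7))
```

The idle word 0x7A89C197 doubles as a self-check: address_codeword(2007664, 0) must reproduce it bit for bit. Because the extended code has minimum distance 6, any one- or two-bit error maps back to exactly one codeword, so the brute-force search in check_codeword is unambiguous; a three-bit error is reported as uncorrectable rather than guessed.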
9. History of Pagers
• Launched in the 1950s in hospitals in NYC
– $12 a month for 25 miles of coverage
• 1962 Bell System: radio paging system at the Seattle World’s Fair
• 2001 Motorola stopped making new pagers.
• Multiple protocols in use
– POCSAG
– FLEX
– ReFlex, Golay, Inmarsat, Iridium, etc.
Source: Wikipedia
10. Pagers Once a Symbol of Cool
In TAIWAN
520 = I love you
530 = I miss you
000 = Kisses
881 = Bye
7788250 = you f* moron
744 = Go to hell
In USA
143 = I love you
607 = I miss you
406 = Hugs and kisses
911 = Call me now
601 = Happy B-Day
1134209 = Go to hell
12. Protocol - FLEX
• By Motorola
• 1600, 3200 or 6400 bps
• Bandwidth 5 kHz, 2-level FSK or 4-level FSK
• Time-synchronized: the pager wakes only for its assigned frame instead of always listening for a preamble, to save battery
• 128 frames in a 4-minute cycle, 15 cycles per hour
13. Frequencies
• Primary focused areas for our research
Country | Frequency (MHz) | Protocol
USA | 928.964, 929.015, 929.359, 929.562, 929.585, 929.612, 929.630, 929.663, 929.683, 929.785, 929.887, 930.263, 930.762, 930.788, 931.012, 931.038, 931.063, 931.113, 931.463 | FLEX
Canada | 929.212, 931.612 | FLEX
Japan | 282.0125, 283.0850, 283.7625, 283.8625 | POCSAG
14. Setup to Sniff Pages
• POCSAG and FLEX
• Both can be received with a DVB-T (RTL-SDR) dongle
• ~$20 at Hak5, Amazon, etc.
22. Nurse/Workflow Management
• Self-scheduling and schedule at discharge
• 911 transfer preparation before the patient’s arrival
• Reduced wait time
• Improved efficiency in admission, discharge, transfer, and housekeeping
• Personalized information, so hospital workers only receive relevant messages
• Reduced cost while increasing patients’ satisfaction
26. PHI - Protected Health Information
Category | Count | Share
Email | 805,609 | 28%
Medical terms | 647,745 | 23%
English names | 510,313 | 18%
Syndromes / Diagnosis | 399,862 | 14%
Medicine on FDA drug list | 164,117 | 6%
Phone numbers | 124,949 | 4%
Date of birth, age, gender | 110,708 | 4%
Medical reference number | 90,124 | 3%
URL | 6,371 | 0%
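An added example, written by the editor and not the program the speakers wrote, that parses multimon-ng output lines and tallies the PHI categories of the table above, deduplicating repeated pages (the speaker notes say the same page is often sent several times, which biases raw counts). The POCSAG line format is the one printed on the CityRuf slide; the FLEX line format, the sample lines, and the three word lists are constructed stand-ins for multimon-ng's FLEX output, for real captures, and for the medical-term, FDA-drug and English-name lists the talk used.

```python
"""Parse multimon-ng pager output and tally the PHI categories from the slide."""
import re
from collections import Counter

# POCSAG line shape as printed by multimon-ng (same as the sample on the CityRuf slide).
POCSAG_RE = re.compile(
    r"^POCSAG(?P<baud>\d+): Address:\s*(?P<capcode>\d+)\s+Function:\s*(?P<func>\d)"
    r"\s+(?:Alpha|Numeric):\s*(?P<text>.*)$"
)
# FLEX line shape: an assumption about multimon-ng's "[capcode] ALN text" output, not shown on the slides.
FLEX_RE = re.compile(r"^FLEX:.*?\[(?P<capcode>\d+)\]\s+(?:ALN|NUM|GPN)\s+(?P<text>.*)$")

# Constructed stand-ins for the word lists the talk used.
MEDICAL_TERMS = {"sepsis", "hemorrhage", "anemia", "cellulitis", "angina"}
DRUGS = {"heparin", "insulin", "morphine", "vancomycin"}
NAMES = {"alice", "aaron", "bruce", "carol"}

PATTERNS = {
    "Email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "URL": re.compile(r"https?://\S+"),
    # NANP-style number with separators, or a bare 10-digit numeric page.
    "Phone numbers": re.compile(r"(?<!\d)(?:\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}|\d{10})(?!\d)"),
    "Medical reference number": re.compile(r"\bMRN\s*[:#]?\s*\d{5,}", re.I),
    "Date of birth, age, gender": re.compile(
        r"\bDOB\b|\b\d{1,3}\s?(?:yo|y/o|yrs?)\b|\b\d{1,3}\s?[MF]\b", re.I),
}
WORDLISTS = {
    "Medical terms": MEDICAL_TERMS,
    "Medicine on FDA drug list": DRUGS,
    "English names": NAMES,
}

# Constructed capture: the second line is a retransmission of the first.
SAMPLE_LINES = """\
POCSAG1200: Address: 1234567 Function: 3 Alpha: RM 412 J.DOE 45M MRN 00123456 SEPSIS START VANCOMYCIN CALL (505) 555-0100
POCSAG1200: Address: 1234567 Function: 3 Alpha: RM 412 J.DOE 45M MRN 00123456 SEPSIS START VANCOMYCIN CALL (505) 555-0100
POCSAG1200: Address: 7654321 Function: 0 Numeric: 5055550199
FLEX: 2016-03-10 14:17:07 1600/2/K 12.103 [001122334] ALN From: webctrl@example.com Subject: AHU-1 High Space Particle Count
FLEX: 2016-03-10 14:17:09 1600/2/K 12.104 [001122335] ALN Alice DOB 01/02/1970 anemia w/u see http://intranet.example/chart
""".splitlines()


def parse_line(line):
    """Return (protocol, capcode, text) for a multimon-ng line, or None for anything else."""
    m = POCSAG_RE.match(line)
    if m:
        return "POCSAG" + m["baud"], int(m["capcode"]), m["text"].strip()
    m = FLEX_RE.match(line)
    if m:
        return "FLEX", int(m["capcode"]), m["text"].strip()
    return None


def classify(text):
    """Set of PHI categories found in one page body."""
    found = {name for name, rx in PATTERNS.items() if rx.search(text)}
    words = set(re.findall(r"[a-z]+", text.lower()))
    found |= {name for name, wl in WORDLISTS.items() if words & wl}
    return found


def tally(lines):
    """Dedupe repeated pages on (capcode, text), then count categories. Returns (unique pages, Counter)."""
    seen, counts = set(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[1:] in seen:
            continue
        seen.add(rec[1:])
        counts.update(classify(rec[2]))
    return len(seen), counts


if __name__ == "__main__":
    unique, counts = tally(SAMPLE_LINES)
    print(unique, "unique pages")
    for name, n in counts.most_common():
        print(f"{name:<28} {n}")
```

In practice the input would be standard input fed by `rtl_fm -f 929.612M -s 22050 - | multimon-ng -t raw -a POCSAG1200 -a FLEX -` (the frequency is one from the table above). The regexes are deliberately loose, so counts overstate rather than miss; for the talk's numbers the useful point is the dedup key, since without it every retransmitted page inflates its categories.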
35. Using SMS to Pager Gateway
• CallXPress: speech-to-text summary
• SPOK: formerly USA Mobility
• Caller ID: look it up in the yellow pages
• Callee: capcode
36. Using Email to Pager Gateway (1)
• WhosCalling: email for missed calls
• WebCTRL®: BAS (building automation system) from Automated Logic
Subject: WebCTRL CHW System Alarm (CRMF Chiller BACnet) – [DATETIME]: CRMF Chiller BACnet - Chiller 18 Bacnet communication is offline. (CH18_COMM)
• METASYS®: BAS from Johnson Controls
MSHAADX25-001:FWNAE-02/FC-2.AHU-12.SF-S Item Category FWCH-HVAC
» FQR: fully qualified references
37. Using Email to Pager Gateway (2)
• Easy to identify the location of events
39. IT Industry (2) - Passcodes
• The system may be deployed in sensitive sectors
40. Security Industry
• CVE-2016-0068 Microsoft® Internet Explorer® Elevation of Privilege Vulnerability
• CVE-2016-0936 Adobe® Acrobat® Memory Corruption Vulnerability
• CVE-2016-0938 Adobe Reader® and Acrobat Memory Corruption Vulnerability
• CVE-2014-1791 Microsoft Internet Explorer Memory Corruption Vulnerability
• CVE-2016-0007 Microsoft Windows Mount Point Privilege Escalation Vulnerability
• CVE-2014-6366 Internet Explorer Memory Corruption Vulnerability
• CVE-2014-0526 Adobe PDF Reader Encoding DCT Vulnerability
• CVE-2015-1666 Internet Explorer CMetaElement code execution
• CVE-2016-0966 Adobe Flash® Player Memory Corruption Vulnerability
• CVE-2016-0091 Windows OLE Memory Remote Code Execution Vulnerability
• CVE-2016-0098 Apache Server Multiple Vulnerabilities
• Apache mod_cgi Bash Environment Variable Code Injection
• Mozilla Firefox nsFrameManager Remote Code Execution Vulnerability
41. Power Plants
From [NAME AND COMPANY REDACTED].com Sub:[PLACE REDACTED]
Critical Path Update Msg:During U2 Turbine Roll, a steam leak was identified
on the *-****-*** valve (SV1 Vent Isolation Valve). Steam leak cannot be
isolated ...
From: [EMAIL REDACTED]- Due to storm, we lost the steam plant
momentarily, there are downed trees and lines are down. Generators are
running for bldgs. that lost power.
I [PHONE NUMBER REDACTED] Local IA [COMPANY NAME REDACTED]
ENVIRONMENTAL [LOCATION REDACTED]/IA [DATETIME] AC POWER
FAIL DUE TO SYSTEMS UPGRADE. SITE ON BATTERIES. PLANT
VOLTAGE 48.18V
42. Chemical Companies (1)
VA0095 - ***** A61 (8D05F,1) 6SDA0 00410668 00410670 0045D39A
0044D50C [.S/W] SN:546793 ST:ER LC:1 03/10/16 14:17:07 [15]
VA0095 - ***** A61 (8D05F,1) 8SDXX stack dump ends [.S/W] SN:546917
ST:ER LC:1 03/10/16 14:17:07 [79]
MAKE UP AIR UNIT 1 HI ALARM *****/MUA1/DATEMP Crit1 10.07 Deg C
RTC CLEANROOM ALARM *****/CLEAN-RM/FL-LWLVL Crit1
43. Chemical Companies (2)
F***_***FAB1-02, Measuring Bath Level Sensor Trouble
F***_***FAB1-02, Mixing Tank B Mixing Fail
FAB1_***HOD-01, Drum A Empty
FAB1_***HOD-01, Unit Door Open (Drum Zone
FAB1_***BAD-01, Day Tank Level Low Alarm
FAB1_***BAD-01, Distribution Outlet Pressure High - PT-30
FAB1_F1-********-***-***, Unit End Point Pressure High
***-Monitoring-***relay: [DATETIME] (RTN) FAB2 Acid Scrubber 1E PH has exceeded
Low Warning Alarm. [ AT_******_AVG (5.128) < 7.25 for 60 sec ] <TopView is licensed
to [COMPANY] - System 1>
TopView® is an alarm management and alarm notification system developed by Exele Information Systems.
44. HVAC
From: WebCTRL@***.com Subject: **** AHU-1 (High Bay) - High Space Particle Count (Level 2): Alarm – [DATETIME]: The space Particle Count is too high: West: 72 cnts/SCF / East: 15253 cnts/SCF (!PC_HI2)
From: tridium@***.com Subject: Alarm From **_Boiler_2_Supply_Temp - State: Normal
From:MetasysNotification@***.org Subj:Bacnet Alarm [DATETIME] SEWAGE-HIGH-WATER-A Fault 70.Value Normal .Item Description Sewage Ejection Pump High Alarm
49. Recon
• Alice (505*******), mostly called by Rose (505*******)
• Aaron (505*******), mostly called by unknown (505*******)
• Bruce (--), mostly called Nancy (505*******)
• Charles (--), whose mother is Elizabeth (505*******)
• Charles (--), whose wife is Jenny (505*******)
• David (--), whose wife is Carol (505*******)
• Fred (--), whose wife or girlfriend is Kate (505*******)
55. Attacks
• Healthcare
– Sending spoofed pages to the pharmacy for medication
– Moving patients within facilities
– Declaring an emergency inside facilities
– Intercepting calls from the attending doctors
• Public Sector
– Social engineering
– Impersonating a contractor
– Reconnaissance of sensitive sites
56. Conclusions
• Stop using pagers OR encrypt everything
• Don’t leak personal information if pagers are absolutely required
• Small leaks add up: many small messages build one big database, and big harm
60. SCIF
Physical Security Standards for SCIFs,
part of Director of National Intelligence’s (DNI) intelligence
community policy memorandum
https://fas.org/irp/dni/icpm/2005-700-1-att1.pdf
Editor's Notes
i.e. someone shits
GREAT AGAIN!
Gateways
More data, less protocol
US / Canada, also worldwide
License or not. Bastian Bloessl
Sniff clear text data
Consult a lawyer.
devices without recording or transmission capabilities
Wikipedia: still being used in Germany
Spam in English
Systemic impact in ...
Public sector = government
Not until Early ’90s, pagers are hot
Schneider talked about Iridium
Numeric expressions
G’ old time!
Frame Synchronization Code
Frequency-shift keying
So we use GNU Radio and multimon-ng (thanks to authors + contributors)
Don’t want to build from scratch
Taiwan 165-166 and 280 MHz. Stopped in 2011/E.
Belt, PH, not used in hospital anymore.
Also, cooler setup
SDR
Fancy setup HackRF One + Ettus Log periodic LP410 (400MHz to 1GHz)
Ettus B210
BladeRF antenna
Clayton Smith
Waterfall, click, see what’s in channel
Based on the freqs, modify Python script.
Duplicated, reflexing, group call
Integrated into workflow
Make appointment
Clean bed, wheelchair, medication
ED – reduce wait
capcode
CPC = Chest Pain Center // angina=CP
Clinical Workflow Solutions provided by Hill-Rom®, including Nurse Call, Bed Connectivity, SmartConnect Integrations, Wireless Handsets, etc.
Curaspan is a company of workflow automation
EpicSys is written by epic.com, coordinating healthcare organizations and stores patients’ electronic records.
We saw email-pager gateway, bed status and medical orders.
Market share? (kidding)
Unable to identify vendor = email relay
HIPAA violations, a lot
Health Insurance Portability and Accountability Act of 1996
Wrote program to calculate
List of medical terms
Data are biased. Msg sent multiple times
Phleb = vein
Sepsis, hemorrhage (cerebral hemorrhage), anemia, cellulitis
Tryptophan Hydroxylase
MRN + room + name + age + gender + phone? + DX + medication