This document discusses the use of pagers in various sectors and the potential security issues with pager communications. It begins with an introduction to pager protocols like POCSAG and FLEX. It then analyzes sniffed pager data from the healthcare, industrial, and public sectors. It finds instances of protected health information, prescription data, and facility alarm messages. The document warns that spoofing pages could allow impersonating users or moving patients without consent. It concludes pager communications may need encryption to prevent privacy leaks and potential spoofing attacks.

1. Code BROWN in the Air
33C3
Philippe Lin @miaoski
Stephen Hilt @sjhilt

2. Code BROWN
Medical lingo spoken by EMS and emergency
room personnel to denote a patient who is
incontinent of feces. (Urban Dictionary)
2

3. Why Pagers?
•Integrated with healthcare workflow
•SMS-to-Pager
•Email-to-Pager
3

4. Legal Disclaimer
It might be illegal to
• Sniff and store the data
• Sniff but not store the data
• Decrypt
Hint: NSA works with metadata.
It IS illegal to Spoof.
4

5. Huh? It’s already 2016
•To avoid interference
•Places with weak cellular signal
•Physical security standard for SCIF
(Sensitive Compartmented Information Facilities)
5
PHS J-88

6. In Germany as well
POCSAG1200: Address: 189xxxx Function: 3
Alpha: 5:p now! Erectile dysfunction is not a thing to
discuss with Tom, Dick, and Har
6
CityRuf in Germany. Picture from https://de.wikipedia.org/wiki/E*Cityruf

7. Agenda
•Introduction to pagers & protocols
•Healthcare sector
•Industrial sector
•Public sector and partners
•Spoof ?
7

8. Introduction
8

9. History of Pagers
•Launched in 1950’s in Hospitals in NYC
–$12 a month for 25 miles of coverage
•1962 Bell System: radio paging system at the
Seattle World’s Fair
•2001 Motorola stopped making new pagers.
•Multiple Protocols in use
–POCSAG
–FLEX
–ReFlex, Golay, Inmarsat, Iridium, etc.
9
Source: Wikipedia

10. 10
Pagers Once a Symbol of Cool
In TAIWAN
520 = I love you
530 = I miss you
000 = Kisses
881 = Bye
7788250 = you f* moron
744 = Go to hell
In USA
143 = I love you
607 = I miss you
406 = Hugs and kisses
911 = Call me now
601 = Happy B-Day
1134209 = Go to hell

11. Protocol - POCSAG
•Post Office Code Standardization Advisory
Group
–512, 1200 and 2400 bps
–Bandwidth 9 kHz, FSK
11
Source: http://www.raveon.com/pd les/AN142(POCSAG).pdf.
32-bit FSC

12. Protocol - FLEX
12
• By Motorola
• 1600, 3200 or 6400 bps
• Bandwidth 5 kHz, FSK or 4FSK
• Time syncs instead of always listening for a preamble
to save battery
• 128 Frames in 4 minute time cycle, 15 cycles per
hour

13. Frequencies
13
•Primary focused areas for our research
Country Frequency (MHz) Protocol
USA
928.964, 929.015, 929.359,
929.562, 929.585, 929.612,
929.630, 929.663, 929.683,
929.785, 929.887, 930.263,
930.762, 930.788, 931.012,
931.038, 931.063, 931.113,
931.463
FLEX
Canada 929.212, 931.612 FLEX
Japan
282.0125, 283.0850,
283.7625, 283.8625
POCSAG

14. Setup to Sniff Pages
•POCSAG and FLEX
•All can be sniffed with a DVB-T Dongle
•~ $20 at Hak5, Amazon, etc.
14

15. Setup to Sniff Pages
15

16. GQRX
•Identify the protocols (GQRX, SDR#)
16
POCSAG
FSK
9 kHz

17. pager_rx.py
•GNU Radio Python script that sniffs FLEX
protocol
•Multiple frequencies at the same time
17
https://github.com/argilo/sdr-examples

18. Breakdown of Data
Data Type Count Percentage
Alphanumeric 18,291,876 34
Tone 8,573,736 16
Numeric 7,715,586 14
SPN* 5,354,497 10
Secured 5,338,516 10
NNM* 4,132,483 8
Unknown 3,044,570 6
Binary 1,868,499 3
18
* We don’t know what they are.
•Research period: Feb – Jun, ‘16

19. Healthcare
19

20. How are Pagers Used
•Nurse/Workflow
Management
•Pharmacy
•General Communications
20

21. Nurse/Workflow Management
• Self-scheduling and schedule at discharge
• 911  Transfer  Preparation before patient’s
arrival
21

22. Nurse/Workflow Management
• Self-scheduling and schedule at discharge
• 911  Transfer  Preparation before patient’s
arrival
• Reduced wait time
• Improved efficiency in admission, discharge,
transfer, and housekeeping
• Personalized information, so hospital workers only
receive relevant messages
• Reduced cost while increasing patients’ satisfaction
22

23. Nurse/Workflow Management
• NaviCare®
• Curaspan™
23

24. Nurse/Workflow Management
• InQuicker
• EpicSys
24

25. Nurse/Workflow Management
25
Email relay 787,008 69%
NaviCare 85,320 7%
McKesson Awarix 77,695 7%
Agility Healthcare
(GE Healthcare)
61,998 5%
MediTech 59,361 5%
EpicSys 31,075 3%
TenetHealth 30,961 3%
SMS 5,800 1%
InQuicker 5,647 0%
Curaspan 1,055 0%

26. PHI - Protected Health Information
26
Email 805,609 28%
Medical terms 647,745 23%
English names 510,313 18%
Syndromes / Diagnosis 399,862 14%
Medicine on FDA drug list 164,117 6%
Phone numbers 124,949 4%
Date of birth, age, gender 110,708 4%
Medical reference number 90,124 3%
URL 6,371 0%

27. Top Medical Terms
27
Phleb 85,079
EKG 35,138
Sepsis 29,430
Xray 20,218
Ortho 12,591
Kidney 11,197
Anemia 10,988
Cellulitis 10,124
Resistivity 9,594
Dyspnea 8,417
Anesthesia 7,752
Atrial 6,767
Hemorrhage 6,529
Troponin 6,262
Nebulizer 6,107

28. Pharmacy
28

29. Top Prescriptions
29
Albuterol (a common bronchodilator) 23,175
Tylenol 6,134
Duoneb (treats COPD and asthma) 5,586
Coumadin (AKA Warfarin) 5,240
Ipratropium 5,020
Zofran (prevents nausea and vomiting) 4,844
Heparin (prolongs blood clotting time) 4,238
Insulin 4,197
Acetaminophen 3,669
Ativan (a benzodiazepine tranquilizer) 3,630
Ondansetron (treats vomiting) 3,545
Lasix (treats uid retention in people with
congestive heart failure, etc.)
3,278
Vancomycin (last-line antibiotics) 3,029
Morphine 2,763
Nikki (treatment of moderate acne vulgaris) 1,554

30. Organ Donors
30

31. Home Care / Death
31

32. CallerID System
32
135 patients’ names, phone numbers, pregnancy statuses, birthdates, as well as
information on illnesses and symptoms.

33. Industrial
33

34. SMS to Pager Gateway
34
callee
Make phonebook

35. Using SMS to Pager Gateway
•CallXPress : Speech-to-text summary
•SPOK : Former USA Mobility
•CallerID  Yellow page
•Callee  Capcode
35

36. Using Email to Pager Gateway (1)
•WhosCalling : Email for missed calls
•WebCTRL®: BAS from Automated Logic
Subject: WebCTRL CHW System Alarm (CRMF Chiller BACnet) – [DATETIME]: CRMF Chiller
BACnet - Chiller 18 Bacnet communication is offline. (CH18_COMM)
•METASYS®: BAS from Johnson Controls
MSHAADX25-001:FWNAE-02/FC-2.AHU-12.SF-S Item Category FWCH-HVAC
» FQR fully qualified references
36

37. Using Email to Pager Gateway (2)
•Easy to identify the location of events
37

38. IT Industry (1)
38
WhatsUp Gold / ARSystem / Nagios / NETBIOS

39. IT Industry (2) - Passcodes
•System may be deployed in sensitive sectors
39

40. Security Industry
• CVE-2016-0068 Microsoft® Internet Explorer® Elevation of Privilege Vulnerability
• CVE-2016-0936 Adobe® Acrobat® Memory Corruption Vulnerability
• CVE-2016-0938 Adobe Reader® and Acrobat Memory Corruption Vulnerability
• CVE-2014-1791 Microsoft Internet Explorer Memory Corruption Vulnerability
• CVE-2016-0007 Microsoft Windows Mount Point Privilege Escalation Vulnerability
• CVE-2014-6366 Internet Explorer Memory Corruption Vulnerability
• CVE-2014-0526 Adobe PDF Reader Encoding DCT Vulnerability
• CVE-2015-1666 Internet Explorer CMetaElement code execution
• CVE-2016-0966 Adobe Flash® Player Memory Corruption Vulnerability
• CVE-2016-0091 Windows OLE Memory Remote Code Execution Vulnerability
• CVE-2016-0098 Apache Server Multiple Vulnerabilities
• Apache mod_cgi Bash Environment Variable Code Injection
• Mozilla Firefox nsFrameManager Remote Code Execution Vulnerability
40

41. Power Plants
From [NAME AND COMPANY REDACTED].com Sub:[PLACE REDACTED]
Critical Path Update Msg:During U2 Turbine Roll, a steam leak was identified
on the *-****-*** valve (SV1 Vent Isolation Valve). Steam leak cannot be
isolated ...
From: [EMAIL REDACTED]- Due to storm, we lost the steam plant
momentarily, there are downed trees and lines are down. Generators are
running for bldgs. that lost power.
I [PHONE NUMBER REDACTED] Local IA [COMPANY NAME REDACTED]
ENVIRONMENTAL [LOCATION REDACTED]/IA [DATETIME] AC POWER
FAIL DUE TO SYSTEMS UPGRADE. SITE ON BATTERIES. PLANT
VOLTAGE 48.18V
41

42. Chemical Companies (1)
VA0095 - ***** A61 (8D05F,1) 6SDA0 00410668 00410670 0045D39A
0044D50C [.S/W] SN:546793 ST:ER LC:1 03/10/16 14:17:07 [15]
VA0095 - ***** A61 (8D05F,1) 8SDXX stack dump ends [.S/W] SN:546917
ST:ER LC:1 03/10/16 14:17:07 [79]
MAKE UP AIR UNIT 1 HI ALARM *****/MUA1/DATEMP Crit1 10.07 Deg C
RTC CLEANROOM ALARM *****/CLEAN-RM/FL-LWLVL Crit1
42

43. Chemical Companies (2)
F***_***FAB1-02, Measuring Bath Level Sensor Trouble
F***_***FAB1-02, Mixing Tank B Mixing Fail
FAB1_***HOD-01, Drum A Empty
FAB1_***HOD-01, Unit Door Open (Drum Zone
FAB1_***BAD-01, Day Tank Level Low Alarm
FAB1_***BAD-01, Distribution Outlet Pressure High - PT-30
FAB1_F1-********-***-***, Unit End Point Pressure High
***-Monitoring-***relay: [DATETIME] (RTN) FAB2 Acid Scrubber 1E PH has exceeded
Low Warning Alarm. [ AT_******_AVG (5.128) < 7.25 for 60 sec ] <TopView is licensed
to [COMPANY] - System 1>
43
TopView® is an alarm management and alarm notification system developed by Exele Information Systems.

44. From: WebCTRL@***.com Subject: **** AHU-1 (High Bay) - High Space Particle Count
(Level 2): Alarm – [DATETIME]: The space Particle Count is too high: West: 72
cnts/SCF / East: 15253 cnts/SCF (!PC_HI2)
From: tridium@***.com Subject: Alarm From **_Boiler_2_Supply_Temp - State: Normal
From:MetasysNotification@***.org Subj:Bacnet Alarm [DATETIME] SEWAGE-HIGH-
WATER-A Fault 70.Value Normal .Item Description Sewage Ejection Pump High Alarm
HVAC
44

45. Public Sector and Partners
45

46. Personal Messages
• In public sectors and partners.
• Contract number, name, phone
46

47. CallerID System
•Make a yellow page
•Recon
» Impersonate the most frequent sender?!
47

48. Voicemail Summary
•Like CallXPress, might be another system
48

49. Recon
• Alice (505*******), mostly called by Rose (505*******)
• Aaron (505*******), mostly called by unknown (505*******)
• Bruce (--), mostly called Nancy (505*******)
• Charles (--), whose mother is Elizabeth (505*******)
• Charles (--), whose wife is Jenny (505*******)
• David (--), whose wife is Carol (505*******)
• Fred (--), whose wife or girlfriend is Kate (505*******)
49

50. Parcels
50

51. Send a Message
51

52. Spoofing
52

53. Spoofing Pages (gr-mixalot)
53
https://github.com/unsynchronized/gr-mixalot

54. Spoofing Pages (gr-mixalot)
54
https://github.com/unsynchronized/gr-mixalot
Multimon-ng

55. Attacks
• Healthcare
– Sending pages to the pharmacy for medication
– Moving patients within facilities
– Declaring an emergency inside facilities
– Intercepting calls from the officiating doctors
• Public Sector
– Social engineering
– Impersonate a contractor
– Recon for sensitive places
55

56. Conclusions
• Stop using pagers OR encrypt everything
• Don’t leak personal information if pagers are
absolutely required
• Small leaks  make database  big harms
56

57. Questions?
• http://www.trendmicro.com/vinfo/us/security/news/
cyber-attacks/leaking-beeps-pagers-leaking-confidential-
information
Search: Leaking Beeps
or
Download the slides at https://goo.gl/SxrU2t
57
@sjhilt @miaoski

58. Backup Slides
58

59. Japan
•Interesting pages
–40104940691637104840
59https://github.com/argilo/sdr-examples

60. SCIF
Physical Security Standards for SCIFs,
part of Director of National Intelligence’s (DNI) intelligence
community policy memorandum
https://fas.org/irp/dni/icpm/2005-700-1-att1.pdf
60