December 2, 2018 in Cybersecurity by Volkor
or - How I 'hacked' a hospital
Danger
This is easily the scariest thing I’ve ever done with my PC.
I haven't said anything here about my little hobby of SDRs, so I'll explain what it is. SDR stands for Software Defined Radio: the tuner hands raw samples to your PC and the demodulation that used to live in hardware is done in software, so one cheap receiver can be pointed at anything in its tuning range. The hobby has been popularised by the RTL-SDR, which lets you listen from around 22 MHz up to 1700 MHz of the radio spectrum (unless you buy a cooler one).
My current SDR is some dodgy Chinese one I got from eBay, with a slightly-better-than-stock antenna from https://www.rtl-sdr.com. These RTL-SDR dongles were never sold as SDRs: they're DVB-T TV tuners for the computer, and the trick is that their raw samples can be pulled straight off the chip and used as a generic signal receiver.
I've been messing around with SDRs for the last year or so, but only really on the WebSDR sites; I only got properly into the physical SDR stuff more recently.
After a while of messing around with aircraft tracking I got fairly bored, since I can't mount my antenna properly (yet), so I checked sigidwiki for any other signals I could find and identify. It turns out my nearby hospital uses unencrypted pagers to communicate with ambulances.
The pagers use a standard called POCSAG (Post Office Code Standardisation Advisory Group), made by the British Post Office, which ran the UK's telephone network at the time. The standard carries numeric and 7-bit ASCII alphanumeric messages over simple FSK at 512, 1200 or 2400 bits per second, and the only "protection" in the protocol is a BCH error-correcting code: there is no encryption and no authentication anywhere, so anyone who can demodulate the bits can read every page. These signals are extremely easy to detect and decode with an SDR setup, and since the hospital is relatively close by, the signal is quite strong.
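To make concrete what "unencrypted" means at the protocol level, here is an added example (my code, not anything from the original post) that builds the codeword stream a pager transmitter would send for a given address, function and text, and decodes it again. The constants are the standard's (sync codeword 0x7CD215D8, idle codeword 0x7A89C197, BCH(31,21) generator 0x769); the zero-bit padding, the RIC and text used, and treating a bad codeword as "skip" rather than attempting correction are this example's own choices.

```python
"""POCSAG alphanumeric pages at the codeword level (added example)."""

SYNC = 0x7CD215D8        # synchronisation codeword that opens every batch
IDLE = 0x7A89C197        # idle codeword that fills unused slots
GEN = 0x769              # BCH(31,21) generator x^10+x^9+x^8+x^6+x^5+x^3+1
SLOTS_PER_BATCH = 16     # 8 frames of 2 codewords each


def bch_remainder(word31: int) -> int:
    """Remainder of a 31-bit word divided by GEN over GF(2) (10 bits)."""
    for i in range(30, 9, -1):
        if word31 & (1 << i):
            word31 ^= GEN << (i - 10)
    return word31 & 0x3FF


def encode_codeword(data21: int) -> int:
    """21 data bits -> 32-bit codeword: data, 10 BCH parity bits, even parity."""
    shifted = data21 << 10
    word31 = shifted | bch_remainder(shifted)
    parity = bin(word31).count("1") & 1
    return (word31 << 1) | parity


def codeword_ok(cw: int) -> bool:
    """BCH remainder zero and even overall parity: no error detected."""
    return bch_remainder(cw >> 1) == 0 and bin(cw).count("1") % 2 == 0


def encode_alpha(ric: int, function: int, text: str) -> list:
    """Return the codeword stream (SYNC + 16 slots per batch) for one page.

    The address codeword goes in frame (ric & 7); only the top 18 bits of the
    21-bit RIC are transmitted, the low 3 are implied by the frame position.
    Characters are 7-bit ASCII sent LSB first, packed 20 bits per codeword.
    """
    cws = [encode_codeword(((ric >> 3) << 2) | (function & 3))]   # flag bit 0 = address
    bits = [(ord(c) >> i) & 1 for c in text for i in range(7)]
    bits += [0] * (-len(bits) % 20)              # zero padding (example convention)
    for k in range(0, len(bits), 20):
        chunk = 0
        for b in bits[k:k + 20]:
            chunk = (chunk << 1) | b
        cws.append(encode_codeword((1 << 20) | chunk))          # flag bit 1 = message
    slots = [IDLE] * ((ric & 7) * 2) + cws
    slots += [IDLE] * (-len(slots) % SLOTS_PER_BATCH)
    stream = []
    for k in range(0, len(slots), SLOTS_PER_BATCH):
        stream += [SYNC] + slots[k:k + SLOTS_PER_BATCH]
    return stream


def _finish(ric: int, function: int, bits: list) -> tuple:
    """Turn the collected message bits back into text, dropping NUL padding."""
    chars = []
    for k in range(0, len(bits) - 6, 7):
        ch = sum(bits[k + i] << i for i in range(7))
        if ch:
            chars.append(chr(ch))
    return ric, function, "".join(chars)


def decode_stream(codewords: list) -> list:
    """Decode a codeword stream into (ric, function, text) tuples.

    A damaged codeword is simply skipped here; a real pager would try to
    correct it with the BCH code. Nothing else stands between the bits and
    the text: no key, no secret.
    """
    pages, current, slot = [], None, 0
    for cw in codewords:
        if cw == SYNC:
            slot = 0                              # new batch; a message may continue across it
            continue
        frame, slot = slot // 2, slot + 1
        if not codeword_ok(cw):
            continue
        if cw == IDLE or not (cw >> 31):          # idle or address codeword ends the previous page
            if current:
                pages.append(_finish(*current))
            current = None
            if cw != IDLE:
                ric = (((cw >> 13) & 0x3FFFF) << 3) | frame
                current = (ric, (cw >> 11) & 3, [])
        elif current:
            data20 = (cw >> 11) & 0xFFFFF
            current[2].extend((data20 >> (19 - i)) & 1 for i in range(20))
    if current:
        pages.append(_finish(*current))
    return pages


if __name__ == "__main__":
    # Constructed sample: the post's fabricated RIC and part of its dispatch text.
    stream = encode_alpha(42069, 0, "REQ0420 DSP421 LOC 69 ACTUALLY ST")
    print(len(stream), "codewords ->", decode_stream(stream))
```

The round trip is the whole point: the "encryption" a hospital would need has to be bolted on above this layer, and POCSAG itself gives you none.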
This is where the 'fun' begins. It turns out the hospital dispatches all ambulances to new locations with these pagers, sent in clear text over a simple-to-decode radio frequency that can be picked up with a $26 radio dongle and antenna.
So, not really understanding what or who was sending these, I checked the weather to make sure I wasn't about to blow up my computer with a stray lightning strike through the antenna, then set the SDR to decode all POCSAG traffic and log it to a file.
I wake up and find (something similar to) this:
POCSAG512: Address: 42069 Function: 0 Alpha: @@E13578357533 SIG2 BGDO3467 REQ0420 DSP421 LOC 69 ACTUALLY ST IMAGINARY SUBURB /DATA-PYRAMID RD //GOES HERE ST FWWA NW 1234 K1 CC: 2E2 - FOOT PAIN:NOT ALERT Prob TOE BUMPED BROKEN Pat: 1 Age:28 Years Gen:M
Honestly, gibberish to me, but having just logged an entire night's worth of broken bones and other fun symptoms, I'm not that dense: I asked a few mates who are doctors.
With their help I was able to break it down into the following; additional information and guesses are in the sub text.
So we've decoded the headers, sort of. The actual message format can differ between services; shown below is the most common one for hospitals and ambulances.
Putting this together, this one report tells us that at (or shortly before) 4:20am, a 28-year-old male at 69 Actually Street, Imaginary Suburb, called an ambulance because of foot pain, with the likely cause a broken toe; the ambulance was dispatched at 4:21am.
That's a lot of information. Like, A LOT of information. I've completely fabricated all the details of this example, and all unknown information is random, but this amount of data in every single page is a massive privacy problem.
During the logging there were around 500 entries, some of them duplicates sent to multiple addresses, over a total collection period of around 20 hours.
Caution
The data in the examples below is real; I've only redacted potentially identifiable information and anything that would land me in trouble for posting.
So, enough of the automated pager calls to ambulances; let's focus on something a little more personal.
These pagers are not only used for talking to ambulances, they are also used for talking between hospital staff. I think this is a nice example.
Additionally, since I was logging multiple frequencies, some of which may be used by the SES (State Emergency Service) or the fire brigade, this may include messages from them.
CRSK - ALL GOOD TO HEAD HOME AFTER YOU GRAB YOUR COFFEE GUYS - THANKS FOR COVERING - MS :)
Whoever MS is, they're happy that someone covered for them. This seems harmless until you realise that these doctors and firies are led to believe their custom system is secure, so they transmit rather more interesting stuff.
MAS: SAFETY - UNIT 2 [NAME REDACTED] CAUTION - PREVIOUS DEALINGS AT THIS ADDRESS INVOLVING A FEMALE KNOWN AS [NAME REDACTED] WHO HAS HISTORY OF VIOLENCE ETC TOWARDS AV AND/OR OTHER RESPONDERS. PLEASE TRY TO ASCERTAIN IF THIS PERSON IS PRESENT OR INVOLVED IN THE AV CALL AND ASCERTAIN IF THERE IS ANY INDICATION OF A CRIME BREACH OF THE PEACE OR ANY THREAT TO AV STAFF WHICH REQUIRES POLICE ATTENDANCE AND THEN UPDATE THE CAD EVENT BEFORE FORWARDING TO POLICE. QRT(Part 1 of 2)
Seems like a respectable person. (AV = Ambulance Victoria)
G'DAY, POLICE ARE ASKING IF THE BIKE CAME FROM THE ROAD INTO THE HOUSE OR IF IT WAS RIDING AROUND THE HOUSE? CHEERS, [REDACTED] .
And for something more in the Christmas spirit! 🎄
ON THE SECCOND DAY OF XMAS THERE WAS ANOTHER CRAZY OPTIMA MOVE, JUMP UP ON AIR ON CH [CHANNEL REDACTED] WITH A HO HO AND PLEASE MOVE TO [LOCATION REDACTED] FOR COVER AND YOUR ECHO IF YOUR IN YOUR WINDOW. HAVE A SAFE DRIVE CHEERS [NAME REDACTED]
This is the one that scares me. An ambulance gets a call to someone's house and can't get access to the property, and suddenly I'm intercepting messages with the locations of people's house keys. Uh oh.
3467 KEY LOC ATTACHED TO LOWER RAIL OF BALLUSTRADE AT FRONT DOOR BEHIND POT PLANT
One that piqued my interest was this message (code changed for stupidly obvious reasons), seemingly a keypad combination. Over the logging period I saw it multiple times, from the same sender, with the code constantly changing.
Asking my mates for help again, we figure it's likely the combination to a locked medicine/chemical storage room in the hospital itself. Yikes.
KEYLOCK LOCATED AT FRONT DOOR CODE 6365
(actual code changed for insanely obvious reasons)
Now, I'm a nice good boy who isn't doing anything with the information I've spent some time logging (well, except writing this post).
But what could someone do who isn’t a good boy? Here’s a quick list of the stuff I thought up in a few minutes.
Thankfully it's illegal to use any of this data for any purpose, though not really illegal to listen in.
Criminals, though, don't have much of a record for following the rules.
The fun part is, they tried to set this up as an encrypted system, as shown in this ABC article.
That was in 2014, and they were never likely to end up with encryption, as our government believes it's more important to spend money elsewhere than on keeping our own private medical data private.
Making a law that says it's illegal to use the data for any purpose isn't good enough when they're effectively shouting everyone's medical details on a crowded train, and then punishing anyone who happens to hear them.
This is the part that scares me to write, but the only way to get anyone to really notice is for more people to see first hand what the hell is happening.
You’ll need:
All you need to do is hook up the SDR to your PC and install gqrx and multimon-ng. Then look up your local POCSAG frequency (check the signal identification wiki page!). Run gqrx, tune to that frequency in Narrow FM mode, and click the 'UDP' button so gqrx streams the demodulated audio (48 kHz, 16-bit signed, mono) to UDP port 7355 on localhost; then run multimon-ng with:
nc -l -u 7355 | sox -t raw -esigned-integer -b16 -r 48000 - -esigned-integer -b16 -r 22050 -t raw - | ./multimon-ng -t raw -a SCOPE -a POCSAG512 -a POCSAG1200 -a POCSAG2400 -f alpha -
The sox stage resamples gqrx's 48 kHz stream down to the 22050 Hz raw input multimon-ng expects, -a SCOPE opens a window with a wave graph of the audio, and -f alpha keeps only alphanumeric pages. When a POCSAG burst arrives it should start decoding and you'll end up with a line in your terminal with what was sent.
This is just a really quick 'guide' showing how I did it on my system, so please do your own research, and definitely make sure you're clear on the legality of doing this in your area; ideally only parse and log signals you're legally allowed to receive. If you get stuck with my poor attempt at a guide, there are YouTube videos and better guides you can follow.
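What goes after multimon-ng in that pipeline, and how the dispatch message earlier in the post breaks into fields, is shown by the following added example (my code, not the post's own tooling): a small Python filter that timestamps each decoded line, writes JSON lines, pulls out the REQ/DSP/LOC/CC/Prob/Pat/Age/Gen fields the way the sample message was read, and collapses a page sent to several addresses into one record. The line shape is taken from the post's sample; the field names, the HHMM reading of REQ/DSP, the second address and the banner line are assumptions constructed for the example.

```python
#!/usr/bin/env python3
"""Timestamp, parse and de-duplicate multimon-ng POCSAG output (added example).

Pipe the decoder's stdout into it:
    ... | multimon-ng -t raw -a POCSAG512 -a POCSAG1200 -a POCSAG2400 -f alpha - \
        | python3 pocsag_log.py pages.jsonl
"""
import json
import re
import sys
from datetime import datetime, timezone

# One decoded line, as in the post's sample: "<mode>: Address: <n> Function: <f> Alpha: <text>"
LINE_RE = re.compile(
    r"^(?P<mode>POCSAG(?:512|1200|2400)):\s+Address:\s+(?P<address>\d+)\s+"
    r"Function:\s+(?P<function>\d)\s+(?P<kind>Alpha|Numeric):\s+(?P<text>.*)$"
)

# Dispatch fields as the post reads them (assumed labels and HHMM times).
FIELD_RES = {
    "requested": re.compile(r"\bREQ(\d{4})\b"),          # time the call came in
    "dispatched": re.compile(r"\bDSP(\d{3,4})\b"),       # time the crew was sent
    "location": re.compile(r"\bLOC\s+(.+?)\s+CC:"),      # everything up to the complaint code
    "chief_complaint": re.compile(r"\bCC:\s*(.+?)\s+Prob\b"),
    "problem": re.compile(r"\bProb\s+(.+?)\s+Pat:"),
    "patients": re.compile(r"\bPat:\s*(\d+)"),
    "age": re.compile(r"\bAge:\s*(\d+)"),
    "gender": re.compile(r"\bGen:\s*([A-Z])"),
}

# Constructed sample input: the post's fabricated message, the same text paged
# to a second (made-up) address, and a decoder banner line that must be ignored.
SAMPLE_TEXT = ("@@E13578357533 SIG2 BGDO3467 REQ0420 DSP421 LOC 69 ACTUALLY ST IMAGINARY "
               "SUBURB /DATA-PYRAMID RD //GOES HERE ST FWWA NW 1234 K1 CC: 2E2 - FOOT PAIN:"
               "NOT ALERT Prob TOE BUMPED BROKEN Pat: 1 Age:28 Years Gen:M")
SAMPLE_LINES = [
    "Enabled demodulators: POCSAG512 POCSAG1200 POCSAG2400",
    f"POCSAG512: Address: 42069 Function: 0 Alpha: {SAMPLE_TEXT}",
    f"POCSAG512: Address: 42070 Function: 0 Alpha: {SAMPLE_TEXT}",
]


def parse_line(line: str):
    """Return a dict for a decoded page, or None for banner/scope/partial lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["address"] = int(rec["address"])
    rec["function"] = int(rec["function"])
    return rec


def hhmm(digits: str) -> str:
    """'421' -> '04:21', '0420' -> '04:20' (assumed HHMM encoding)."""
    digits = digits.zfill(4)
    return f"{digits[:2]}:{digits[2:]}"


def parse_dispatch(text: str) -> dict:
    """Extract the dispatch fields; non-dispatch pages simply yield {}."""
    fields = {}
    for name, rx in FIELD_RES.items():
        m = rx.search(text)
        if m:
            fields[name] = m.group(1).strip()
    for key in ("requested", "dispatched"):
        if key in fields:
            fields[key] = hhmm(fields[key])
    for key in ("patients", "age"):
        if key in fields:
            fields[key] = int(fields[key])
    return fields


def collapse_duplicates(records: list) -> list:
    """Merge identical texts paged to several addresses into one record."""
    merged = {}
    for rec in records:
        key = rec["text"]
        if key in merged:
            merged[key]["addresses"].append(rec["address"])
        else:
            merged[key] = {k: v for k, v in rec.items() if k != "address"}
            merged[key]["addresses"] = [rec["address"]]
    return list(merged.values())


def main(out_path: str) -> None:
    """Read multimon-ng output from stdin, append one JSON object per page."""
    with open(out_path, "a") as out:
        for line in sys.stdin:
            rec = parse_line(line)
            if rec is None:
                continue
            rec["received"] = datetime.now(timezone.utc).isoformat(timespec="seconds")
            rec["dispatch"] = parse_dispatch(rec["text"])
            out.write(json.dumps(rec) + "\n")
            out.flush()


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "pages.jsonl")
```

The received timestamp matters because multimon-ng prints none, and the REQ/DSP values only carry the time of day; the de-duplication step is what turns "around 500 entries" into a count of distinct incidents.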
So… Yeah…
If you find any invalid data, or have any comments, please comment :)