Hey everyone, welcome to my talk, Pandemic in Plain Text. My name is Troy, aka waveguide on Twitter. I'm an RF engineer in the aerospace industry. I was formerly a security engineer in the access control and lock industry for a number of years. I also host the channel over at hackerwarehouse.tv. And I just wanted to give a special thanks to IoT Village and to DEF CON Safe Mode for hosting this talk, and to my friend Voxel for this really cool setup and background. So let's get started: Pandemic in Plain Text.

All right, the purpose of this talk, and I want to be really clear, is to stop the use of insecure communications at hospitals by shining light on the use of insecure wireless communications that are accidentally leaking your health data and violating your privacy laws. I'm not here to bash hospitals. I'm not here to bash the medical industry. I just want to bring to light that there is this leak happening, and it's been happening for 20 years, and right now, in the middle of this pandemic, I think it's really important that we pay attention to this and that we fix this problem. And just to note that none of your health care providers are really doing this intentionally. This appears to be accidental, that they're leaking your information and they just don't know it. And if you don't want to watch the rest of this talk, the TL;DR is: hey, your COVID test results are being literally broadcast from mountains.

Yeah, so the story behind this is, if you go back to November or December, a lot of us were looking at Twitter and watching this pandemic come across China, and we were really asking ourselves these questions, like: is this real? Is it gonna come over here? Then it kind of came across the ocean, and we got to ask these questions about, you know, do we have enough beds and PPE, and any cries for help, and are there gonna be shortages?
And I just started having all these questions, and I really was looking for data on this stuff. And like most of the people, it's kind of hard to sift through all the incoming data that we get through the news, and I just really wanted the hard data. And, you know, I wanted to know: is it affecting my community? And if I could see the data, then I would be able to answer these questions. And I remembered that I think I knew an answer to these questions using RF and wireless, and that was through something called POCSAG, which is pagers. I remember a couple of years ago we did a talk on Hacker Warehouse TV, not really a talk, but we did a show about how to decode pager messages that are freely being broadcast in the air, and when we did that we saw a lot of things that were medical related. And I thought, well, maybe it's a good time to revisit that and see what we can find, and see if any of these questions could be answered with data over the POCSAG network.

All right, well, just a little legal disclaimer for this talk. I'm not a lawyer, but I think the following is true. Possessing a software-defined radio: yeah, that's totally legal. Ham radio operators do that across the globe. Receiving 900 megahertz signals on those SDRs: yeah, of course, that's legal. Listening to audio on those signals, just like voice or tones: yep, nothing special there. Decoding the audio of those signals: well, that depends. Are they encrypted in this particular case, for this talk?
No, not even a little bit. This is all plain text tones and we're just decoding them. That is legal. Decrypting secure messages or anything that's encrypted, that is not legal, and in this particular case nothing was decrypted. Distributing or sharing patient information: obviously that is not legal. Don't distribute any personal information or any sensitive information that you may receive over these plain text broadcasts. But for the hospitals that are broadcasting the patient information from a mountaintop antenna, apparently that's perfectly legal. I don't know, maybe that's just a HIPAA violation. Again, I'm not a lawyer, but let's continue.

All right, is this a new vulnerability? The answer, unfortunately, is no. I'm not, unfortunately, dropping zero days here. This has been around for quite some time. I think it was DEF CON 5 this was brought up. Back in 2016 there was also the Holypager artwork, I believe it was in Chicago, where it would intercept all POCSAG pager messages and it would forward them randomly to one of three pagers on display, and then it would print out a continuous roll of receipt paper, making a big pile of personal information that they automatically redacted. So that was pretty cool. Then back in 2018 this was brought up again. It was kind of localized to five or six hospitals. Did some digging into that case, and it seemed that the response was that intercepting or decoding these tones was a sophisticated attack. And I think you'll see at the end of this talk that that is not the case at all.

All right, where to begin. In order to do this you have to get some gear, and back in 1997,
I would have agreed that it's a sophisticated attack. But not today. Back then you'd have to get a scanner. You'd have to modify it with something from L0pht Heavy Industries, like this POCSAG decoder from back in the day. I think that thing was 60 bucks. Then you would go over to this Dr. Who's Radiophone site, which I used to frequent quite often when I was a teenager, and then you would have to stuff all that back into the scanner, and then you could decode these tones. And so yes, back in 1997, that was a sophisticated attack. However, in 2020 you just have to buy a $20 SDR, and you can get those from Hacker Warehouse and get them off Amazon, off eBay. It's really just too easy now. You really just plug in the SDR, download some software, and then you tune to the signal. It's almost as easy as getting in your car and tuning in a frequency on your radio. You pick one of these frequencies here. These have been around for 20 years. The pager networks really haven't changed. And you tune into them and you're gonna hear some tones.

Now, the frequency used for this talk was 929.596. I localized the signal. It's coming from Santiago Peak, the antenna farm up there, and it has a lot of coverage. I was picking up hospitals from about a 70 mile radius, so a lot of stuff from Riverside, Pomona, down San Diego area, Irvine, not so much from LA County. But everything you see there in the circle was definitely within range of this tower. And the way the towers work is they relay off of one another. So a lot of times, if you're not close to this tower, you'll be close to another tower, and you can find a signal that way. These signals are very strong. When you plug in the software and you tune to a station, they are the strongest stations around.

Okay, so as far as the signal goes, it sounds a little something like this. [audio plays] But it sounds kind of like an old modem tone, right?
So that's what you're listening for. So when you tune to that 929 frequency, you're gonna hear a whole lot of that.

Okay, so the audio tone you just heard basically is a little more advanced than, like, DTMF tones on a keypad. So, like, whenever you press one on your telephone, you get a combination of this 1209 hertz and this 697 hertz, and that's how the system knows that's a one. Similarly, frequency shift keying: whenever you lock on to that 929 megahertz signal, those audio shifts you hear are creating ones and zeros in the bit stream. And that's kind of, in a nutshell, how FSK works. Remember, I'm watering this down for kind of all audiences, but the point is the tones will create the frequency shift keying, which then creates data, and a Windows program like PDW will decode that data and it'll just put it across your screen like this. And so this is actually what you just heard, decoded. It's the standard DEF CON "drink all the booze, hack all the things" mantra. So that's how this works. It's really not encrypted. It's all plain text. It's just a little bit more advanced than DTMF tones on a telephone, and you'll tune into the tones and you get the data on your screen. It's really that simple.

So now that you know how it works and how to decode a Dual Core song, let's shift back to kind of the hospital research. So I did a little digging here. There was this research about use of technology for patient care related communications. The gist of that paper was that 80 percent of hospitals still use pagers, and in that paper they actually believe that pagers are more secure than cell phones. And you can check out this link and read more about that, but the quote that stood out to me was this one: they send only numeric messages or basic text messages, says doctor so-and-so. This way no confidential information can get in the wrong hands.
That could happen with the cell phone. And I think that is the heart of this problem: pagers are actually thought of as a very good tool and a secure tool to use in hospitals, when in fact they're not. So if we kind of know that, then it kind of makes sense why all the HIPAA compliance is getting put into the network and securing the network within the hospital, and the pager usage is not really thought of as an open door. It's thought of as more secure than that network. And what I found was that the pager usage actually isn't. So if we go back to that quote of "they send only numeric messages, basic text messages, and no confidential information can get in the wrong hands", it's actually quite different.

So here we go. This is a basic pager message from a hospital. It's leaking your personal information, and it even includes COVID results. This is one dissected, so I'll walk through this. You have the pager number, followed by the message time it was sent, the message date, FLEX-A, which is a type of POCSAG related protocol, ALPHA, which kind of defines the type of FLEX. There's different types. It includes this automated system name, which I'll touch on in a bit. It has the hospital name. It then goes into a requested, which this is a bed request. Last name, first name, age, gender, isolation protocol, that kind of tells the PPE. There's droplet, which is like a face mask. Sometimes it says full PPE, sometimes it says face, different things there. The origin unit: sometimes it says doctor's name, sometimes it says a unit. In this case it was the emergency department, or usually that's emergency something. Sometimes it's a full doctor's name. And then in the comments right there, it says COVID positive and/or COVID negative. So that is a basic pager message that is not supposed to have any of your personal information in it. Because of COVID they have gotten quite bloated with personal information.
It didn't used to be this big, and that is the point of this discussion: this is what a simple text message looks like now, and it has too much personal information in it, and it has a lot of privacy violations in it as well.

So once I saw that, I mean, what did I do? I decided just to let that decoder run. So I ran it for 52 days, mid-March through August 1st 2020, looking at COVID related results. They would come across the screen. It resulted in 52 files, only 28 megabytes worth of data. And remember what I was looking for in the beginning. I was trying to figure out: hey, is this pandemic real? I didn't know anybody that had it. I didn't know if it was in our hospitals. So I really just wanted to trust the data and see for myself. Was really concerned about this whole "do we have enough beds, PPE, and shortages". Wondered if there was data that would support that or give me a number. Wanted to know if it's affecting my community, and I wanted to know: is anybody out there doing this right and sending these messages securely? And so I got answers to all of these, really.

This is what a basic pager text message looks like, and here's some of the information we got. So, hospital bed requests. They include COVID results. You can see over here: COVID positive, COVID positive. They came from a couple different systems. This one came from an XT system. This one over here is this RTM system at now. So you can see here I've redacted all the information, so I'm not distributing personal information here. This is a generic Patricia. She's an 84 year old female. She has COVID positive. And this one is a 45 year old male, Lazaro. He has been diagnosed with COVID-19. Additional comments they even put in here. This is what is known, COVID is known as, is acute hypoxic respiratory failure.
You see this pretty readily come across the stream. You see in this fire runs, which I give you a little more data on things that are happening then and now outside the hospital. This particular instance, someone was brought in because they smoked weed and drank some shots, but they asked them about COVID and they were negative on the COVID questions. So that comes across the stream. You get a lot of nurse to doctor communications going on over the pagers. You got ICU admissions. You can find out details there. They're broadcasting: this person was intubated on three pressors. They even have questions on, they want to discuss options with hydroxychloroquine and ribavirin. And then they have phone numbers there, right there. There's a lot of questions going back and forth. And you also see these nurse to doctor communications regarding ventilator data. So basically everything they talk about on the news is being broadcast through these pager messages in plain text. There's a lot of this coming across the stream.

Over 52 days, there were 17,286 tones decoded that turned into these types of text messages. Of those, 1,852 were bed requests with that HIPAA information included that should not have been there. There were 2,077 diagnoses. Of those diagnoses, 1,219 were COVID related. That includes negatives and positives or even questions, COVID questions. I just put these on here for comparison. There were only 78 fracture related, surprisingly only 67 cancer related, and 300 chest pain. So you see an uptick in chest pains with COVID, and so that was one of the filters also in the data. Average age of patients with the virus was about 72 within that tower. But like I said, there's towers across the United States, everywhere, that are broadcasting this, so it'll vary from place to place. Also, I did get an answer to that final question.
Is anyone doing it secure? And I found that a few, I think it was 11 percent of the messages, actually were sent securely.

Obviously, there's a lot of attack vectors with this kind of information, from embarrassment to identity theft to billing scams, disrupting supply chains, misrouting patients. That would be if you were spoofing communications. We are not doing that here. We're just receiving these things out of the thin air. But there's a lot of, like, drug interaction text messages where it says, "Hey, should they take this? Text me yes or no." And that seems dangerous, especially over unencrypted communications, which leads just to life safety in general, and that's why this practice of using pagers in hospitals just really needs to stop.

So how does this happen? It appears that no one's doing this intentionally. It's part of a system. That XT system: there's a lot of these different patient management systems that hospitals use. This one looked like it came from TeleTracking XT, which they talk about IVRs, which are systems that help hospitals manage patients, and even in here, in the TeleTracking website, they talk about, you know, details are sent to the employee's pager. Keep in mind, that's not their fault. This is just their software. You can implement these pager communication systems properly with encryption, like we saw back here. See, this one was secure. But it's really up to the hospital and their service providers. It may not even be the hospital's fault. They may
contract it out to a telecommunication service provider, and they're just using the wrong type of pager network rather than the secure one. So I also found out that these systems are tracking this exact same data and they're providing it back to the hospital, kind of on an enterprise level. So the heart of the data is the pager data, and then you can create these dashboards. And so they're actually doing what I was trying to do, but they're doing it within the hospital, and you can see it's very valuable information for the hospitals. But it just needs to stay within the hospital, right?

So what answers did I get? Yes, this is real. It's happening. I saw EMS run confirmations. The symptoms match. We can see most bed requests. Seemed like bed levels were okay. Didn't see a lot of messages where people were worried about that, but that was just my area. I'm sure that's a problem other places. I was able to see in my community that the older population was more affected. And I also was able to answer the question of: is there a lot of security here? And it was not. Only 11 percent of the messages were actually secured and encrypted, and in no way did I try to decrypt them at all. That would have just been too hard when you have thousands and thousands of them that are not encrypted.

So where do we go from here? Healthcare providers need to do this stuff. And I've been in the industry, so these are the questions that some of these roles need to ask. I won't go through all these, but: CIO, he needs to allocate budget. IT needs to ask some questions. Auditors, start auditing these pager networks, please. Lawyers, start asking questions. Reporters, spread this information in this talk so we can have these conversations about healthcare system. And patients, you can ask your providers about their pager system security if you see your doctor wearing one. Hospitals just need to listen to the security community.
Please don't say this is a sophisticated attack, because it's not at all. It's super easy. We just need to upgrade the security in these systems. And for the healthcare providers, they just need to keep up the good fight, let IT deal with this, and keep doing what you're doing, because we're all thankful for everything that you do.

All right. Thank you. I think my time is up. Thanks again, everybody, for listening. If you want to hit me up on Twitter, you can reach me at waveguide. That's at w-a-v-e-g-y-d. And we're on the Discord link right here. I'll be doing Q&A right now. So talk to you soon, and hopefully see you next year. Thanks.
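
The following is an added example, not part of the talk and not any vendor's software: a sketch of the check an auditor could run on a hospital's own outbound paging queue, holding messages that carry the identifier classes described above (name, age and gender, clinical status, phone number) when the channel is not encrypted. The message layout, rule patterns, function names and sample queue are assumptions constructed for illustration.

```python
import re

# Identifier classes the talk reports seeing in clear-text pages.
# The patterns and message layout are assumptions made for this example.
PHI_RULES = {
    "patient_name": re.compile(r"\b[A-Z][A-Za-z'-]+,\s?[A-Z][A-Za-z'-]+\b"),
    "age_gender":   re.compile(r"\b\d{1,3}\s?(?:yo|y/o)?\s?[MF]\b"),
    "clinical":     re.compile(r"\b(?:covid(?:-19)?|intubated|respiratory failure)\b", re.I),
    "phone":        re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
}

def phi_hits(body):
    """Return the sorted names of PHI rules that match a message body."""
    return sorted(name for name, rx in PHI_RULES.items() if rx.search(body))

def gate(body, channel_encrypted):
    """Decide what an outbound paging gateway should do with one message.

    Returns (action, hits): 'hold' when PHI would leave in clear text,
    'send' when nothing sensitive is found or the channel is encrypted.
    """
    hits = phi_hits(body)
    if hits and not channel_encrypted:
        return "hold", hits
    return "send", hits

def audit(queue):
    """Summarise a queue of (body, channel_encrypted) tuples."""
    held = [(body, hits) for body, enc in queue
            for action, hits in [gate(body, enc)] if action == "hold"]
    return {"total": len(queue), "held": len(held),
            "by_rule": {r: sum(r in h for _, h in held) for r in PHI_RULES}}

# Constructed sample queue; names and numbers are made up, no real patient data.
SAMPLE_QUEUE = [
    ("BED REQUEST: DOE, JANE 84 F Iso: Droplet From: ED Comments: COVID positive", False),
    ("ICU 4: pt intubated, call back 555-010-0199 re vent settings", False),
    ("Staffing huddle at 1500 in conference room B", False),
    ("BED REQUEST: ROE, RICHARD 45 M Iso: Full PPE From: ED Comments: COVID negative", True),
]

if __name__ == "__main__":
    for body, enc in SAMPLE_QUEUE:
        print(gate(body, enc))
    print(audit(SAMPLE_QUEUE))
```

Regex rules like these only catch the obvious layouts; free-text nurse-to-doctor messages need review by a person or a stricter default of sending everything over the encrypted channel.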