Right. So with that out of the way, it is my pleasure to introduce Philippe, who will be talking about pager systems. Now, many of you undoubtedly are on call in one way or another, but typically we take the easy way out and use apps like PagerDuty or whatever other delivery mechanism. But Philippe is actually going to talk about these things, like actual physical pagers, and the state of security in this ecosystem. So, please give a warm round of applause for Philippe.

Thanks for having me here. Well, it's really fun to have Secure introducing me. And, yeah. So tonight I'm going to talk about Code Brown in the air. So why Code Brown? Code Brown is medical slang used by EMS and emergency room personnel to describe a patient who is incontinent of feces. In simple words, someone shit themselves. Yep.

So, why pagers? It's such an old technique. So why are we talking about pagers here? Because we want to make pagers great again. No. Well, actually, pagers are extensively used in the United States and Canada, in short, North America. And they're used in Germany as well. They're mainly integrated with healthcare systems, the workflow systems. And we have things like SMS-to-pager gateways and email-to-pager gateways that make a systemic and systematic failure possible. And in this talk I would like to say less about the protocol, because I think most of you know things about SDR. This is a CCC conference, so I shouldn't be more technical than you guys, but we can look more at the data.

And there's a legal disclaimer. It might be illegal in some countries to sniff and store the data. For example, the United States: it's okay to listen to the radio and try to decode something, but you cannot store it. So the NSA has thought of a workaround: we just work on the metadata and things are all right. And the second thing is that in some countries you cannot sniff and you cannot store data, which means... I'm not sure what the situation in Germany is right now.
If it's allowed to sniff the radio, maybe, maybe not. Yeah. And in some countries it's okay to listen to unencrypted data, but if you decrypt encoded data, that's illegal. Okay, so if in doubt, consult your lawyer.

So some of you might say, huh, it's 2016, so who the hell is using this kind of ancient technique? Well, the thing is that in some places you want to avoid interference, like in hospitals in the United States. They want to avoid interference. So if you have the money to buy better equipment, I mean more modern equipment, it always comes with some magnetic shielding that is compatible with 3G or LTE networks, but for some other equipment there might be some interference. Or there might be some places like plants, chemical plants, where the signal is just weak. You cannot use your cell phone. Or there are some special places like government contractors, the defense industry, the military industry, where devices with recording or transmission capability are strictly prohibited. So you need some alternatives. And in Germany as well, you have something like Cityruf still in use, and you can still buy this kind of pager. So yeah, actually that's one of the pages I listened to in Germany. I don't understand why the message is in English anyhow, and yeah, you can just read it.

So this is the agenda for today. I'll first talk a little bit about protocols, then how it is used in the health sector, hospitals, how it's used in the industrial sector, and then government, and then we'll talk about how to spoof it.

So pagers were first invented in the 1950s. You just pay like 12 bucks a month and you get a service with 20 miles of coverage. That's quite neat. But pagers weren't hot until the 1990s. But they were only there for about 10 years, and after 10 years everyone uses a cell phone. So Motorola stopped making new pagers in 2001. But hey, it was once a symbol of cool.
People invented so many numerical expressions to say, hey, I love you, I miss you, goodbye, kiss, and go to hell. Well, it was a good old time, right?

So this is the POCSAG protocol. It's used in most countries all over the world, including Germany, and it's 512 or 1200 bits per second. And the most important thing is that the bandwidth is 9 kilohertz. So we can practically recognize this kind of signal in the waterfall that we will see later. And another main protocol is FLEX. FLEX was invented by Motorola. So it's a little bit faster and a little bit more efficient in bandwidth. And well, since we don't want to build things from scratch and these protocols are kind of complicated, you can always use utilities like GNU Radio or rtl_fm or multimon-ng to decode and demodulate all these kinds of signals. So we're using that as well. So these are the frequencies, but you don't really need to copy them. You can find them on Wikipedia.

Okay, so this is our setup. With only 20 bucks or 20 euros you can buy such a DVB-T USB dongle, plug it into your computer, run GNU Radio, and everything's done. So easy. And if you are rich enough, you can buy some fancy stuff like this, a HackRF One, and probably a B210 or bladeRF. That's cool as well, but well, the 20 bucks thing is good enough. And once it's all connected, you can use GQRX. So I would like to thank the authors of GQRX and GNU Radio and all the Osmocom guys over there. I have met them in room 15 here at CCC, so that's pretty cool. They have open-sourced everything, so you can just grab it and use it for free. And this signal here, this one is POCSAG. And how do I know? Because you can see the bandwidth. It's nine kilohertz, and you see the two points there. So you know it's FSK. It's a frequency-shifting thing. So if in doubt, check sigidwiki.com. It's pretty useful. And for FLEX signals, we just use this guy, Clayton Smith, who has written a really cool piece of software called pagerrx.py.
Just run it and it sniffs multiple bands at the same time. And we conducted our research for four months, from February to June, and we collected, sorry, we observed 18 million alphanumeric messages. Yeah, so let's look at the data.

So how is the data used? Actually, it is integrated in most hospitals in the United States, like in nurse call or workflow management, or in the communication between the doctor and the pharmacy. And sometimes you see personal messages as well. So let's just look at the data. Every time some event happens, someone calls 911 and a message is transferred to some place, like you can read here. There's a type called EMS, so it's an emergency thing. Someone has chest pain at the same time. Or you can have something more advanced, like someone who is a 19-year-old female. She has... there's some AED used. So she's being transferred to some place, being treated by Dr. Hu, at some hospital, and her date of birth is MMDDYYYY, and there's some pre-diagnosis before she arrives. So with this kind of information they can better coordinate with the hospital and be prepared for surgery or a proper bed for the patient. So that kind of reduces the waiting time and increases patient satisfaction, sorry, sort of, yeah, yeah. If you see medical treatment as a service, there can be satisfaction, okay. And it improves efficiency in admission, discharge, or you can make an appointment with your doctor for an in-house service or in-house treatment, things like that.

And we can see something like the NaviCare system and the CuraSpan system. We just name these two, but it's not limited to these brands. For example, in NaviCare, you can see it's transporting some patient whose medical reference number is such and such, from ED, from the emergency department, to some exam room, and then the patient is transferred to CPC, chest pain center.
Then the status is what, admitted, to Dr. Who, diagnosis is chest pain, things like that. So you might think, oh, it is all about personal data, my personally identifiable data. It's quite scary, but it's not limited to this kind of thing. For example, we have Inquirker. Inquirker is a little bit more cautious. It uses abbreviations, the first letters of the patient's names. That's good, but then it gives you a URL, like just visit this URL. Then you can see something. But actually they ask for an ID and a password, but they usually use one single ID and password in a whole hospital. So you might get to know something that you are not authorized to know. Or like this, Episys. From this red arrow, you see this thing is an MRN, medical reference number.

And among all the data we have seen, about 7% is from NaviCare and 7% from McKinsey and Aurex. So you can kind of guess the market share of all these workflow systems in hospitals. But just be careful, because the data might be biased. Some messages can be sent as a group call. In a group call, it can be sent once to a wildcard number, or it can be sent 13 times to 13 different numbers. So with that kind of duplicate number, you get biased data. And we didn't clean that, because that's simply not necessary.

So with this personally identifiable data, we got email, medical terms, English names, syndromes, diagnoses, medicines on the FDA drug list, phone numbers, especially phone numbers, because sometimes the patients want to have in-house care, so they leave the number in the system. We might, no, we might not see that. Yeah. And we can make some interesting statistics on the top medical terms that we have seen in the pages, like "flap", they're quite interested in your veins, or EKG, they're interested in the heart, or sepsis, x-ray, things like that.
But we see other messages, like how doctors communicate with the pharmacy, and they have placed an order for what kind of medicine should be delivered to which room. So with this kind of data, we see a different picture. It's not about your heart or your veins, it's more about albuterol or Tylenol. So it's about a painkiller and a bronchodilator.

And we see something else. These are from the United Kingdom. It's about organ donors. So it's a donor number, which number? And the donor's hospital name, the donor's name. And like this great donor is a female, 49 years old, it's a donation after cardiac death. And the offer is to a patient who? Actually, this raises very serious ethical issues, because usually we don't want to let the one who gets this human organ know who the donor is, because that might be something like trading an organ or things like that. So it can be very serious.

And we see something like home care. Okay, this is the example of home care. So it's like, please call the patient at home, his or her home. The phone number is like this. And for some syndrome, he or she wants to take a steroid, but not prednisolone. Or we see someone's dad. And actually we checked the local newspaper, and he's dead. Yep.

So one of the most serious things we see is the caller ID system. The caller ID system is that whenever you make a phone call, it looks up an internal phone book and shows who's calling whom, with a name and a number. So if you observe these pages for quite a long time, you can compose your own yellow pages. And that's my thing's words. And we will see that in a minute.

So, industrial. We see many industries using this SMS-to-pager gateway, maybe because they want to receive some alerts via SMS, but then they found that the SMS might not be delivered to their cell phones. So they use this kind of gateway to transfer it to pagers that might be used in the plants.
And hey, for example, you see this "from SMS" thing, that number is the callee number. And you have the missed call from someone, that's the caller number. So here you can make a correlation between caller and callee. And you can make a phone book too. And in the example here, if we get the same number, like numbers one, two, three, four, five, six are exactly the same number, and the message is so brief, it's just "call me", you see they have some tight relationship. And CallXpress has this speech-to-text summary that, just like a Google service, transcribes the voice message to text and sends it to your SMS. So in this case it's sent to the pager. So it's visible if someone is listening to the radio. And we have seen examples of using the email-to-pager gateway, like Who's Calling; Who's Calling will send an email if there's some missed call.

And we have WebCTRL, it's a building automation system from Automated Logic. And Metasys is a building automation system from Johnson Controls. And here we see something interesting. For WebCTRL, it's just okay, we don't really care if your chiller is running or not. But for Metasys, they have something called FQR. FQR is a fully qualified reference, which means, and you see this is an AHU, and this code means where, in what facility, this thing is installed. So across the United States, you can pinpoint what this code denotes. You can find the proper place. And sometimes they have it written down in the email address. So these are all redacted, but you see some chemical manufacturers, some defense contractors, some universities, some medical centers. You can name them, they're all big brands. So I don't want to be sued, so I masked it. Yep.

Okay. And the IT industry is using this kind of technique as well. So you get a WhatsApp code, you get a Nagios NetBIOS name, SQL queries, PHP errors. Yeah. Like, I've been doing pentesting for some time, and this kind of passive intelligence is really valuable to me.
So thank you for the information. And sometimes the passcode is here. Yeah, it's "change the password". That's not a real passcode, I made it up, but yeah, the message is real. And sometimes you have two-factor authentication and the code is here, like your passcode is XX0923. So what's Outlook Web App for? And these messages are from McAfee IntruShield. Yeah. I'm not saying anything against McAfee, but actually this is a list of the CVEs that this next-generation intrusion prevention system has found. And yeah, well, they're doing a good job, at least they're blocking these CVEs. But what if these CVEs are happening in a national lab? Kind of serious?

And we have things from power plants. The thing is that the turbine that stopped working was actually in a nuclear plant. So that's something serious. And what if the nuclear plant lost AC power? It runs on batteries or on generators, right? So these kinds of incidents are reported incidents. So if you are a journalist, you might be interested in cross-checking whether they have filed this incident with the nuclear control agency, the nuclear agency. So yeah, what if they haven't filed them?

And we have found things in chemical plants. I have to say sorry that I don't know anything about the chemical industry, so I cannot extract useful information like I did in IT. But you see some stack dump of some PLC. Yep. So if you are an expert here, that might be useful to you. And from the messages, we can find where exactly the chemical plant is. You see this river and this Google satellite map. Yep. I cannot tell you where it is, but you can try to find it. Yep. Or yeah, these are just not very... And this is not meaningful to me. There's some "jump open, jump down". But if you're working in the chemical industry, maybe you want to know some secrets of your competitor. And it shows what their daily operation is like. And the last is the heating, ventilation, and air conditioning system.
It's okay, it's just a boiler and chiller and air conditioning on and off. It's not a very big deal.

But what about the public sector? So the public sector, that's government and its partners. So we have seen this. You guys go ahead, I'm eating here, some name. Well, it's a personal message, it's not a big deal. If it weren't from a government agency, yeah. Well, if that's just between me and my colleague, that's no big deal. But hey, I'm leaving in just a minute to go somewhere. If you think of Kevin Mitnick, someone who's really good at social engineering, and he got this kind of useful information, hey, he could do a lot of things. Yep.

And so here comes, here kicks in the caller ID system again. Like someone from some national organization, he got a missed call from some people, and you can do passive recon. Like this one, this one recon is... I should say she must be the secretary of some very big guy. She's saying, okay, the JW Marriott is only 300 bucks a night, do you want to go for it? So she's sending a lot of messages out, and we can see that. And what if you want to impersonate her and send a message? There's something in the design of this paging system: you cannot authenticate who the sender is. It's by design. So if you impersonate this secretary and send some message to the big guy, he would believe it's you. And there's no way to do two-way authentication, like SSL or TLS.

Okay, and this is a voicemail summary, the interesting thing. So actually people are not aware that what they have said has been transcribed into text and then sent via pager. So it's like, oh, he just missed your call, do you want to tell me what's up, give me a call back. And you can see more intimate messages if you're really keen to know everything. Yeah, and this is recon. We can know who's calling whom, who is whose mother, who is whose sister, who is whose lover or girlfriend, whose husband is who, and their family phone numbers.
So it's something very, very serious when it comes to the government. And we can see the parcels. Well, actually these are the tracking numbers of some parcels sent by some national defense contractors. We see the parcels going out from a given place, and we don't know who they are, we don't want to know. Yeah, so what if you're a Russian spy? No, if you're a Russian spy, you might know many things, but if you are a lame spy, this might help you.

Yeah, okay, so we have to prove we can actually send a page to this kind of tiny thing we bought on eBay. So we bought two devices on eBay, and we know the cap code, we know the frequency they're working on. And again, thanks GNU Radio guys, we use this gr-mixalot, and with a really, really simple diagram we can send pages like this. Hey, hack the planet, yay. And we can think of the attack scenarios, like sending pages to the pharmacy to give you the wrong medicine, and when you take it, you get some problem. We can try to move the patients between the facilities, move in and out and in and out and in and out until you're really bored. Yeah, and we can probably declare an emergency in some facility so people evacuate, and that might cause some damage, real damage, yep. Or we can impersonate someone, we can pretend to be a contractor, because I didn't show you, but there are some real names, real phone numbers and contract numbers. So with a contract number you can pretend to be someone.

Yeah, so here's our conclusion. Just stop using it. Or if you really want to use it, because you cannot avoid this kind of system, encrypt everything, just like you do in HTTP, you do everything in HTTPS and that's better. And if you really have to and you cannot encrypt everything, just don't leak personal information. You can use the first letter of the names, just don't spell out the whole name. Actually, we have seen some really good systems trying to avoid all of this, and we see very good examples in Germany.
German people are quite cautious about this kind of thing, and during these two days, at least these two days, I didn't see any real name, yeah. And with small leaks that you think don't do any harm, we can make a database and turn it into real harm. You can download our white paper from this URL, or you can just search "leaking beeps" on Google. You can get everything from us, and you can download the slides. And if you have something to tell us, if you want to discuss how serious things could be, just find us on Twitter, SJHilt and Melski. So I think that's all. Thank you.

Thank you very much. We have some time for questions and answers. If you would like to leave the room, that's okay, but please take some trash out with you, and if you leave in the front, please duck under the camera. So if you have any questions, please line up at the microphones, which we have here. In the meantime, are there any questions from the internet? Seems like a no. So, come on guys, don't be shy. There's a question right here. Yes.

Is there any commercially available encrypted paging system?

Yes, there is. Actually, Spok has this T5 system that you can buy. I haven't used it, so I cannot say whether it's good or not, but yes, there is.

Just to make sure I understand: I remember pagers at the time, and there the calls were receivable country-wide. Is this still so? Are these hospital staff sending it locally within the hospital, or are they sending it country-wide?

Oh, okay. Thank you for the question. Actually, they wanted to limit the signal strength to within these buildings, but in fact they failed to do that. So you can still get this kind of message 10 or 20 miles away from the hospital, so yeah.

All right, question in the back. Yes.

Yeah, I also remember the time of the pagers in the 90s, and from one day to the next they were gone and calls were closed, it was really, really incredible. I reckon that this was due to SMS.
We had GSM coming up then, so I have the impression that at that time in Europe, SMS took over, and as far as I know, SMS is not that widespread in the US. So, is there less pager usage here in Europe, or are there still a lot of pagers used here in Europe, especially in Germany?

That depends on the country, because Europe is quite complicated. Oh, oh, oh. Well, I can tell you that the hospitals are not using paging systems in Germany, but the emergency sectors, sometimes the police and the fire department, are still using them. So if you tune to the right frequency, you can get something, but not like this. Yeah, so it's not so scary. And someone told me that in Belgium they are still using it quite a lot, but I haven't been there, so I cannot tell you.

And an additional question would be, you said Motorola stopped production in 2001, was that correct?

Yeah.

But I understand that these pagers are still produced and rolled out in new installations, is this correct?

Yes. I'm not sure who makes these new pagers. Yeah.

All right, any other questions? Now is your chance, yes, please.

And on the encryption, you spoke about there being encrypted systems, but is there anything to retrofit? I mean, nobody would buy another 200 new pagers. Okay, so I have encrypted ones. And you said encrypt the things, but how could I encrypt if I have, like, I'm a hospital with my 2,000 people and I have to retrofit a solution?

I'm repeating for the stream: is there any encryption system that can be retrofitted? Not as far as I know. Yeah. So the thing is, you're telling us why they are not replacing this kind of system with a safer system. Yeah, nobody wants to invest in another 200 new pagers with these encryption systems. But well, I'm not sure, if there is some pressure from society, maybe they will make a change.

All right, do we have any other questions? If not, we're going to close. So thank you for attending.
Please, when you leave, take out the trash and give another warm round of applause. Perfect.
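The talk covers POCSAG in a single slide (512 or 1200 bit/s FSK in a 9 kHz channel) and then makes the point that a receiver cannot authenticate the sender. The codeword layout below, as an added example in Python that is not code from the talk, the Leaking Beeps paper or any tool named in it, shows why: the only check a decoder such as multimon-ng performs is an error-detecting BCH(31,21) code plus an even parity bit. It assumes the standard POCSAG codeword layout and sync/idle constants, and zero padding of the last message codeword (both marked in comments).

```python
"""POCSAG codeword layout (added example; see lead-in for assumptions).
A 32-bit codeword, MSB transmitted first:
  bit 31     : 0 = address codeword, 1 = message codeword
  bits 30..11: 20 payload bits (address: 18 RIC bits + 2 function bits;
               message: 20 bits of the 7-bit ASCII stream, LSB of each char first)
  bits 10..1 : 10 BCH(31,21) check bits, generator x^10+x^9+x^8+x^6+x^5+x^3+1
  bit 0      : even parity over all 32 bits
Integrity only: nothing in the codeword identifies or authenticates the sender.
"""

BCH_GEN = 0x769               # generator polynomial as an 11-bit number
SYNC_CODEWORD = 0x7CD215D8    # opens every batch (constant from the spec)
IDLE_CODEWORD = 0x7A89C197    # fills unused slots (constant from the spec)

def bch_checkbits(data21: int) -> int:
    """Remainder of data21 * x^10 modulo the generator: the 10 check bits."""
    reg = (data21 & 0x1FFFFF) << 10
    for i in range(30, 9, -1):          # polynomial long division, MSB first
        if reg & (1 << i):
            reg ^= BCH_GEN << (i - 10)
    return reg & 0x3FF

def even_parity(word: int) -> int:
    return bin(word).count("1") & 1

def make_codeword(is_message: bool, payload20: int) -> int:
    data21 = (int(is_message) << 20) | (payload20 & 0xFFFFF)
    word = (data21 << 11) | (bch_checkbits(data21) << 1)
    return word | even_parity(word)     # bit 0 makes the total weight even

def codeword_valid(word: int) -> bool:
    """What a receiver checks: parity first, then the BCH remainder."""
    if even_parity(word) != 0:
        return False
    return bch_checkbits(word >> 11) == ((word >> 1) & 0x3FF)

def make_address_codeword(ric: int, function: int) -> tuple:
    """(frame 0..7, codeword) for a 21-bit RIC ('cap code'). The low 3 RIC
    bits select the frame inside the batch and are not sent in the codeword."""
    payload = (((ric >> 3) & 0x3FFFF) << 2) | (function & 3)
    return ric & 7, make_codeword(False, payload)

def encode_alpha(text: str) -> list:
    """7-bit ASCII, each character LSB first, packed 20 bits per codeword."""
    bits = [((ord(ch) & 0x7F) >> k) & 1 for ch in text for k in range(7)]
    bits += [0] * (-len(bits) % 20)     # zero padding: an assumption here
    words = []
    for i in range(0, len(bits), 20):
        payload = 0
        for b in bits[i:i + 20]:
            payload = (payload << 1) | b  # first stream bit lands in bit 30
        words.append(make_codeword(True, payload))
    return words

def decode_alpha(words: list) -> str:
    """Reverse of encode_alpha; rejects corrupt or address codewords."""
    bits = []
    for w in words:
        if not codeword_valid(w) or not (w >> 31) & 1:
            raise ValueError("corrupt or non-message codeword: %08X" % w)
        payload = (w >> 11) & 0xFFFFF
        bits += [(payload >> (19 - k)) & 1 for k in range(20)]
    chars = []
    for i in range(0, len(bits) - len(bits) % 7, 7):
        chars.append(chr(sum(b << k for k, b in enumerate(bits[i:i + 7]))))
    return "".join(chars).rstrip("\x00")  # drop characters made only of padding
```

The check catches transmission errors and nothing else: there is no field a receiver could use to distinguish the hospital's paging terminal from any other POCSAG source, which is the sender-authentication gap the talk describes and the reason its conclusion is to encrypt or stop using the system.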