Snooping Private Hospital Records for $20

big airquotes around the word private.

03-12-2018 - 7 minutes, 39 seconds -
hacking sdr radio hospital rtl-sdr cocaine pocsag records

So this is going to be a fun post.

I haven't said anything on here about my little hobby of SDRs, so I'll explain what it is. SDR stands for Software Defined Radio (basically a computer-programmable radio). It has been popularised by the RTL-SDR, which lets you listen to the radio spectrum from around 22 MHz up to 1700 MHz. My current SDR is some dodgy Chinese one I got from eBay, with a slightly-better-than-stock antenna I got from https://www.rtl-sdr.com. Normally these RTL-SDRs aren't used as an SDR at all; they're just a TV tuner for the computer.
I've been messing around with SDRs for the last year or so, but only really on the websdr sites, and only got into the physical SDR stuff more recently.

So it turns out my nearby hospital uses pagers to communicate with ambulances.
The pagers use a standard called POCSAG (Post Office Code Standardisation Advisory Group), made by the British Post Office, which supplied all telecommunication networks at the time. The standard allows ASCII communication over the radio, and these signals are extremely easy to detect and read with an SDR setup.

This is where it gets a little scary (and morally grey): they post every single ambulance request in clear text, over a radio frequency that can be picked up by a $26 radio device that takes about 5 minutes to set up.

Ambulance request data

POCSAG512: Address: 164469 Function: 0 Alpha: @@E13578357533 SIG2 BGDO3467 REQ0420 DSP421 LOC 69 ACTUALLY ST IMAGINARY SUBURB /DATA-PYRAMID RD //GOES HERE ST FWWA NW 1234 K1 CC: 2E2 - FOOT PAIN:NOT ALERT Prob TOE BUMPED BROKEN Pat: 1 Age:28 Years Gen:M

A lot of this looks like a bunch of random numbers, but let's break it down. Italicised items are best guesses, bold ones are confirmed, and normal text is common sense.

  • POCSAG512 - The bitrate and type of encoding (POCSAG at 512 bits/s)
  • Address - Basically who the message is intended for.
  • Function - Used with the Address to generate something called a 'capcode', which says who the message is for.
  • Alpha - Unknown, but from the way it's formatted it is likely the actual message (alphanumeric message), with the above being 'headers'.

So we've decoded the headers, sort of. The actual message format can differ; shown below is the most common one for hospitals and ambulances.

  • @@E13... - Unknown, likely coded information, possible case number.
  • SIG2 - Station, transmitter, or hospital
  • REQ0420 - Time requested, either by the 000 call or by the hospital system.
  • DSP421 - The time the ambulance has been dispatched or will be dispatched.
  • LOC - Location (two addresses are listed here, one with a street number and one without, no idea why)
  • CC - Unknown. Possibly carbon copy.
  • A BIG F.. - Symptoms.
  • Prob - Problem with Patient, likely diagnosis.
  • Pat - Unknown, possibly the number of patients.
  • Age - Patient's Age. (In years :p)
  • Gen - Patient's Gender

So, putting this together, this one report tells us that at (or at least before) 4:20am, a 28-year-old male at 69 Actually Street, Imaginary Suburb, called an ambulance because of foot pain, the likely cause of the foot pain being a broken toe. The ambulance was dispatched at 4:21am.

That's a lot of information. Like, A LOT of information. I've completely fabricated all the details of this example, and all the unknown information is random, but this amount of data is a massive privacy problem.
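To make the breakdown above concrete, here is an added Python example (mine, not code from the post) that parses the fabricated multimon-ng line into the fields the post identifies and lists which of them are personal data. The field names and the tag-based regexes are assumptions drawn from this one sample, not a published message specification.

```python
import re
# Constructed sample: the fabricated ambulance-request line quoted in the post.
SAMPLE = (
    "POCSAG512: Address: 164469 Function: 0 Alpha: @@E13578357533 SIG2 BGDO3467 "
    "REQ0420 DSP421 LOC 69 ACTUALLY ST IMAGINARY SUBURB /DATA-PYRAMID RD //GOES HERE ST "
    "FWWA NW 1234 K1 CC: 2E2 - FOOT PAIN:NOT ALERT Prob TOE BUMPED BROKEN "
    "Pat: 1 Age:28 Years Gen:M"
)
# multimon-ng prefix: mode (bitrate), address, function bits, then the alpha text.
HEADER_RE = re.compile(
    r"^(?P<mode>POCSAG\d+): Address: (?P<address>\d+) "
    r"Function: (?P<function>\d) Alpha: (?P<alpha>.*)$"
)
# Body tags in the order the post decodes them (the field names are my own guesses).
BODY_RE = {
    "requested": r"\bREQ(\d{3,4})\b",
    "dispatched": r"\bDSP(\d{3,4})\b",
    "location": r"\bLOC (.+?) CC:",
    "complaint": r"CC: (.+?) Prob ",
    "problem": r"\bProb (.+?) Pat:",
    "patients": r"\bPat: (\d+)",
    "age": r"\bAge:(\d+) Years",
    "gender": r"\bGen:([A-Z])",
}
# Fields that identify a person or a home; the rest is dispatch metadata.
PII_FIELDS = ("location", "complaint", "problem", "age", "gender")

def hhmm(digits):  # REQ0420 -> '04:20'; DSP421 -> '04:21' (3-digit form drops the leading zero)
    d = digits.zfill(4)
    return f"{d[:2]}:{d[2:]}"

def parse_line(line):
    """Split one decoded line into the headers and the body fields the post identifies."""
    m = HEADER_RE.match(line)
    if not m:
        return None  # not a multimon-ng POCSAG alpha line
    rec = {"mode": m["mode"], "address": int(m["address"]), "function": int(m["function"])}
    for name, pat in BODY_RE.items():
        hit = re.search(pat, m["alpha"])
        rec[name] = hit.group(1).strip() if hit else None
    for key in ("requested", "dispatched"):
        if rec[key]:
            rec[key] = hhmm(rec[key])
    return rec

def exposed_pii(rec):
    """Which personal fields this one transmission carried in clear text."""
    return [f for f in PII_FIELDS if rec.get(f)]
```

Running `exposed_pii(parse_line(SAMPLE))` on the fabricated line returns all five personal fields, which is the point of the post in one call.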

During my logging I received around 535 requests, with some duplicates sent to multiple addresses.
My logging ran from 11:30pm to 6pm the following day.

Keypads and Idiot doctors

So, enough with all the automated pager calls to ambulances, let's focus on something a little more personal.

Not only are these pagers used for talking to ambulances, but they are also used for talking between staff of a hospital. I think this is a nice example.

CRSK - ALL GOOD TO HEAD HOME AFTER YOU GRAB YOUR COFFEE GUYS - THANKS FOR COVERING - DM :)

Whoever DM is, they're happy that they had someone to cover for them. This seems alright until you realise that these doctors are led to believe that their custom system is secure, so they transmit slightly more interesting stuff.

MAS: SAFETY - UNIT 2 [NAME REDACTED] CAUTION - PREVIOUS DEALINGS AT THIS ADDRESS INVOLVING A FEMALE KNOWN AS [NAME REDACTED] WHO HAS HISTORY OF VIOLENCE ETC TOWARDS AV AND/OR OTHER RESPONDERS. PLEASE TRY TO ASCERTAIN IF THIS PERSON IS PRESENT OR INVOLVED IN THE AV CALL AND ASCERTAIN IF THERE IS ANY INDICATION OF A CRIME BREACH OF THE PEACE OR ANY THREAT TO AV STAFF WHICH REQUIRES POLICE ATTENDANCE AND THEN UPDATE THE CAD EVENT BEFORE FORWARDING TO POLICE. QRT(Part 1 of 2)

and a nice bloke called REDACTED.

G'DAY, POLICE ARE ASKING IF THE BIKE CAME FROM THE ROAD INTO THE HOUSE OR IF IT WAS RIDING AROUND THE HOUSE? CHEERS, [REDACTED] .

ON THE SECCOND DAY OF XMAS THERE WAS ANOTHER CRAZY OPTIMA MOVE, JUMP UP ON AIR ON CH [CHANNEL REDACTED] WITH A HO HO AND PLEASE MOVE TO [LOCATION REDACTED] FOR COVER AND YOUR ECHO IF YOUR IN YOUR WINDOW. HAVE A SAFE DRIVE CHEERS [NAME REDACTED]

This isn't too bad, just warnings to first responders. At least they're feeling the Christmas spirit :)

3467 KEY LOC ATTACHED TO LOWER RAIL OF BALLUSTRADE AT FRONT DOOR BEHIND POT PLANT

Okay, now it's a little scarier: they're saying "hey, the keys for whatever property are here". Further investigation could determine the address that key belongs to, and well. Yeah.

KEYLOCK LOCATED AT FRONT DOOR CODE 6365 (actual code changed for insanely obvious reasons)

This is a keylock for a hospital. These are broadcast fairly often; one assumption is that it's the constantly changing lock for the room that stores all the cool chemicals and medicines used in a hospital.

Either that, or it's someone's keypad PIN for their home. Both options are equally terrifying.

Worst Case Scenario

While I've been logging all this, I've been thinking about what someone who wasn't a nice upstanding citizen could do with this information.

I can't really find a better way to present this than as dot points.

  • Rob someone's house while they are at the hospital
    • Additionally being able to see when 90+ year olds are taken to the hospital.
  • Collect this data long term and sell it in bulk to hackers, the Russians, or any number of insurance companies
  • Blackmail patients, who had something they wouldn't really like to have announced (cocaine based suicide attempt, police charges)
  • Break into places that have had their keys' location broadcast for everyone in the state to hear.
  • Break into the hospital's locked medicine room.
  • Break into places that have had the PINs for their locks broadcast.
  • A tool for abusing people who have had embarrassing medical incidents.

Don't worry, the law protects our medical data?

Thankfully it's illegal to use any of this data for any purpose, but not really illegal to listen in. Then again, criminals don't have much of a record of following the rules.

The fun part is, they tried to set this up as an encrypted system, as shown in this ABC article.

That was in 2014, and they were not likely to set up encryption, as our government believes it's more important to spend money elsewhere than on keeping our own private medical data private.

Making a law saying that it's illegal to use for any purpose isn't good enough when they're effectively shouting everyone's medical data on a crowded train, and then punishing anyone who just happens to hear them.

How we set it up, and how you can too!

This is the part that scares me to write, but the only way to get anyone to really notice is for more people to see first hand what the hell is happening.

You'll need:

  • RTL-SDR (I recommend the $47.32 RTL-SDR Blog Set, but the $27 one should work just as well.)
  • About 5 minutes of set-up time
  • Poor moral judgment
  • Linux. I used Ubuntu because that's what I use.

All you need to do is hook up the SDR to your PC and install gqrx and multimon-ng. Then look up your local POCSAG frequency (check the Signal Identification wiki page!). Run gqrx, click the 'UDP' button, go to the correct frequency, tune to Narrow FM and then run multimon-ng with:

nc -l -u 7355 | sox -t raw -esigned-integer -b16 -r 48000 - -esigned-integer -b16 -r 22050 -t raw - | ./multimon-ng -t raw -a SCOPE -a POCSAG512 -a POCSAG1200 -a POCSAG2400 -f alpha -

You should see a nice window with a wave graph of the audio, and when the POCSAG signal comes through it should start decoding. You'll end up with a line in your terminal containing what was sent.

This is just a really quick 'guide' showing how I did it on my system, so please do your own research, and definitely make sure you're clear on the legality of doing this in your area. If you get stuck with my poor attempt at a guide, there are YouTube videos and better guides you can follow.