C3Subtitles: 33c3: Code BROWN in the Air
back

Code BROWN in the Air

A systemic update of sensitive information that you sniff from pagers

If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!

Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.

Video duration
00:37:07
Language
English
Abstract
The talk is about the paging system, an old technology in the 90's, used in healthcare, ICS and government, a systematic review of security impacts that it brought to us in the age of SDR, covering the United States, Canada, England and Japan. By sniffing known pager frequencies in the general vicinity of hospitals, factories and public facilities with a $20 DVB-T, we discovered that not only is pager technology alive and kicking, but much of the traffic is not encrypted, resulting in violation of privacy laws and more importantly, leaks of sensitive information. The talk is not about the protocol nor the hardware device.

<p>
Pager was once very popular in the 90's. It did not disappear from the world as cellular technology
phased in, but found a niche market in hospitals, industry control systems, public services and
defense industries where low transmitting power or uni-directional transmission are mandatory. Just like
other old technologies, systematic risk can emerge as new technology, for example SDR, becomes affordable.
<p>
It is well known that one can decode POCSAG and FLEX messages with SDR as early as in 2013. After four
months of observation, prudent metadata collection and data analysis, however, the researchers believe that
the extensive use of email-to-pager and SMS-to-pager gateways, along with the unencrypted nature of paging
system, makes it a huge security impact to the users and companies. Workflow software integrated with pagers
can cause a huge leak of personal information. We can fix it only after people are fully aware of the status quo.
<p>
The talk is a summary of data analysis and a demonstration of how far passive intelligence using pagers can go,
scenarios including,
<ul>
<li>Workflow systems in hospitals
<li>Patient tracking
<li>Pharmacy and prescription
<li>Nuclear plants
<li>Power stations
<li>ICS and HVAC in chemical and semiconductor companies
<li>Automation and intelligence in defense sector
<li>SNMP and system monitoring
<li>Interpersonal relationship
</ul>
If time permits, the researchers will also update the status of paging system used in several European countries.

Talk ID
8042
Event:
33c3
Day
2
Room
Saal 6
Start
11 p.m.
Duration
01:00:00
Track
Security
Type of
lecture
Speaker
miaoski