Skip to main content
https://www.highperformancecpmgate.com/rgeesizw1?key=a9d7b2ab045c91688419e8e18a006621

NHS pagers are leaking medical data

An amateur radio rig exposed to the internet and discovered by a security researcher was collecting real-time of medical data and health information broadcast by hospitals and ambulances across U.K. towns and cities.

The rig, operated out of a house in North London, was picking up radio waves from over the air and translating them into readable text. The hobbyist’s computer display was filling up with messages about real-time medical emergencies from across the region. For some reason, the hobbyist had set up an internet-connected webcam pointed at the display. But because there was no password on the webcam, anyone who knew where to look could also see what was on the rig’s computer display.

Daley Borda, a security researcher and bug bounty hunter, was at home in Florida when he stumbled upon the exposed webcam. The live stream was grainy, and the quality of the images so poor that it was just possible to make out the text on the display.

“You can see details of calls coming in — their name, address, and injury,” he told TechCrunch.

TechCrunch verified his findings. Messages spilling across the screen appeared to direct nearby ambulances where to go following calls to the 999 emergency services.

One message said a 98-year-old man had fallen at his home address. A few moments later, another message said 49-year-old male was complaining of chest pains at a nearby residence. One after the other, messages were flooding in, describing accidents, incidents, medical emergencies, often including their home addresses.

benz app 2 2

Several screenshots of the amateur radio decoding software, revealing unencrypted pager messages from nearby NHS trusts. (Image: TechCrunch)

Borda spends much of his time scouring the internet for things that shouldn’t be online. He looks for exposed databases and devices and, like most other security researchers, privately reports them to their owners. If he’s lucky, the owner takes action. Better yet, they pay out a bug bounty for his efforts.

But he could not figure out who the rig belonged to. TechCrunch contacted the hobbyist’s internet provider to warn of the data exposure.

“Last night we contacted the customer to make them aware that there was a live webcam broadcasting on the open web from their household,” said a spokesperson from the internet provider. “The customer was unaware of the nature of the information being shown so has said that they will stop the feed on that particular camera.”

The hobbyist was picking up and decoding pager communications from a nearby regional National Health Service trust.

“With some cheap, relatively basic, software it is possible for hobbyists to access these frequencies and decode the information being sent, which appears is what has occurred here,” the spokesperson said.

Old but reliable

Pagers — or beepers — may be a relic of the past, but remain a fixture in U.K. hospitals.

These traditionally one-way communication devices allow anyone to send messages to one or many pagers at once by calling a dedicated phone number, often manned by an operator, which are then broadcast as radio waves over the pager network. But pagers still offer benefits where newer technologies, like cell phones, fall down. Because they work a low frequency, pager radio waves are able to travel further and deeper inside large buildings — particularly hospitals — which have thickened walls to protect others from X-rays and other radiation. Pagers also work across long distances, including in cell service dead-spots.

But few were thinking about message security when pager use was at its peak.

“They aren’t secure,” Andy Keck, an electronics and amateur radio hobbyist, told TechCrunch. Keck said messages sent over the pager network are encoded when they are converted into a burst of radio waves and broadcast over the air.

“But people don’t necessarily understand the difference between encryption and encoding,” he said.

Because the two widely used pager protocols — POCSAG and FLEX — are not encrypted, it’s easy to understand what messages are broadcast over the airwaves using free and open-source software.

For years one of the largest barriers to intercepting and decoding pager messages — or any other radio waves — was that hobbyists needed custom, often expensive hardware. But with the advent of software-defined radios, most hobbyists can get by with a $20 plug-in dongle and an antenna.

“It’s just enter the command to start the application, sit back, and start decoding in real time on the screen,” he said.

130,000 NHS pagers

Although the number of pagers has dropped to near-zero from their height in the 1980s, pagers still carry a considerable amount of information every day.

Pager messages can travel over a large distance, said Keck, depending on how high the transmitter is located. Most major cities are covered with some pager service. Given the geography of the U.K., amateur radio hobbyists can often pick up pager messages from different sources.

The NHS still uses about 130,000 pagers, according to the U.K. government’s latest count, or about 10 percent of the world’s current pagers in use. But the NHS has been told to stop using pagers altogether by 2021.

But it’s not clear how many trusts are exposing medical information — if at all.  According to NHS spokesperson Oliver Michelson, “each NHS organization is responsible for its own IT equipment and security.”

GettyImages 128243077

Pagers receive encoded, but not encrypted messages. (Image: Getty Images)

One NHS trust we spoke to said they had around 1,600 pagers and are managed by the trust. (We are not naming the trust, as it would expose their communications.) When asked if the trust was aware that pager messages are not encrypted and can be intercepted by amateur radio hobbyists, the spokesperson responded: “Yes.”

Another trust we spoke to said they were “aware” that the handful of pagers it operates do not encrypt their messages. The trust said their pagers were managed by a third-party.

PageOne, the last remaining pager network in the U.K., says in a brochure that its pager service can deliver “real-time messaging cost effectively and securely to their staff.”

But a spokesperson told TechCrunch: “PageOne ensures customers are aware of the ability to intercept messages in its terms and conditions” and that encrypted services “are available if required.”

The company said the majority of NHS pagers are operated on private pager networks operated by the trusts themselves.

‘Trivially interceptable’

Amateur radio hobbyists know all too well the risks posed by unencrypted pagers.

Over the years there have been numerous headlines of hobbyists picking up signals from nearby hospitals, including patients’ names and medical information. Some have even turned eavesdropping on hospital pagers into an art project.

Last month, hospitals in Vancouver were found broadcasting unencrypted patient medical data across the city.

Sarah Jamie Lewis, executive director at Open Privacy, who first revealed the issue, said the hospital pager messages were “trivially interceptable” by anyone nearby.

“It tends to be pretty common knowledge in the amateur radio community that these kind of broadcasts are going on but it’s only recently that we started seeing a culture of disclosure,” said Lewis.

In the U.K., it’s legal for amateur radio hobbyists to scan the airwaves but unlawful to disclose the contents of messages. That’s put some security-focused hobbyists who disclose exposed sensitive messages in a tough legal spot.

“You get this horrible situation where not disclosing is bad, but people have a right to know that their health data is being breached,” said Lewis.

But the penalties could be far steeper for organizations that expose sensitive health data. Exposing personally identifiable and health information violates GDPR, the Europe-wide data protection laws that came into force last year. Organizations can be fined heavily for breaching the rules.

With more than a year on the clock before the NHS pager ban comes into effect, it’s not a problem that can be easily fixed.

The obvious solution would be not to send sensitive health or medical data over pager messages. Clearly, as seen by the amateur hobbyist’s radio rig, that message isn’t getting through.


Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send PGP email with the fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.

Comments

Popular posts from this blog

Uber co-founder Garrett Camp steps back from board director role

Uber co-founder Garrett Camp is relinquishing his role as a board director and switching to board observer — where he says he’ll focus on product strategy for the ride hailing giant. Camp made the announcement in a short Medium post in which he writes of his decade at Uber: “I’ve learned a lot, and realized that I’m most helpful when focused on product strategy & design, and this is where I’d like to focus going forward.” “I will continue to work with Dara [Khosrowshahi, Uber CEO] and the product and technology leadership teams to brainstorm new ideas, iterate on plans and designs, and continue to innovate at scale,” he adds. “We have a strong and diverse team in place, and I’m confident everyone will navigate well during these turbulent times.” The Canadian billionaire entrepreneur signs off by saying he’s looking forward to helping Uber “brainstorm the next big idea”. Camp hasn’t been short of ideas over his career in tech. He’s the co-founder of the web 2.0 recommendatio...

Drone crash near kids leads Swiss Post and Matternet to suspend autonomous deliveries

A serious crash by a delivery drone in Switzerland have grounded the fleet and put a partnership on ice. Within a stone’s throw of a school, the incident raised grim possibilities for the possibilities of catastrophic failure of payload-bearing autonomous aerial vehicles. The drones were operated by Matternet as part of a partnership with the Swiss Post (i.e. the postal service), which was using the craft to dispatch lab samples from one medical center for priority cases. As far as potential applications of drone delivery, it’s a home run — but twice now the craft have crashed, first with a soft landing and the second time a very hard one. The first incident, in January, was the result of a GPS hardware error; the drone entered a planned failback state and deployed its emergency parachute, falling slowly to the ground. Measures were taken to improve the GPS systems. The second failure in May, however, led to the drone attempting to deploy its parachute again, only to sever the line...

How the world’s largest cannabis dispensary avoids social media restrictions

Planet 13 is the world’s largest cannabis dispensary. Located in Las Vegas, blocks off the Strip, the facility is the size of a small Walmart. By design, it’s hard to miss. Planet 13 is upending the dispensary model. It’s big, loud and visitors are encouraged to photograph everything. As part of the cannabis industry, Planet 13 is heavily restricted on the type of content it can publish on Instagram, Facebook and other social media platforms. It’s not allowed to post pictures of buds or vapes on some sites. It can’t talk about pricing or product selection on others.   View this post on Instagram   A post shared by Morgan Celeste SF Blogger (@bayareabeautyblogger) on Jan 25, 2020 at 7:54pm PST Instead, Planet 13 encourages its thousands of visitors to take photos and videos. Starting with the entrance, the facility is full of surprises tailored for the ‘gram. As a business, Planet 13’s social media content is heavily restricted a...