33C3: Code BROWN in the Air
Download as PPTX, PDF1 like278 views
This document discusses the use of pagers in various sectors and the potential security issues with pager communications. It begins with an introduction to pager protocols like POCSAG and FLEX. It then analyzes sniffed pager data from the healthcare, industrial, and public sectors. It finds instances of protected health information, prescription data, and facility alarm messages. The document warns that spoofing pages could allow impersonating users or moving patients without consent. It concludes pager communications may need encryption to prevent privacy leaks and potential spoofing attacks.
![Using Email to Pager Gateway (1)
•WhosCalling : Email for missed calls
•WebCTRL®: BAS from Automated Logic
Subject: WebCTRL CHW System Alarm (CRMF Chiller BACnet) – [DATETIME]: CRMF Chiller
BACnet - Chiller 18 Bacnet communication is offline. (CH18_COMM)
•METASYS®: BAS from Johnson Controls
MSHAADX25-001:FWNAE-02/FC-2.AHU-12.SF-S Item Category FWCH-HVAC
» FQR fully qualified references
36](https://image.slidesharecdn.com/codebrown-20161228-171111034215/85/33C3-Code-BROWN-in-the-Air-36-320.jpg)
![Power Plants
From [NAME AND COMPANY REDACTED].com Sub:[PLACE REDACTED]
Critical Path Update Msg:During U2 Turbine Roll, a steam leak was identified
on the *-****-*** valve (SV1 Vent Isolation Valve). Steam leak cannot be
isolated ...
From: [EMAIL REDACTED]- Due to storm, we lost the steam plant
momentarily, there are downed trees and lines are down. Generators are
running for bldgs. that lost power.
I [PHONE NUMBER REDACTED] Local IA [COMPANY NAME REDACTED]
ENVIRONMENTAL [LOCATION REDACTED]/IA [DATETIME] AC POWER
FAIL DUE TO SYSTEMS UPGRADE. SITE ON BATTERIES. PLANT
VOLTAGE 48.18V
41](https://image.slidesharecdn.com/codebrown-20161228-171111034215/85/33C3-Code-BROWN-in-the-Air-41-320.jpg)
![Chemical Companies (1)
VA0095 - ***** A61 (8D05F,1) 6SDA0 00410668 00410670 0045D39A
0044D50C [.S/W] SN:546793 ST:ER LC:1 03/10/16 14:17:07 [15]
VA0095 - ***** A61 (8D05F,1) 8SDXX stack dump ends [.S/W] SN:546917
ST:ER LC:1 03/10/16 14:17:07 [79]
MAKE UP AIR UNIT 1 HI ALARM *****/MUA1/DATEMP Crit1 10.07 Deg C
RTC CLEANROOM ALARM *****/CLEAN-RM/FL-LWLVL Crit1
42](https://image.slidesharecdn.com/codebrown-20161228-171111034215/85/33C3-Code-BROWN-in-the-Air-42-320.jpg)
![Chemical Companies (2)
F***_***FAB1-02, Measuring Bath Level Sensor Trouble
F***_***FAB1-02, Mixing Tank B Mixing Fail
FAB1_***HOD-01, Drum A Empty
FAB1_***HOD-01, Unit Door Open (Drum Zone
FAB1_***BAD-01, Day Tank Level Low Alarm
FAB1_***BAD-01, Distribution Outlet Pressure High - PT-30
FAB1_F1-********-***-***, Unit End Point Pressure High
***-Monitoring-***relay: [DATETIME] (RTN) FAB2 Acid Scrubber 1E PH has exceeded
Low Warning Alarm. [ AT_******_AVG (5.128) < 7.25 for 60 sec ] <TopView is licensed
to [COMPANY] - System 1>
43
TopView® is an alarm management and alarm notification system developed by Exele Information Systems.](https://image.slidesharecdn.com/codebrown-20161228-171111034215/85/33C3-Code-BROWN-in-the-Air-43-320.jpg)
![From: WebCTRL@***.com Subject: **** AHU-1 (High Bay) - High Space Particle Count
(Level 2): Alarm – [DATETIME]: The space Particle Count is too high: West: 72
cnts/SCF / East: 15253 cnts/SCF (!PC_HI2)
From: tridium@***.com Subject: Alarm From **_Boiler_2_Supply_Temp - State: Normal
From:MetasysNotification@***.org Subj:Bacnet Alarm [DATETIME] SEWAGE-HIGH-
WATER-A Fault 70.Value Normal .Item Description Sewage Ejection Pump High Alarm
HVAC
44](https://image.slidesharecdn.com/codebrown-20161228-171111034215/85/33C3-Code-BROWN-in-the-Air-44-320.jpg)
33C3: Code BROWN in the Air
- 1. Code BROWN in the Air 33C3 Philippe Lin @miaoski Stephen Hilt @sjhilt
- 2. Code BROWN Medical lingo spoken by EMS and emergency room personnel to denote a patient who is incontinent of feces. (Urban Dictionary) 2
- 3. Why Pagers? •Integrated with healthcare workflow •SMS-to-Pager •Email-to-Pager 3
- 4. Legal Disclaimer It might be illegal to • Sniff and store the data • Sniff but not store the data • Decrypt Hint: NSA works with metadata. It IS illegal to Spoof. 4
- 5. Huh? It’s already 2016 •To avoid interference •Places with weak cellular signal •Physical security standard for SCIF (Sensitive Compartmented Information Facilities) 5 PHS J-88
- 6. In Germany as well POCSAG1200: Address: 189xxxx Function: 3 Alpha: 5:p now! Erectile dysfunction is not a thing to discuss with Tom, Dick, and Har 6 CityRuf in Germany. Picture from https://de.wikipedia.org/wiki/E*Cityruf
- 7. Agenda •Introduction to pagers & protocols •Healthcare sector •Industrial sector •Public sector and partners •Spoof ? 7
- 9. History of Pagers •Launched in 1950’s in Hospitals in NYC –$12 a month for 25 miles of coverage •1962 Bell System: radio paging system at the Seattle World’s Fair •2001 Motorola stopped making new pagers. •Multiple Protocols in use –POCSAG –FLEX –ReFlex, Golay, Inmarsat, Iridium, etc. 9 Source: Wikipedia
- 10. 10 Pagers Once a Symbol of Cool In TAIWAN 520 = I love you 530 = I miss you 000 = Kisses 881 = Bye 7788250 = you f* moron 744 = Go to hell In USA 143 = I love you 607 = I miss you 406 = Hugs and kisses 911 = Call me now 601 = Happy B-Day 1134209 = Go to hell
- 11. Protocol - POCSAG •Post Office Code Standardization Advisory Group –512, 1200 and 2400 bps –Bandwidth 9 kHz, FSK 11 Source: http://www.raveon.com/pd les/AN142(POCSAG).pdf. 32-bit FSC
- 12. Protocol - FLEX 12 • By Motorola • 1600, 3200 or 6400 bps • Bandwidth 5 kHz, FSK or 4FSK • Time syncs instead of always listening for a preamble to save battery • 128 Frames in 4 minute time cycle, 15 cycles per hour
- 13. Frequencies 13 •Primary focused areas for our research Country Frequency (MHz) Protocol USA 928.964, 929.015, 929.359, 929.562, 929.585, 929.612, 929.630, 929.663, 929.683, 929.785, 929.887, 930.263, 930.762, 930.788, 931.012, 931.038, 931.063, 931.113, 931.463 FLEX Canada 929.212, 931.612 FLEX Japan 282.0125, 283.0850, 283.7625, 283.8625 POCSAG
- 14. Setup to Sniff Pages •POCSAG and FLEX •All can be sniffed with a DVB-T Dongle •~ $20 at Hak5, Amazon, etc. 14
- 15. Setup to Sniff Pages 15
- 16. GQRX •Identify the protocols (GQRX, SDR#) 16 POCSAG FSK 9 kHz
- 17. pager_rx.py •GNU Radio Python script that sniffs FLEX protocol •Multiple frequencies at the same time 17 https://github.com/argilo/sdr-examples
- 18. Breakdown of Data Data Type Count Percentage Alphanumeric 18,291,876 34 Tone 8,573,736 16 Numeric 7,715,586 14 SPN* 5,354,497 10 Secured 5,338,516 10 NNM* 4,132,483 8 Unknown 3,044,570 6 Binary 1,868,499 3 18 * We don’t know what they are. •Research period: Feb – Jun, ‘16
- 19. Healthcare 19
- 20. How are Pagers Used •Nurse/Workflow Management •Pharmacy •General Communications 20
- 21. Nurse/Workflow Management • Self-scheduling and schedule at discharge • 911 Transfer Preparation before patient’s arrival 21
- 22. Nurse/Workflow Management • Self-scheduling and schedule at discharge • 911 Transfer Preparation before patient’s arrival • Reduced wait time • Improved efficiency in admission, discharge, transfer, and housekeeping • Personalized information, so hospital workers only receive relevant messages • Reduced cost while increasing patients’ satisfaction 22
- 23. Nurse/Workflow Management • NaviCare® • Curaspan™ 23
- 24. Nurse/Workflow Management • InQuicker • EpicSys 24
- 25. Nurse/Workflow Management 25 Email relay 787,008 69% NaviCare 85,320 7% McKesson Awarix 77,695 7% Agility Healthcare (GE Healthcare) 61,998 5% MediTech 59,361 5% EpicSys 31,075 3% TenetHealth 30,961 3% SMS 5,800 1% InQuicker 5,647 0% Curaspan 1,055 0%
- 26. PHI - Protected Health Information 26 Email 805,609 28% Medical terms 647,745 23% English names 510,313 18% Syndromes / Diagnosis 399,862 14% Medicine on FDA drug list 164,117 6% Phone numbers 124,949 4% Date of birth, age, gender 110,708 4% Medical reference number 90,124 3% URL 6,371 0%
- 27. Top Medical Terms 27 Phleb 85,079 EKG 35,138 Sepsis 29,430 Xray 20,218 Ortho 12,591 Kidney 11,197 Anemia 10,988 Cellulitis 10,124 Resistivity 9,594 Dyspnea 8,417 Anesthesia 7,752 Atrial 6,767 Hemorrhage 6,529 Troponin 6,262 Nebulizer 6,107
- 28. Pharmacy 28
- 29. Top Prescriptions 29 Albuterol (a common bronchodilator) 23,175 Tylenol 6,134 Duoneb (treats COPD and asthma) 5,586 Coumadin (AKA Warfarin) 5,240 Ipratropium 5,020 Zofran (prevents nausea and vomiting) 4,844 Heparin (prolongs blood clotting time) 4,238 Insulin 4,197 Acetaminophen 3,669 Ativan (a benzodiazepine tranquilizer) 3,630 Ondansetron (treats vomiting) 3,545 Lasix (treats uid retention in people with congestive heart failure, etc.) 3,278 Vancomycin (last-line antibiotics) 3,029 Morphine 2,763 Nikki (treatment of moderate acne vulgaris) 1,554
- 30. Organ Donors 30
- 31. Home Care / Death 31
- 32. CallerID System 32 135 patients’ names, phone numbers, pregnancy statuses, birthdates, as well as information on illnesses and symptoms.
- 33. Industrial 33
- 34. SMS to Pager Gateway 34 callee Make phonebook
- 35. Using SMS to Pager Gateway •CallXPress : Speech-to-text summary •SPOK : Former USA Mobility •CallerID Yellow page •Callee Capcode 35
- 36. Using Email to Pager Gateway (1) •WhosCalling : Email for missed calls •WebCTRL®: BAS from Automated Logic Subject: WebCTRL CHW System Alarm (CRMF Chiller BACnet) – [DATETIME]: CRMF Chiller BACnet - Chiller 18 Bacnet communication is offline. (CH18_COMM) •METASYS®: BAS from Johnson Controls MSHAADX25-001:FWNAE-02/FC-2.AHU-12.SF-S Item Category FWCH-HVAC » FQR fully qualified references 36
- 37. Using Email to Pager Gateway (2) •Easy to identify the location of events 37
- 38. IT Industry (1) 38 WhatsUp Gold / ARSystem / Nagios / NETBIOS
- 39. IT Industry (2) - Passcodes •System may be deployed in sensitive sectors 39
- 40. Security Industry • CVE-2016-0068 Microsoft® Internet Explorer® Elevation of Privilege Vulnerability • CVE-2016-0936 Adobe® Acrobat® Memory Corruption Vulnerability • CVE-2016-0938 Adobe Reader® and Acrobat Memory Corruption Vulnerability • CVE-2014-1791 Microsoft Internet Explorer Memory Corruption Vulnerability • CVE-2016-0007 Microsoft Windows Mount Point Privilege Escalation Vulnerability • CVE-2014-6366 Internet Explorer Memory Corruption Vulnerability • CVE-2014-0526 Adobe PDF Reader Encoding DCT Vulnerability • CVE-2015-1666 Internet Explorer CMetaElement code execution • CVE-2016-0966 Adobe Flash® Player Memory Corruption Vulnerability • CVE-2016-0091 Windows OLE Memory Remote Code Execution Vulnerability • CVE-2016-0098 Apache Server Multiple Vulnerabilities • Apache mod_cgi Bash Environment Variable Code Injection • Mozilla Firefox nsFrameManager Remote Code Execution Vulnerability 40
- 41. Power Plants From [NAME AND COMPANY REDACTED].com Sub:[PLACE REDACTED] Critical Path Update Msg:During U2 Turbine Roll, a steam leak was identified on the *-****-*** valve (SV1 Vent Isolation Valve). Steam leak cannot be isolated ... From: [EMAIL REDACTED]- Due to storm, we lost the steam plant momentarily, there are downed trees and lines are down. Generators are running for bldgs. that lost power. I [PHONE NUMBER REDACTED] Local IA [COMPANY NAME REDACTED] ENVIRONMENTAL [LOCATION REDACTED]/IA [DATETIME] AC POWER FAIL DUE TO SYSTEMS UPGRADE. SITE ON BATTERIES. PLANT VOLTAGE 48.18V 41
- 42. Chemical Companies (1) VA0095 - ***** A61 (8D05F,1) 6SDA0 00410668 00410670 0045D39A 0044D50C [.S/W] SN:546793 ST:ER LC:1 03/10/16 14:17:07 [15] VA0095 - ***** A61 (8D05F,1) 8SDXX stack dump ends [.S/W] SN:546917 ST:ER LC:1 03/10/16 14:17:07 [79] MAKE UP AIR UNIT 1 HI ALARM *****/MUA1/DATEMP Crit1 10.07 Deg C RTC CLEANROOM ALARM *****/CLEAN-RM/FL-LWLVL Crit1 42
- 43. Chemical Companies (2) F***_***FAB1-02, Measuring Bath Level Sensor Trouble F***_***FAB1-02, Mixing Tank B Mixing Fail FAB1_***HOD-01, Drum A Empty FAB1_***HOD-01, Unit Door Open (Drum Zone FAB1_***BAD-01, Day Tank Level Low Alarm FAB1_***BAD-01, Distribution Outlet Pressure High - PT-30 FAB1_F1-********-***-***, Unit End Point Pressure High ***-Monitoring-***relay: [DATETIME] (RTN) FAB2 Acid Scrubber 1E PH has exceeded Low Warning Alarm. [ AT_******_AVG (5.128) < 7.25 for 60 sec ] <TopView is licensed to [COMPANY] - System 1> 43 TopView® is an alarm management and alarm notification system developed by Exele Information Systems.
- 44. From: WebCTRL@***.com Subject: **** AHU-1 (High Bay) - High Space Particle Count (Level 2): Alarm – [DATETIME]: The space Particle Count is too high: West: 72 cnts/SCF / East: 15253 cnts/SCF (!PC_HI2) From: tridium@***.com Subject: Alarm From **_Boiler_2_Supply_Temp - State: Normal From:MetasysNotification@***.org Subj:Bacnet Alarm [DATETIME] SEWAGE-HIGH- WATER-A Fault 70.Value Normal .Item Description Sewage Ejection Pump High Alarm HVAC 44
- 45. Public Sector and Partners 45
- 46. Personal Messages • In public sectors and partners. • Contract number, name, phone 46
- 47. CallerID System •Make a yellow page •Recon » Impersonate the most frequent sender?! 47
- 48. Voicemail Summary •Like CallXPress, might be another system 48
- 49. Recon • Alice (505*******), mostly called by Rose (505*******) • Aaron (505*******), mostly called by unknown (505*******) • Bruce (--), mostly called Nancy (505*******) • Charles (--), whose mother is Elizabeth (505*******) • Charles (--), whose wife is Jenny (505*******) • David (--), whose wife is Carol (505*******) • Fred (--), whose wife or girlfriend is Kate (505*******) 49
- 50. Parcels 50
- 52. Spoofing 52
- 55. Attacks • Healthcare – Sending pages to the pharmacy for medication – Moving patients within facilities – Declaring an emergency inside facilities – Intercepting calls from the officiating doctors • Public Sector – Social engineering – Impersonate a contractor – Recon for sensitive places 55
- 56. Conclusions • Stop using pagers OR encrypt everything • Don’t leak personal information if pagers are absolutely required • Small leaks make database big harms 56
- 57. Questions? • http://www.trendmicro.com/vinfo/us/security/news/ cyber-attacks/leaking-beeps-pagers-leaking-confidential- information Search: Leaking Beeps or Download the slides at https://goo.gl/SxrU2t 57 @sjhilt @miaoski
- 58. Backup Slides 58
- 60. SCIF Physical Security Standards for SCIFs, part of Director of National Intelligence’s (DNI) intelligence community policy memorandum https://fas.org/irp/dni/icpm/2005-700-1-att1.pdf 60
Editor's Notes
- #3: i.e. someone shits
- #4: GREAT AGAIN! Gateways More data, less protocol US / Canada, also worldwide
- #5: License or not. Bastian Bloessl Sniff clear text data Consult a lawyer.
- #6: devices without recording or transmission capabilities
- #7: Widipedia: still being used in Germany Spam in English
- #8: Systemic impact in ... Public sector = government
- #10: Not until Early ’90s, pagers are hot Schneider talked about Iridium
- #11: Numeric expressions G’ old time!
- #12: Frame Synchronization Code Frequency-shift keying
- #13: So we use GNU Radio and multimon-ng (thanks to authors + contributors) Don’t want to build from scratch
- #14: Taiwan 165-166 and 280 MHz. Stopped in 2011/E. Belt, PH, not used in hospital anymore.
- #15: Also, cooler setup SDR
- #16: Fancy setup HackRF One + Ettus Log periodic LP410 (400MHz to 1GHz) Ettus B210 BladeRF antenna
- #18: Clayton Smith Waterfall, click, see what’s in channel Based on the freqs, modify Python script.
- #19: Duplicated, reflexing, group call
- #21: Integrated into workflow
- #22: Make appointment Clean bed, wheelchair, medication ED – reduce wait capcode
- #23: ED – reduce wait capcode
- #24: CPC = Chest Pain Center // angina=CP Clinical Workflow Solutions provided by Hill-Rom®, including Nurse Call, Bed Connectivity, SmartConnect Integrations, Wireless Handsets, etc. Curaspan is a company of workflow automation
- #25: EpicSys is written by epic.com, coordinating healthcare organizations and stores patients’ electronic records. We saw email-pager gateway, bed status and medical orders.
- #26: Market share? (kidding) Unable to identify vendor = email relay
- #27: HIPPA violation a lot Health Insurance Portability and Accountability Act of 1996
- #28: Wrote program to calculate List of medical terms Data are biased. Msg sent multiple times Phleb = vein Sepsis 敗血 Hemorrhage 腦溢血 Anemia 貧血 Cellulitis 蜂窩性組織炎
- #29: Tryptophan Hydroxylase MRN + room + name + age + gender + phone? + DX + medicin
- #30: Tylenol = Paracetamol 這邊都肺,上面EKG COPD 慢性肺阻塞 Ipratropium = bronchus
- #31: From UK Donation After Cardiac Death Hidden to prevent trading / ethic issues
- #32: Saw on local newspaper
- #33: No bowel movement = not code brown Systemic. Phonebook. Cross-check with online yellow page.
- #35: If, only if, phone number 1 .. 6 are the same, we know there is tight connection.
- #36: Software that uses SMS to Pager GW Who calls whom in what capcode
- #37: Software that uses Email to Pager GW Compile a yellow page! Not limited to listed vendors AHU = air handling unit
- #39: SNMP, Router, private IP, NETBIOS Passive intel Router vuln?
- #40: 2FA
- #41: McAfee IntruShield NG-IPS Detected CVE, sent to sys-admin via pager Common CVE
- #42: Nuclear plants, substations Journalist! Cross-check if incidents reported
- #43: Not sure what it means Firmware dump
- #44: Not sure why chemical companies like Pagers
- #45: Heating Ventilation Air Conditioning Can collect data, alarm, critical thresholds French message
- #47: Email-to-Pager GW Impersonate a contractor Check Linked-In SCIF Sensitive Compartmented Information Facilities
- #48: As in healthcare and WhosCalling Redacted, not original msg
- #49: Voice mail, transcribed
- #50: Faked names, of course
- #51: Missouri
- #53: Bought from eBay Room far from anyone, minimum power, not to interfere Like Faraday cage
- #56: Kevin Mitnick
- #57: We seen good examples
- #58: Limited edition
- #60: TEST-ALERT