Pagers, an old and insecure technology, are still used at a large scale for critical services. While they have a wider range and can go through reinforced walls, pagers leak data to anyone who’s listening.
The UK’s National Health Service is using about 130,000 pagers to broadcast information in hospitals and to ambulances. The messages go out as radio waves over the network and are not encrypted, merely encoded. Anyone with the right radio equipment can tap into the radio waves and have them instantly decoded on a screen with the help of dedicated software.
This exposes patients' medical information, together with sensitive details such as home addresses, names, or illnesses. TechCrunch notes that it's an open secret among NHS officials that the messages sent by pager can be – and are – intercepted by radio hobbyists, decoded and occasionally exposed.
Most recently, it happened somewhat by mistake and was spotted by security researcher and bug bounty hunter Daley Borda. A radio hobbyist with an amateur radio rig was picking up radio waves and decoding them on his computer. He had also set up an unsecured webcam facing the computer, which was broadcasting the messages online in real time, without his knowledge.
Access to the webcam was possible without authentication, and anyone scanning the internet for exposed cameras could find it. Borda came across the broadcast and informed the hobbyist's internet provider, who told the hobbyist about the leak onto the public internet.
“Last night we contacted the customer to make them aware that there was a live webcam broadcasting on the open web from their household,” a spokesperson from the internet provider told the media outlet. “The customer was unaware of the nature of the information being shown so has said that they will stop the feed on that particular camera. With some cheap, relatively basic, software it is possible for hobbyists to access these frequencies and decode the information being sent, which appears is what has occurred here.”
The exposure of patients’ data was unintentional, but that’s not always the case. With the same basic equipment, available for about 20 bucks, anyone can pick up the radio waves, decode the messages and capitalize on the data collected. TechCrunch notes that, in the U.K., it’s legal to scan airwaves with any equipment you want, but it’s illegal to expose the data you collect.
Sarah Jamie Lewis, executive director at Open Privacy, says that this may actually prevent bug bounty hunters from going public with their findings, keeping patients in the dark about the fact that their personal information and medical history have been accessed by third parties.
By 2021, the NHS will have to eliminate pagers. Most NHS trusts are aware that the messages sent by pager are insufficiently protected but nonetheless continue using them for now.