In a world increasingly reliant on secure digital communications, it’s surprising to learn that many countries, including those in critical sectors such as healthcare and industrial control systems (SCADA), still use outdated pager networks like POCSAG for emergency communication. These networks, while reliable and inherently passive receivers by design, are shockingly vulnerable to spoofing and message injection attacks via radio frequencies, making them prime targets for malicious actors.
Recent incidents, such as the 2024 pager explosions in Lebanon, have brought attention to the security flaws inherent in pager systems. These attacks, which exploited unsecured pager transmissions to rigged devices, demonstrated how simple it is to manipulate POCSAG networks. With readily available equipment, such as the HackRF and PortaPack with Mayhem firmware, anyone can intercept and inject messages into these systems. The PortaPack is a $200 software defined radio plus screen/keypad which allows you to go portable with the HackRF and a battery pack. This post will explore the vulnerabilities in POCSAG networks, explain how message spoofing can be achieved using RIC/capcodes, and provide a hands-on look at how the Mayhem firmware makes it alarmingly accessible to execute these attacks.
Understanding Pager Networks: The Basics
A pager network operates by broadcasting messages over a radio frequency to devices that are always listening. Each pager has a unique identifier, known as a capcode or RIC (Radio Identification Code), that tells it which messages to receive. However, these networks lack any form of authentication or encryption, meaning that the messages sent to pagers are transmitted openly. This creates a significant security risk, as anyone with a basic radio transmitter can inject messages into the network by simply knowing the frequency and capcode.
While this lack of authentication can be useful for setting up personal pager networks like DAPNET (a decentralized amateur paging network), it poses a real-world threat. For instance, attackers could manipulate critical systems such as hospital paging networks or industrial control systems, potentially causing severe disruptions. This vulnerability makes it imperative to reconsider the security implications of using these networks in sensitive environments.
Spoofing POCSAG
In pager networks, capcodes (also known as RICs or Radio Identification Codes) serve as unique identifiers that allow messages to be directed to specific pagers or groups of pagers. Each pager is programmed to respond to one or more capcodes, determining which messages it should receive and how it should react. This system allows for both individual and broadcast messaging, where a single message can be sent to multiple devices sharing the same capcode.
Messages in these networks can take different forms. Alert messages trigger simple signals like vibrations or sound notifications, often used in emergency situations. Numeric messages typically consist of numbers, such as phone numbers or short codes, while alphanumeric messages are more complex, allowing both text and numbers. This flexibility makes pager networks useful for sending anything from critical emergency alerts to more detailed instructions or notifications.
An example of a current device using POCSAG in SCADA systems is the TReX-460 Messaging Radio Transceiver. It transmits and receives POCSAG paging messages, sends DMR text messages, and can send emails periodically or based on input changes. Additionally, it functions as an IoT gateway, enabling control and monitoring from devices that support MQTT, Modbus, and DNP3 protocols, providing a versatile solution for communication and system management in SCADA environments.
HackRF Mayhem POCSAG transmitter
Spoofing messages on a POCSAG pager network with the HackRF and PortaPack running Mayhem firmware is straightforward. After capturing the frequency and capcode using the built-in POCSAG receiver, you can select the POCSAG transmit option, input the capcode, and inject either an alert message (vibration or sound), a numeric message, or an alphanumeric message. Since these networks lack encryption or authentication, the system treats any properly formatted transmission as legitimate.
For those without access to an actual pager for testing, the Flipper Zero can serve as a POCSAG receiver, allowing you to capture and decode messages from live pager networks. However, it's important to note that while the Flipper Zero is an excellent tool for receiving POCSAG transmissions, it cannot be used to transmit or spoof POCSAG messages. This limitation makes the HackRF and PortaPack the go-to devices for full message injection testing.
The ease with which you can spoof messages on these networks underscores the critical vulnerabilities in their design, making it clear that anyone with basic hardware can exploit these outdated systems.
Here’s how you can configure a POCSAG message for transmission using the settings shown in the image:
- Bitrate: This is the speed at which the message will be transmitted. The most common bitrate for POCSAG transmissions is 1200 bps, although 512 or 2400 bps can also be used in some networks. For most applications, 1200 bps offers a good balance of speed and compatibility with various devices.
- Type: This determines the format of the message. You can choose between alert, numeric (numbers only, think data values, short codes or phone numbers) or alphanumeric (a mix of letters and numbers). Alphanumeric messages are ideal when you need to transmit both text and numbers for more detailed information.
- Function: This represents the function code for the pager. Function codes can trigger different responses, such as sound, vibration, or a specific display mode on the pager. A function code of "0" is typically the default for displaying standard alerts.
- Phase: In POCSAG transmissions, there are two possible phase settings: N and P. This setting determines how the signal is modulated. Most pagers will work with either, but it's essential to match the network's configuration for correct message delivery.
- Message: This field contains the actual message to be transmitted. In this case, "PORTAPACK" is shown, but you can input any text message appropriate for the target pager.
To transmit the message, you'll also need the capcode of the pager, which is its unique identifier. The capcode can usually be found on the back of the pager. If you don't have access to the pager, you can capture the capcode by receiving and decoding the transmissions from the pager network itself. This can be done using the PortaPack in receive mode or with any SDR (Software Defined Radio) device, making it possible to eavesdrop on and capture active capcodes from the network before injecting your own messages.
Conclusion
we have learned how remarkably easy it is to spoof a message on a POCSAG pager network using readily available tools like the HackRF with a PortaPack and the Mayhem firmware.
In the case of the pager explosions in Lebanon, it's plausible that Israel employed a similar spoofing technique, but on a much larger and more sophisticated scale using high-powered transmitters. By doing so, they could have ensured that Hezbollah's rigged pagers remained under remote control, even after attempts were made to disable the network side following the initial explosions. This would have allowed continuous transmission of spoofed or malicious messages to numerous devices simultaneously.
Given the continuing reliance on pager networks in critical sectors such as healthcare and industrial control systems, the ease of executing these attacks is alarming. It emphasizes the need for stronger security measures or moving away from outdated technologies that are still widely used but are no longer suitable for modern security needs.