Halfway through 2019
The Beginning
I bought the cheap RTL-SDR dongle as a gateway into the radio world. After fiddling around with it for a while, I sat down on the couch and just started scrolling through all the frequencies I could see and hear before I stumbled onto some weird signals at around 147 MHz, which sounded a little bit like this:
Careful, it's loud.
After digging around a bit on the internet, I figured out what I was hearing was POCSAG transmissions – the protocol used by pagers to communicate to other pagers and systems. With me being as keen as I am, I decided I wanted to know what was being said. Elias Önal has written a tool called multimon-ng which can simply decode POCSAG messages.
Emphasis on the word ‘decode’. There is nothing to decrypt here - there is no cracking, there are no secrets to hide and no answers to find. This is almost exactly akin to decoding Morse code, and comes with all the security of Morse code – that is to say, none at all.
So I did it, using multimon-ng, some other Linux tools, my laptop and my $30 software-defined radio. To the left is a screenshot of what it looks like.
Red bars for censored identifying/fingerprintable data, green bars for censored specific locations (house number + street name + suburb), blue bars for censored phone numbers, yellow bars for censored names and purple bars for censored patient PII (personal identifying information). I left in medical problems so the reader can get a sense for the kind of sensitivity that this data has.
November, 2019
The Idea
I decided to report this vulnerability via email to the Victorian Minister for Health and Ambulance Services.
However, all I could currently do was see pager data output to a terminal screen. Could I automatically save it to a file? Could I - in real time - stream the decoded data somewhere else? Say, a different part of my network, or to a friend's computer? Or to a page on my website that automatically updates?
So, I put it all on my website.
My reasoning, at the time, was that it stood as a monument to the failure of the medical sector to protect the PII of its patients. This turned out to be exceptionally naive of me.
11th of February, 2020
The Email
A Telstra Cyber Security Team member contacted me, notifying me of a complaint lodged by AusCERT about the PII on my website from the decoded POCSAG data there. This, I found strange. Why would AusCERT go after me, rather than trying to get the issue fixed themselves? But as it turns out, it goes deeper than that. I reached out to the Telstra CyberSec member explaining how incredibly easy it was to glean this information from anywhere in the country, and stated how ripe it was for exploitation, expecting a hard, corporate, unenlightened response – or none at all.
I was completely incorrect. The member thanked me for reaching out to them with questions and gave an incredible amount of insight. Mainly, that Telstra is fully aware of the problem. And so is the Australian Federal Police (AFP). And the Australian Signals Directorate (ASD), the Australian Cyber Security Centre (ACSC), the Australian Security Intelligence Organisation (ASIO), and even AusCERT themselves.
I think I’m beginning to actually see bureaucracy in action.
4th March, 2020
The Meeting
A knock on my door, and two Detective Sergeants from the E-Crime Squad at Crime Command, Victoria are outside my door. This wasn’t out of the blue; we had been emailing back and forward for the last few weeks trying to arrange a time to meet after they came by my house while I wasn’t home. In fact, I was in San Antonio, Texas at the time, but that’s another story. They were there to serve me a letter from the ESTA (Emergency Services Telecommunications Authority). The ESTA was none too pleased about my publishing of what they called “emergency management messages”. According to them, I was committing offences under the Telecommunications (Interception and Access) Act of 1979. The problem with this is that they are defining POCSAG transmissions as telecommunication, rather than radiocommunication, which is huge.
To be perfectly honest, from what I’ve seen, I believe the ESTA is being a bit heavy-handed, as not a single neutral authority I have yet spoken to has been able to define, decisively, POCSAG transmissions as either radiocoms or telecoms. Not Telstra, not the E-Crime Detective Sergeants, not any of the professors at my university or anyone else who I've spoken to about this. If it is radiocoms – like a handheld radio – security (authentication, authorisation and accounting) is inherently not guaranteed nor expected, which is why it is not illegal to listen to, record or share conversations heard from a handheld radio. This is the reason why police radio is encrypted – it doesn’t matter if you can or can’t legislate against breaking encryption, if it’s practically impossible to break said encryption in the first place. If you want security and privacy from a radiocoms device, you must yourself employ encryption and authentication protocols.
On the other hand, security is inherently guaranteed in telecoms systems, such as landline telephones, merchant EFTPOS and ATM devices, cable or ADSL modems, that sort of thing. Mobile phones also fall into the category of telecoms, as even though they use radio signals to communicate, they are built for and around the telecoms system, plus they have their own specifically designed and honed protocols which include all sorts of security, encryption, and failsafes – some teenager can’t sit down with a $30 SDR and a laptop and listen in on a phone call.
The problem with pagers is that it isn’t clearly defined if they are using radiocoms or telecoms. My intuition is that it is radiocoms, as it is unencrypted, easily discernable, and there is no authentication, authorisation or accounting. These fundamental traits are the antithesis of a telecommunication system.
20th March, 2020
The Ghosting
On the 6th of March, I sent an email to the representative of the ESTA that sent me the letter. After a week without reply, I decided to call said representative, and it went to voicemail. So then on the 17th of March, I went to the ESTA website and sent a request, writing up who I was and that I was looking for the specific member who sent me the letter. Turns out the representative is on leave, but another ESTA representative will be in touch with me next week. I shall update after I speak to this mystery rep.
12th July, 2020
The Disappointment
It has been 144 days since my last update. By the title of this entry, you might be able to tell what has happened - that is to say, absolutely nothing. However, I'm pleased to report that by decoding more POCSAG signals, I can see where symptoms of COVID-19 are popping up around my state of Victoria. They've got this funky reporting scheme, where normal symptoms of whatever is being reported at whichever location are first, then if there are any COVID-19 symptoms, it'll say "COVID-19 Safety information as follows" and then rattle off the reported symptoms that match COVID-19. Luckily, I'm just a private citizen, and not, say, a health insurance company, a life insurance company, or otherwise interested in exploiting anyone who happens to confidentially and confidently share any information whatsoever with the medical sector.
Also, WA Department of Health data breach sees confidential patient information published online.
14th of October, 2020
The Success
Grant Lockwood contacted me today. He is the Chief Information Security Officer (CISO) for the Victorian Department of Health and Human Services (DHHS).
He apologised for the 11-month wait for a reply since my original November 2019 email, and noted that they appreciated the reminder I gave them a few months ago. It was said that my emails, and I quote, “prompted us to remind health services of their obligations with respect to protecting patient data, particularly the need to use encrypted communications.” He agreed that POCSAG is, in his opinion, 'radiocommunication' as opposed to 'telecommunication'. He also agreed that the POCSAG network being used, the Orange POCSAG Network, is wholly insecure, and as such is now being decommissioned by the end of 2020.
I’m in no way blaming him at all for the failings of the medical sector to protect patient PII. The role of CISO was only created in 2020, and my emails only made their way to his desk in September, plus, he is only one cog in the machine. He also informed me that when he spoke to people about this, there was nothing set up for anyone to responsibly disclose vulnerabilities like this to the DHHS. Also, there was that pandemic.
However, I am not sure whether the ‘ORANGE POCSAG Network’ is just the ambulance network, or a specific frequency of the ambulance network, or encompassing all that use POCSAG, e.g., fire services, ambulance, etc. Hopefully, however, data “breaches” like the one that happened in Western Australia won’t happen again in Australia, and can’t happen in Victoria.
9th of January, 2021
Speak of the Devil
Tasmania Police called in after ambulance patient details published online
16th of January, 2021
Oranges and Lemons
I don’t know exactly what the Orange POCSAG Network is.
What I do know is that there is currently an 89-year-old female at a street address I won’t disclose who is currently experiencing chest pain.
There’s a lady named Brittany (with middle and last name given) who called a veterinarian with her mobile phone (the number of which I can see) with a “question for vet nurse about issue with cat”.
There’s a petrol can on fire in Bridgewater.
A 2-year-old girl is having a seizure at a street address in Simpson.
A man at a street address in Kalorama has abdominal pain above the navel.
A man at a street address in Reefton has had a stroke.
A 21-year-old female at a street address in Glenfyne fell off a horse and sustained traumatic injuries.
I have the name of a patient and her orthopaedic surgeon at Austin Hospital in Heidelberg.
I have the phone number of a neonatal conference, plus an invitation to join.
An 8-year-old boy in Coomealla (NSW) has his foot stuck in a bicycle.
An 83-year-old woman died of cardiac arrest at a street address in Eltham.
Nothing as of yet has actually been done.