Tagged: rtl-sdr

Exposing Hospital Pager Privacy Breaches

For years it has been an open secret that many hospitals transmit sensitive patient data over the air, completely unencrypted, via their pager networks. With an ultra cheap radio such as an RTL-SDR, or any other cheap radio scanner such as a Baofeng, it is possible to eavesdrop on this sensitive data with very little technical knowledge. Hospitals appear to be reluctant to upgrade their systems despite clearly being in violation of HIPAA privacy regulations in the USA.

Recently, @WatcherData has been trying to bring attention to this ongoing security breach in his home state of Kansas, and last month was able to get a news article about the problem published in the Kansas City Star newspaper. Over on Twitter he's also been actively documenting breaches that he's found by using an RTL-SDR to receive the pager messages.

Interestingly, publicity generated by @WatcherData's newspaper article has brought forward a hostile response from the hospital in question. Over on Reddit /r/legaladvice, a forum where anyone can ask legal advice questions, @WatcherData posted the following:

I discovered some time ago that hospitals throughout my region of the US are sending messages to physician pagers that include the name, age, sex, diagnosis, room number, and attending physician. These can be seen by anyone with a simple RTL SDR device, and a couple of free programs.

This seems like a massive HIPAA violation. So I contacted the main hospital sending out most of the information, and they were extremely grateful. I got a call within a day from a high level chairman, he explained their steps to remediate, that their auditors and penetration testers missed it, and that they would have it fixed within a week. Sure enough, they started using a patient number and no identifiable information in the pages. A couple of other hospitals have fixed their systems too, after I started contacting them via Twitter.

Early on in this process, I contacted my local newspaper. They reached out to the hospital in question, and were met with a "very hostile" response. They immediately deflected from any HIPAA violations and explained that I (the source) am in violation of the Electronic Communications Privacy Act of 1986.

This was enough to scare me off completely. I've nuked all log files from my systems and stopped collecting data. The reporters want to know how I would like to proceed. Originally, I was going to get full credit for the find in their article. But now, I at least need to be anonymous, and am thinking about asking them not to run the story at all.

Among the replies there doesn't seem to be consensus on whether simply receiving pager messages in the USA is legal or not.

In the past we've seen similar attempts to bring attention to these privacy breaches, such as an art installation in New York called Holypager, which simply continuously printed out all pager messages that were received with a HackRF for gallery patrons to read.

HolyPager Art Installation. HackRF One, Antenna and Raspberry Pi seen under the shelf.
HolyPager Art Installation. Printing pager messages continuously.

New GNU Radio Block for Decoding Meteor M2 Images

Thank you to Reiichiro Nakano for submitting news about his work on converting the Pascal based meteor_decoder software into a C++ GNU Radio block. meteor_decoder is a decoder for the Meteor M2 weather image satellite. Meteor M2 is a Russian weather satellite that transmits images down in the digital LRPT format. This provides much higher resolution images compared to the NOAA APT signals. With an RTL-SDR, appropriate satellite antenna and decoding software it is possible to receive these images.

Reiichiro works for Infostellar, which appears to be a Japanese company aiming to connect satellites to the internet via distributed and shared ground stations. It appears to be somewhat similar to the SatNOGS project. Reiichiro writes:

Just wanted to share a simple project I built for my company Infostellar, in the past week. I converted https://github.com/artlav/meteor_decoder to C++ and placed it within a GNURadio block for direct decoding of Meteor M2 images. It's a sink that expects soft QPSK demodulated signed bytes. Once the flowgraph stops running, it parses out received packets and dumps the received Meteor images in a specified location. 

The block is part of our Starcoder repository and can be installed from here (https://github.com/infostellarinc/starcoder/blob/master/gr-starcoder/lib/meteor_decoder_sink_impl.cc).

Video on Hacking 433 MHz Devices with an RTL-SDR and Raspberry Pi

Over on YouTube user Andreas Spiess has uploaded a video showing how to use an RTL-SDR to reverse engineer 433 MHz ISM band devices such as Internet of Things (IoT)/home automation sensors and actuators. 

Andreas decided to do this because he has a 433 MHz remote controlled actuated outdoor awning which he wants to have automatically retract when the wind speed gets too high. To do this he wanted to use a wireless 433 MHz ISM band weather station with a wind speed sensor. Unfortunately, he discovered that it uses a proprietary protocol that can't talk to his awning, which also has its own proprietary protocol.

Andreas' solution is to use an RTL-SDR and Raspberry Pi running the rtl_433 decoder software to receive the weather station data. The rtl_433 software already contained a decoder for his weather station, so no further reverse engineering was required. The data is then converted into MQTT which is a common TCP/IP protocol for IoT devices. MQTT is then read by Node-RED which is a flowgraph based programming environment for IoT devices.

Unlike the weather station, the awning did not already have a decoder implemented in rtl_433, so Andreas had to reverse engineer the signal from scratch using the Universal Radio Hacker software. Using the reverse engineered signal information, Andreas then uses an ESP32 processor/WiFi chip and a cheap 433 MHz transmitter to implement a clone of the awning's remote control signals. The ESP32 is programmed to understand the MQTT data sent from the Raspberry Pi via WiFi, so now the weather station can control the awning with a little bit of logic code in Node-RED.

#209 How to Hack your 433 MHz Devices with a Raspberry and a RTL-SDR Dongle (Weather Station)

New RTL-SDR Frequency Heatmap Generator Plugin for SDR#

Thanks to VE3NEA for letting us know about his new RTL-SDR compatible heatmap generator plugin for SDR#. To use the plugin you first need to generate some heatmap CSV data by using the rtl_power software. You can then open the CSV file in the plugin and it will generate a heatmap image. A frequency heatmap shows a wideband waterfall image of detected frequency activity.

RTL-SDR heatmap tools are nothing new, but the convenience of having one as an SDR# plugin is that you can click on the heatmap image to instantly tune to a frequency where activity was recorded during the initial rtl_power scan.
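The same idea can be seen outside the plugin. The following is an added example, not code from VE3NEA's plugin: it parses rtl_power CSV rows (date, time, Hz low, Hz high, Hz step, samples, then one dB value per bin) into a time-by-frequency grid and lists the bins where activity was recorded. The sample rows are constructed, and the 10 dB margin over the median is an assumed threshold.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed rtl_power rows: date, time, Hz low, Hz high, Hz step, samples, dB...
# A wide scan is written as several rows (hops) sharing one timestamp.
SAMPLE_CSV = """\
2018-06-20, 12:00:00, 433000000, 433500000, 125000.00, 16, -61.2, -60.8, -60.5, -61.0
2018-06-20, 12:00:00, 433500000, 434000000, 125000.00, 16, -60.9, -61.1, -60.7, -61.3
2018-06-20, 12:00:10, 433000000, 433500000, 125000.00, 16, -61.0, -60.6, -60.9, -60.7
2018-06-20, 12:00:10, 433500000, 434000000, 125000.00, 16, -60.8, -61.0, -60.9, -38.4
2018-06-20, 12:00:20, 433000000, 433500000, 125000.00, 16, -60.7, -61.1, -60.4, -61.0
2018-06-20, 12:00:20, 433500000, 434000000, 125000.00, 16, -61.0, -60.8, -61.1, -36.9
"""

def load_heatmap(text):
    """Return {timestamp: {freq_hz: dB}}, merging the hops of each sweep."""
    grid = defaultdict(dict)
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if len(row) < 7:
            continue  # blank or truncated line (e.g. scan interrupted)
        stamp = f"{row[0]} {row[1]}"
        low, step = float(row[2]), float(row[4])
        for i, db in enumerate(row[6:]):
            grid[stamp][round(low + i * step)] = float(db)
    return dict(grid)

def active_frequencies(grid, margin_db=10.0):
    """List (freq_hz, peak_dB, sweeps_active) for bins above median + margin."""
    floor = median(db for sweep in grid.values() for db in sweep.values())
    peak, hits = {}, defaultdict(int)
    for sweep in grid.values():
        for freq, db in sweep.items():
            peak[freq] = max(peak.get(freq, db), db)
            if db > floor + margin_db:
                hits[freq] += 1
    return sorted(((f, peak[f], n) for f, n in hits.items()),
                  key=lambda item: -item[1])

if __name__ == "__main__":
    for freq, db, n in active_frequencies(load_heatmap(SAMPLE_CSV)):
        print(f"{freq / 1e6:.3f} MHz  peak {db:.1f} dB  active in {n} sweeps")
```

Comparing this list across scheduled scans is a simple way to notice a new transmitter appearing in a monitored band.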

SDRSharp RTL-SDR Heatmap Plugin

Building A Giant $200 3D Corner Reflector Antenna for GOES, Moon Bounce and Pulsar Detection

A corner reflector antenna is basically a monopole antenna with a metallic 'corner' reflector placed behind it. The reflector helps the monopole collect signals over a wider aperture resulting in signals coming in stronger from the direction that the corner is pointing at. In past posts we've seen a homemade tinfoil corner reflector used to improve reception of the generic stock RTL-SDR monopole antenna, and a larger one was used in a radio astronomy experiment to detect a pulsar with an RTL-SDR.

Recently The Thought Emporium YouTube channel has uploaded a video showing how to build a large 2 meter 3D corner reflector out of readily available metal conduit pipes and chicken wire. While the antenna has not been tested yet, they hope to be able to use it to receive weather satellite images from GOES-16, to receive moon bounce signals, to map the Hydrogen line and to detect pulsars. 

Tracking Police and Military Aircraft at the G7 Summit with an RTL-SDR

Back in early 2016 we posted about a journalist who used an RTL-SDR to gather ADS-B data about the type of aircraft used at the World Economic Forum in Davos. The idea was to help highlight the vast wealth and power of the attendees by showing off their heavy use of private aircraft.

More recently, Laurent Bastien Corbeil has published a similar article in Motherboard (a Vice News tech magazine) explaining how he tracked police and military planes at this year's G7 summit, which was held in Canada in early June. Laurent used an RTL-SDR Blog V3 with the small dipole antenna attached to a window to gather ADS-B data from all the aircraft activity during the summit.

ADS-B is a radio system used on modern aircraft which broadcasts the aircraft's current GPS location and other data such as aircraft identifiers. It is now used extensively by air traffic controllers as it is significantly more reliable than traditional radar. With a simple RTL-SDR it is possible for anyone to track and plot ADS-B data on a map, and this is how tracking sites like flightradar24.com and flightaware.com work.

From his collected data he was able to spot several interesting aircraft such as Canadian Air Force Chinooks, C130 Hercules, RCMP Pilatus aircraft, a military Bombardier jet, and a coast guard Bell 427. He also notes that while he was able to spot Donald Trump's Marine One helicopter with his own eyes, the ADS-B data was not present, indicating that more important military aircraft do not broadcast ADS-B for security reasons.

In the article Laurent makes estimates of the costs of operating these aircraft, and makes some guesses on the type of mission flown by some of the aircraft.

G7 Aircraft Flight Costs (Data by Laurent Bastien Corbeil, Graphics by Marvin Lau)

Video Explaining the Basics of RF Bias Tees

Over on YouTube, w2aew, who has many excellent videos explaining various radio topics, has uploaded a new video that talks about the basics of bias tees and shows some applications and examples. In the video he demonstrates using a bias tee to add DC voltage to a serial signal, to measure the RF performance of a BJT transistor, and to tune a remotely tunable 'screwdriver' antenna.

On receiver radios, bias tees are commonly used to power remote LNAs (low noise amplifiers) or active antennas by putting DC power onto the coax cable. Ideally an LNA should be placed closer to the antenna as this will help reduce the loss caused by coax cable. Often the antenna is far away from the receiver on a roof or attic where there is no power supply. A bias tee solves that by allowing the coax cable to be used for DC power.

We note that our RTL-SDR Blog V3 dongle has a built in bias tee that can be activated in software. 

#284: Basics of RF Bias Tees including applications and examples

Notice: WXtoImg Website Down

Just a note that the website for the popular NOAA APT weather satellite decoding software WXtoImg is currently down, and may possibly never be revived. This software is commonly used with RTL-SDR dongles to download weather satellite images from the NOAA 15, 18 and 19 polar orbiting satellites.

It seems that the author of the software has not been maintaining the site and software for a while, although there was a brief update on the site back in 2017 when the professional version keys were released for free. But the keys reportedly no longer work. WXtoImg is closed source, so the code is not available either.

Some of the downloads are still available via archive.org, however it only seems to be the Windows and some of the Linux versions that were archived. Over on two Reddit threads [1] [2], some users are also collecting the last free versions and making them available for download again. If anyone has access to the last beta versions for ARM devices please upload them somewhere too.

Also if anyone happens to have the contact details of the author, or someone who knows the author please let us know as we'd like to ask for permission to mirror the files.