In my part of the US, I can overhear loads of PII by just tuning my VHF transceiver to various public safety frequencies. I hear drivers license numbers, medical info, all sorts. I hesitate to think that there’s a better alternative though. I’m terrified that the UK is moving to LTE rather than the current trunked radio. The amount of damage caused by comms failing in a major emergency (or even just dead zones) massively outweighs the risk of a little data loss at present. If there are more reliable communication methods that preserve privacy, then we should be using them, but I’m not sure they exist at the moment.
edit: to be fair, it should be possible to encrypt some of the traffic, but things should fail open, not closed, or people will die.
Meanwhile the rest of the world has moved on to digital, encrypted communication.
Mobile phones continue to work during a disaster as long as the base station batteries hold out and that’s with cheap base stations serving very large amounts of idiot users using the cheapest of the cheap handsets limited by regulations. Why wouldn’t you be able to make this work indefinitely with a limited amount of trained users using selected, powerful expensive handsets.
In other words, a bunch of poor excuses made by coincidentally those same people who love to profess that privacy doesn’t matter as long as it’s someone else’s privacy.
Agreed about privacy, but the "Mobile phones continue to work during a disaster" is a very optimistic view.
It was not a disaster, far from it. In Belgium, a few years ago, a fire under a bridge broke a bunch of fibers from the main telco operator.
Result on a region of about 200,000 inhabitants:
- no radio (on my usual station), first thing I noted that morning.
- no internet
- no TV (comes via internet)
- no cell phone coverage
- no land-line either
- emergency calls impossible (by cell-phone or land-line)
This started early in the morning and was only solved in the afternoon for most people.
We are over-reliant on some technology with many single point of failure we do not even know about.
That sounds insane. Any network other than very basic ones should have physical redundancy, i.e. not being in the same duct or even travelling close to each other. Hell, our local MAN network here does it! That's in a city with 130k inhabitants, they actually made the network backbone out of redundant rings.
I would hope most telco networks would be somewhat resilient.
A former employer of mine tried to have redundant connections. They had two fibers from two different providers, going separate paths from their Dallas office, etc. However, the 2nd provider utilized a 3rd provider as a regional carrier. And for about 100 miles between Dallas and Chicago, the fibers were run in conduits that were side by side. We discovered that when a single backhoe took down phones, data, etc, to all our southeast Region offices. (It also affected many others.) Found out the hard way that the 2nd provider's redundant uplink also went through the same connection. Good luck tracing your fibers all the way from end to end. Most of this stuff is all contracted to 3rd parties, and most don't want to give you detailed maps.
I heard in this case, both Proximus and Telenet, the main operators in Belgium, run their fibers in the same conduit. So every company thought they were redundant by buying both, but weren't.
I also heard the railways are the main fiber provider: they have long stretches of rail between all major cities, so they are ideal for fiber. But very bad for redundancy.
Normal AM/FM radio still needs a way to send the audio data to the transmitter. Either the studio was in the region and their internet uplink was affected, or the local transmitter was using the internet to receive the audio feed.
This is in reference to a specific incident last year where fire fighters operations were impacted because their service plan inadvertently was setup with a monthly limit.
Point stands. "Emergencies are a terrible time for an upsell" is not something I thought would be controversial, but building systems in which one has to have permission to communicate in an emergency is a recipe for people dying.
>Meanwhile the rest of the world has moved on to digital, encrypted communication.
It's happening slowly in the US. The biggest reason it's slow is "defense/law enforcement" suppliers and their markups for the industry, which add cost and cause departments to delay as long as they can until someone ponies up the money. Not to mention there is new IT overhead in managing the configuration on said radios, and while bigger agencies have the internal team to do it, smaller agencies don't have that benefit.
Unlike say France where there is one singular police force that can share resources, in the US there's hundreds of them in just one state.
Don't get me started about ambulances. Because this is #amerika, there are thousands of private ambulance services. Getting them on board with encrypted comms isn't really going to work given they begrudgingly pay most EMTs minimum wage.
>Mobile phones continue to work during a disaster as long as the base station batteries hold out and that’s with cheap base stations serving very large amounts of idiot users
Maybe? There are numerous accounts of inoperable service when incidents like 9/11 or the Boston bombing occurred. So in cases where the system is flooded, it might be a crap shoot.
The only way this would work is with dedicated frequency and possibly infrastructure, similar to FirstNet.
Mobile phones are not reliable for natural disaster situations because of channel loading characteristics on the control channel; LTE may survive better.
> Mobile phones continue to work during a disaster as long as the base station batteries hold out and that’s with cheap base stations serving very large amounts of idiot users using the cheapest of the cheap handsets limited by regulations.
Why "idiot"? Are they idiots for using cheap handsets? I really can't tell why you added that word.
Trunked radio systems, as used by police, firefighters and EMS worldwide are not peer-to-peer. You transmit to the trunk, it relays to people in your selected group. All radios rely on a control signal from the trunk for determining where to send and when to listen.
All our 'digital' signals are ultimately transmitted over some analog channel. "Digital" is an abstraction. There's no reason you can't encrypt a radio transmission without relying on intermediaries to relay it as in a mesh network.
My municipality is using encrypted trunked P25 for police comms now. Seems better than LTE for reliability at least. Just a simple digital voice codec and optional encryption system on top of the traditional trunked radio systems. Compression means you can wedge many more streams out of it too.
I have mixed feelings about the encryption though, especially with police data, generally I feel much of that data should be public with a more limited amount which should not. It's good to make public "there's a drunk driver on this street, right now", you just might not need to share their plate with the public.
That isn't PII in the sense that it's protected at that point.
It's not PII when a police officer says your name and address. It's only protected health information when someone who is governed by medical privacy laws does it, like a nurse.
Oh, if you're not talking about medical data, then yes, personal identifying information is everywhere in America society. Counties have public lists of property owners, states have public lists of business owners, almost all court proceedings have online dockets and public access, etc etc. Just take a walk to city hall or where the local area keeps records and you'll find PII on basically everyone who lives there.
I saw Balint Seeber give a fascinating talk about discovering the use of unencrypted pagers in hospitals, with messages full of personal information available to anyone with an SDR (and his particular brand of persistence to work out how to discover the modulation/encoding to get the text out).
It's mentioned in passing in this talk description from 2011:
I feel weird saying I've "discovered" or "found" something that's merely new to me. I left "uncovered" untried, because I don't consider myself that clever.
I only worded it like that because of the way he described his long and often unfruitful efforts over several years before he finally hit upon the right keywords and documentation to describe what he was seeing over the air...
That's a confusion born of not spending enough time hanging out with sneaky folks doing shady shit.
I remember that in the 90s, the local PD had learned that some folks would listen to scanner traffic to figure out when their rowdy parties were going to be broken up, so everyone could hide and make the scene look calm by the time officers arrived. So they stopped using voice radios for this sort of call, and instead switched to their Mobile Data Terminals.
Which was even better, because MDTMON had an alert feature where it'd sound the PC speaker when your keywords (say, your street name) showed up in the decoded traffic. That freed up one partygoer from scanner duty!
POCSAG/FLEX were even more of a treasure trove, but that's a story for another day.
I'm a hospitalist (internal medicine employed by a hospital). I'm fairly certain that what they are intercepting are pages from the ER to admitting or consulting physicians.
In the US, this would be a HIPAA violation but I'm not sure of the Canadian law. We still use pages at my hospital, but no PHI, only room numbers in the ER for admissions are paged and then you log into the EMR. We use HIPAA compliant texting apps to communicate PHI.
HIPAA is such an awesome law. I have to work with it daily as an engineer, and I'm continually amazed that the US government requires so much security. Normally the US is extremely hands off when it comes to privacy and security. Congress almost never passes laws that have such far reaching scope. And HIPAA actually has teeth, with significant penalties for companies who don't comply (and of course people can sue as well over the violation).
I think aspects of it could definitely be improved. I see HIPAA violations at doctor's offices all the time - but they are usually still fairly minor, and doctors and nurses grow concerned quickly as soon as you mention a possible violation.
Yes, I am fond of HIPAA too. One project I worked on was physical infrastructure for a healthcare company.
One cool thing I remember is that the phone lines within the building had to be in armored cable, so they couldn’t be tapped without leaving a huge mess.
You can read the technical safeguards. They are pretty reasonable and not nearly that intense. There is definitely a cottage industry of security/compliance consultants giving maximalist interpretations to bill more hours, but there are also shops doing pretty average modern IT best practices (individual user accounts, TLS, screensaver passwords, etc) that do fine.
The biggest exemption was for us working on the systems.
The idea that whispering in the waiting room was an important attack vector while whitelisting us IT people is hilarious. (For lack of a better adjective.)
For a middle ground example:
My SO did clinical trials at the local research hospital. She went to ANOTHER hospital for some surgery, because she knows her coworkers look up people's records, and she didn't want them knowing about her troubles.
Like the systems I created, of course there were access logs. But like our systems, no one ever reviewed or audited them.
I worked on some exchanges in the mid-2000s. 5 exchanges, 80 orgs, 100s of data feeds, including govts.
We had to do HIPAA "training" every year. It was just corporate CYA.
Those of us working on the systems resigned ourselves to the fact that disclosures were inevitable. Even if we could technically secure stuff (encrypt all data at rest, PKI for all access, RBAC, audits, etc), we'd never be able to get all our partners up to speed.
How are you fond of this law? It's so obviously a pointless waste of money. As a fellow engineer who has worked with it I can't wait for its repeal - and I see that coming.
I'll bite. What would be the options for keeping our PHI from being freely shared everywhere? You have to know that Facebook would love a piece of that.
First of all, I don't think HIPAA actually prevents PHI from being shared. If Facebook were to become a business partner of a hospital, and maintain HIPAA compliance themselves, hospitals can share data with Facebook.
To tackle the problem HIPAA tries to solve, that is making sure that data sharing is secure and only with the intended parties, I want to see stronger enforcement of liability. Granted, the US doesn't have a great track record on that, seeing Equifax get away with what they're doing. But I think that's the system that needs to be improved.
Instead of government dictating what "secure" means, different approaches can be experimented with on the market with strong enforcement of liability providing the necessary incentives.
Then Facebook would become a Business Associate and would have to protect information in a variety of very strict ways and could face a fine of up to $10,000 per patient record, per violation. If they had 25 million health records and decided to target advertising to those people on two separate occasions, then they are liable for a fine of up to $500 billion. So sure, let Facebook get into health, it wouldn’t take long for them to run afoul of the law given their move-fast-break-things attitude.
Is targeting advertising based on health data a violation if the advertiser is a business associate and is not directly exposing the data to any non-covered entities?
I work for a healthcare software company (and previously worked for a healthcare system). In my experience, these regulations tend to be high-level: they're less interested in exactly how you meet the regulations, as long as you're meeting them. They focus much more on business processes than low-level technical details. I've found that, for the most part, common-sense industry-standard practices go at least 90% of the way toward meeting the regulations.
What about communications between the ambulance and the receiving ER? Those are unencrypted digital voice here in San Diego. I've heard names, DOBs, medical histories etc being blasted out over their repeater.
HIPAA allows us (I'm a medic) to broadcast patient information for treatment-related purposes. It's useful for us and hospitals because they can pre-register time-sensitive patients and pull up history/previous tests that can be extremely important for STEMIs/strokes/etc.
They're a lot more resilient than the cell phone network, especially if there's a mass disaster.
They tend to work better in basements or deep in buildings.
They don't get annoying amber alerts (important in Canada where they're all sent as Presidential/ICBM), constant "IRS" or "Dell" call spam from your area+exchange code (ie: lookalike numbers that seem internal to your hospital) or SMS spam.
These are excellent features if you're on-call, but must respond to anything.
Happens in Australia too, probably the easiest signals to find (i.e. strongest) using my $10 RTL-SDR besides broadcast FM. Plenty of names, emails, addresses, phone numbers, medical conditions, security alarms being triggered etc. Other interesting finds are SCADA messages, some from Pizza Hut etc. Regulations here allow reception as long as you don't take any action based on what you receive so that's nice.
Key management between emergency services remains a hard problem. Paramedics often don't have hands free to type information into a terminal, so they use radio, which means keying their handsets, and then classifying the keys for different security levels. E.g. if you need to talk to SWAT and other teams, you are going to need a separate channel and key. Police have an interesting case with that as well, where techs that use or distract their hands during stops are a safety issue.
Military communications for a given mission are mainly all in the same security domain so key management is relatively easy. Co-ordinating key management for daily use between police forces, ambulance services, hospitals, fire stations, and other responders is non-trivial.
I do suspect the best possible privacy solution would be a regulation that made personal and health information acquired without explicit consent inadmissible in a civil court case, regulatory tribunal, or other government process, and heavy fines for using it for insurance and credit and licensing other decisions by regulated/protected businesses. Not so much GDPR regs, but just removing legal leverage from the data.
We still need technical security and privacy controls, but creating legal liability for the people who hold and exploit it is the real solution. Agencies can't hide behind, "machine learning," and "random checks," for targeting people. There will be some hard cases, but if you use PII/PHI without explicit informed consent and collection, use and disclosure for specific purposes, you should be handicapped legally, imo.
I upvoted you, but want you to consider how there can be dramatically worse bad actors than the government or legitimate companies (the insurance/credit/licensing stuff you mention): people end up in the hospital sometimes because someone else wants to hurt them. Simple example: spousal/partner abuse. More extreme but easily plausible in Vancouver: gang violence.
If I failed at a hit, and I can watch the POCSAG traffic and see that the guy I tried to take out is in a coma (and not dead), and is in room 404 at Vancouver General Hospital, that's very valuable information.
I've found with most hospitals that finding out a patient's location is as simple as asking.
Maybe some people get identified as "VIPs" and it's not so easy. Dunno if every random gun-shot victim makes that, but if your "hit" was more an "accidental" car wreck, you can probably ask and find out where they are.
You can do better than that. Put on some blue scrubs and carry something complicated looking. Look hurried. You’ll be admitted into almost any healthcare facility.
You're both right, and healthcare definitely has a lot of fun threat modelling exercises you can do. I suppose the big thing that the pager monitoring stuff gives you is a live stream of some significant fraction of all the patients coming through, not just a specific target.
I had read, and maybe I'm misguided, that the law in the US was that you could listen to this stuff as an experiment with your amateur radio license and mess around with all the decoding you wanted... It was just illegal to disclose to anyone anything you heard or read. Actually I don't think the amateur license may have had much to do with it at all, but anyway... I played with it for a minute and mostly saw automated messages about housekeeping needs, but I did occasionally see names, some kind of ID number but I don't think it was a SSN, and sometimes little "love you" notes and quite a lot of "please call me back". I got pretty bored with it pretty quickly that day.
The only thing I can think of that sounds even remotely close to what you're describing is when Congress made it illegal [0] to listen in on cellular phone calls a few decades ago but, notable, pager traffic was specifically excluded from the law.
Until listening to cellular calls was made illegal, it had always been legal (AFAIK) to receive any transmissions on any frequency (the reasoning was that the signal was being broadcasted into, e.g., your home).
AFAIK in Sweden it is legal to listen to the Police but not legal to disclose sensitive stuff. Of course, since a few years all communication is encrypted so it's not relevant anymore.
When I was young an inspector came to the door to see if we had a tv, as we had no licence. A parent said to the inspector that yes, we did, but it’s unused and boxed in a spare room.
They came in and inspected it and put a bag over the power cable and taped it on. Solved.
This was 1980s New Zealand.
I am not too surprised. A lot of emergency services use analog radio. Pretty much works with all radios, and no setup before hand unlike with encrypted radio. No need to negotiate things with other agencies either.
* In Canada, we have jurisdictional privacy law. In this case BC FIPPA. This is different than in the US where the few privacy laws that exist are mostly sectoral, such as health (HIPAA). https://www.oipc.bc.ca/guidance-documents/1466
* In Canada, only one party has to agree to record a telephone conversation.
* In Canada, it is not illegal to have a scanner and listen to phone calls even, hence the need to encrypt them faster up here. POCSAG decoding was done in the middle of the 90s with my local #2600 group. It's even easier now with RTL-SDR. https://twitter.com/cqwww/status/1171113297011019781
* I've been in two states of emergency in my life. Cell phone switches go down in minutes. You want to have your amateur radio licence, an amateur radio, and battery, on standby for when this happens. Practice setting up a data connection to it, as the internet goes away quickly as well. Get your ham radio licence, it's free, and you have your call sign for life. It's a nerdy thing to have except in an emergency, where you quickly turn to hero if you're the only person in your area capable of communicating with emergency services.
I wonder how much security issues relate to the data formats that are often used to exchange medical information. I believe northern American nations mostly use HL7, while European countries tend to prefer Dicom.
HL7 was around since 1987, while Dicom is older than TCP/IP I believe. I think requirements for data exchange fundamentally changed in the last 30 years and at least Dicom is just horrible to handle.
True, you could upgrade it by putting everything in a crypt container, but that is just a quick fix.
This is a case where I fully support software engineers that say that we need to fully reimplement these formats. It is good to have standards here, but many manufacturers of medical devices have their own proprietary adaptations anyway. It shouldn't mean to throw everything learned from these formats away. Just maybe it should all be reevaluated.
HL7 is just a text format. It doesn’t say anything about how the data is transmitted (which should always be encrypted these days)
Yes, there are newer standards, specifically FHIR (OAuth authenticated API). But why switch over to FHIR when HL7v2 works really well? Everybody in the medical industry supports this standard, and it’s super easy to work with once you know what you’re doing. It’s also arguably more interoperable than FHIR, because the sending and receiving parties don’t need to fully agree on the spec (like they must for an API). For HL7 messages, there’s a layer that sits in between called an “interface engine” that can modify messages, which opens up more capability with less development and coordination.
I don't really think any replacement standard could be fundamentally much better. Sure, you could resolve the fact that DICOM is so old that it predates widespread adoption of IEEE 754 and so does its own thing there, or minor oversights in the standard. But the fact remains that the standard is a ~5000 page monstrosity designed to cover virtually anything and there's no regulatory certifying body so nothing prevents vendors from failing to properly implement the standard (which is virtually impossible to do given that it's so damn huge and also not always entirely clear). Any standard that aims to be similar in scope and lacks enforcement will, I think, inevitably lead to a horrendously inconsistent ecosystem.
HL7 is just text, if you're not sending it over SSL then it's arguably easier to decipher than a simple webpage when looking through the packets!
The current thing is called FHIR though and instead of sending text HL7v2 messages directly to a port over SSL now we can use a web service, HTTPS, and exchange JSON messages.
Oh really? I always thought it would mainly be an image container like Dicom, which is in practice abused to exchange text just as well. Haven't had the pleasure to work with HL7, I was just tormented by Dicom and have always been told that HL7 is just the American version of it.
All of my legacy interfaces for an EHR vendor are HL7v2 based. It's pretty simple to work with but our lack of external libraries leaves me tinkering with opening ports and reading data manually too much.
The beginning of a HL7 (2.4) message with the header and patient ID node might look like this (this example looks like an ORU^R01 inbound lab result)
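As an added illustration (not the commenter's EHR interface code, and not real patient data), this parser splits a constructed HL7 v2.4 ORU^R01 message into segments, handles the MSH field-numbering quirk, and audits which PID fields carry PHI so they can be redacted before the message lands in logs or an unencrypted channel. The PHI field set and the sample message are assumptions for the example.

```python
"""Parse an HL7 v2.4 ORU^R01 message and audit/redact the PHI fields in it.

Constructed example for this thread: not vendor code, not real patient data.
"""
from typing import Dict, List, Tuple

# Constructed sample lab result. HL7 v2 segments end with a carriage return;
# MLLP framing (the start/end bytes used on the wire) is omitted here.
SAMPLE_ORU = (
    "MSH|^~\\&|LAB|GENHOSP|EHR|GENHOSP|20190815120000||ORU^R01|MSG00001|P|2.4\r"
    "PID|1||123456^^^GENHOSP^MR||DOE^JANE^A||19700101|F|||1 MAIN ST^^VANCOUVER^BC^V5K0A1\r"
    "OBR|1|||80048^BASIC METABOLIC PANEL^C4|||20190815113000\r"
    "OBX|1|NM|2951-2^SODIUM^LN||140|mmol/L|136-145|N|||F\r"
)

# Assumed PHI inventory for this example: PID-3 patient identifier list,
# PID-5 patient name, PID-7 date of birth, PID-11 patient address.
PHI_FIELDS = {"PID": {3, 5, 7, 11}}

Segment = Dict[str, object]


def parse_hl7(message: str) -> List[Segment]:
    """Split a raw HL7 v2 message into segments of the form {name, fields}."""
    if not message.startswith("MSH"):
        raise ValueError("HL7 v2 message must start with an MSH segment")
    field_sep = message[3]  # MSH-1 is the field separator itself (usually '|')
    segments: List[Segment] = []
    for raw in message.split("\r"):
        if not raw:
            continue
        parts = raw.split(field_sep)
        name = parts[0]
        # MSH quirk: the separator counts as field 1, so prepend it to keep
        # numbering aligned with the spec (MSH-9 = message type, MSH-12 = version).
        fields = ([field_sep] + parts[1:]) if name == "MSH" else parts[1:]
        segments.append({"name": name, "fields": fields})
    return segments


def field(segment: Segment, number: int) -> str:
    """Return field N (1-based, spec numbering) or '' if absent."""
    fields = segment["fields"]
    return fields[number - 1] if 0 < number <= len(fields) else ""


def components(value: str, component_sep: str = "^") -> List[str]:
    """Split a field into its components (default separator from MSH-2)."""
    return value.split(component_sep)


def message_type(segments: List[Segment]) -> Tuple[str, str]:
    """Return (MSH-9 message type, MSH-12 version id)."""
    return field(segments[0], 9), field(segments[0], 12)


def patient_name(segments: List[Segment]) -> str:
    pid = next(s for s in segments if s["name"] == "PID")
    return field(pid, 5)


def phi_fields(segments: List[Segment]) -> List[Tuple[str, int, str]]:
    """List every populated PHI field as (segment, field number, value)."""
    found = []
    for seg in segments:
        for num in sorted(PHI_FIELDS.get(seg["name"], ())):
            value = field(seg, num)
            if value:
                found.append((seg["name"], num, value))
    return found


def redact(message: str) -> str:
    """Replace PHI fields but keep the segment layout, so interface engines
    and log parsers downstream still see a structurally valid message."""
    field_sep = message[3]
    out = []
    for raw in message.split("\r"):
        if not raw:
            continue
        parts = raw.split(field_sep)
        # For non-MSH segments parts[N] is field N (parts[0] is the name).
        for num in PHI_FIELDS.get(parts[0], ()):
            if num < len(parts) and parts[num]:
                parts[num] = "[REDACTED]"
        out.append(field_sep.join(parts))
    return "\r".join(out) + "\r"
```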
pole around 929.600mhz and you'll eventually find a shitload of phi in most metro areas. you'll probably also find a ton of industrial traffic, and the occasional weather and sports scores.
it's also not far fetched to think it's used as a means to broadcast to/from field operatives. most pager lines offer an smtp gateway, so a bit of "spam" could have an intended recipient anywhere in the region, or possibly country based on network.
I was just about to buy an SDR rig to play around with, so the timing of your comment is wonderful. I have been looking off and on for a year now and there are just too many choices. I have my tech license, but then I had two kids and haven't been able to go for general yet. I've been bored not getting on HF, which is where I hear all the "action" is. So what SDR would you recommend I get if I also wanted the ability to transmit HF one day?
I don't think it's economic to buy an SDR rig with the intention of maybe transmitting on HF one day. Most HF digital modes are audio-jack based, meaning that you connect any radio, particularly a used one that you can get cheaply on eBay, to your computer via a line-in/line-out connection. You do not need any fancy SDR stuff going on; popular digital modes like FT8 put the entire band in the space of one normal voice conversation. So no special equipment whatsoever is necessary to use digital modes.
One time I had my audio misconfigured to use my microphone instead of the line-in, and I had my radio disconnected from the computer to tune the antenna. As I was listening through the radio's built-in speaker, my computer properly decoded a number of FT8 transmissions... through the microphone. You really don't need anything expensive or interesting to do SDR stuff on the HF bands.
People that buy the "real" ham SDRs are doing things like contesting, where they really need to see entire bands, or even multiple bands, at once. And they're paying over $10,000 for that.
The cheap "hacker" SDRs are largely inadequate for ham work. They are OK, but not great. They don't have proper frontends, so transmit a lot of out-of-band garbage. They don't have niceties like an antenna matching network, or even a power amplifier. I have a KX3 which has a maximum transmit power of 12W. But these hobbyist boards will max out in the mW range. It is adequate for some digital modes, but even then, it's pretty low. I typically run FT8 at 1-3W. So generally, would not recommend these for someone new to the hobby. Buy an RTL-SDR stick for $20. Listen to some stuff. When you get bored, find a proper HF radio in the $300 range and use that. If you then decide you want to spend $10,000 on the hobby, then you can start looking into the SDRs ;)
Fully-fledged SDR transceivers are available from FlexRadio and Apache Labs and are hugely flexible and capable, but you'll spend $3000+ for the privilege. Apache Labs are the more hacker-friendly option.
A much less costly (but still highly flexible) option is to combine a high-performance SDR receiver from Elad or SDRPlay with a conventional transceiver. A T/R switch like the MFJ-1708SDR will protect your SDR receiver when you key up, while CAT control allows both rigs to be operated from the same software.
In the Seattle area, there's still a ton of hospital POCSAG traffic, but no PHI as far as I can tell. It's usually stuff like "go to room 314" or "call 206-blah-blah".
Hospital staff. Patient names, hospital record numbers, medication names, dosage amounts, detailed descriptions of their issues (which can be graphic).
While the findings are solid and the denial is despicable corpspeak, I fear the data is still way safer this way than letting the same kind of contractors build a "secure" app and then finding all that data neatly ordered in an open S3 bucket or MongoDB a year later.
Nobody's gonna put up an antenna over years collecting all this noisy stuff.
On top, my condolences for the hospital IT staff having to exchange thousands of real pagers with real doctors, and train them again over the course of several months, all for a pretty synthetic finding that took them a couple of hours.
Builders vs. breakers all again... Well, you got your attention, guys.
Going over the timeline, I find these things very odd:
> 2018-11-12: Sarah Jamie Lewis reaches out to Vancouver Coastal Health Privacy Office (VCH-P) with information about the breach.
> 2019-03-04: Sarah Jamie Lewis meets with two journalists and demonstrates the pager breach. This meeting was not recorded and this meeting is never followed up on.
> 2019-07-23: During an interview with journalist Francesca Fionda, on Open Privacy’s research into Swiss election systems, Sarah Jamie Lewis discusses the pager breach.
[...]
> 2019-08-15: Sarah Jamie Lewis reaches out to the Office of the Information and Privacy Commissioner for B.C. (OIPC), offering to help aid any investigation they wish to undertake in regards to this data breach.
They waited nine months before contacting the provincial Privacy Commissioner? They contacted journalists before the OIPC?
There is no official way for 3rd parties to make breach reports to OIPC-BC (nor is there a legal requirement for VCH to report to them) - it was only after Francesca raised the issue during a meeting with the commissioner (regarding breaches in general) that we were informed they would be interested in this, and were given an avenue to contact them in a way that an investigation might be authorized.
> I've been asked why there are some big gaps in the timeline early this year, and that was mostly because I was working on the research around the cryptographic flaws in the Swiss evoting system. We get a lot done at @OpenPriv
but we are limited!