POCSAG is still here but is 2021 still Pager-Friendly?

Back in 2000, we used to collect pagers' data for fun due to the fact that we could get interesting data mostly used by police, ambulances, fire department and also other funny private messages sent to people (like Alan). Later in 2010 I read about the new regulation for data communication and privacy and how POCSAG data which is used by pagers to communicate, will be encrypted. Since pagers were popular many years ago, and some people may still have one at home, I thought encrypting POCSAG data should be an important high-priority mission.

The idea behind pagers was to send short messages in POCSAG protocol to another person who owns a pager and to inform him about different things. POCSAG?(Post Office Code Standardisation Advisory Group), also known as Super-POCSAG, Radio Paging Code No. 1 or RPC1, is an asynchronous protocol used to transmit data to?pagers. POCSAG stand for the name of the group that developed the code under the chairmanship of the British?Post Office?that used to operate most telecommunications in Britain before privatisation.?

POCSAG and FLEX Protocols

POCSAG is a one-way 2FSK paging protocol, it supports tone, numeric, and alphanumeric data transmission and cannot transmit binary data. POCSAG has three speeds, 512?bps, 1200?bps and 2400?bps. All three use?FSK?modulation. The modulation used is?FSK?with a ±4.5?kHz?shift on the center carrier. The frequency at +4.5?kHz?represents a 0 where the -4.5?kHz?represents a 1.

FLEX is a newer protocol (developed by Motorola in the 90's), it can work with up to 6400 bit/s speed and can use both FSK2 and FSK4. Both protocols are in general very easy, and about 20 years ago PC-decoders were made, that can decode messages from a serial port of sound card (there are no encryption supported, so all messages can be read by anyone).

You can find many articles and videos on how to sniff POCSAG data using different tools such as multimon-ng, MultiPSK, PDW, SDRangel, go2DECODE and more. You can also read more information about the POCSAG protocol. Since most of these tutorials deal with encrypted data, I set the goal in this research to:

• See how common POCSAG data is today
• See how hard would it be to find a relevant frequency with POCSAG signals
• Collect some POCSAG data and decode it
• See if we can find non-encrypted data or other interesting stuff.

Clarification about Radio Frequencies (RF) and Data

POCSAG data transmitted on wide range of frequencies which used by different uses (****). Some frequencies will contain encrypted messages only, while others will contain clear text or mixed messages. Basically anyone with radio equipment can listen to them, however a big part of the data should be encrypted today.

In most countries it is perfectly legal to receive pager messages, as they are plain text unencrypted, but it is illegal to share or act on the information received. In some countries it may be illegal to even set up a receiver. Please learn and respect your local laws before attempting this research.

For legal reason, I will not share with the exact frequencies which I used in this research, however, as I mentioned before POCSAG signals can be found easily on different ranges. For example:

• 25?MHz?- 54?MHz (HF-High/VHF-Low Band)
• 66?MHz?- 88?MHz (VHF?Mid Band)
• 138?MHz- 175?MHz (VHF?High Band)
• 406?MHz?- 422?MHz (UHF)
• 435?MHz?- 512?MHz (UHF High)
• 929?MHz?- 932?MHz (900 Band)

In many regions, the paging frequencies are shared with other radio services, including land mobile two-way radio.?

Hardware

• HackRF One (PortaPack is optional)*
• SMA Antenna
• Laptop (Microsoft Windows OS)

* You can use other SDR equipment which is suitable with the frequency you want to collect the data from.

Phases

VB-CABLE (VBAudio)

1. Install VBAudio cable as Administrator.
2. Click on the sound icon on the taskbar to open the audio mixer and click on the CABLE Input icon.
3. On the "Advanced" tab, set the "Default Format" to: "16 Bit, 48000 Hz (DVD Quality)".

AirSpy (SDR#)

1. Download and install AirSpy.
2. Open AirSpy and set the "Source" to "HackRF".
3. Under "Radio" section, set the "Radio" to "NFM", set the "Bandwidth" to 25,000 and the "Order" to 300.
4. Disable "Squelch".
5. Under "Audio" section, set the "Output" to the "[Windows DirectSound] sound card" interface.
6. Set the frequency and hit the "Play" button
7. Listen to the signal and try to find the right frequency to listen to. Normally, a POCSAG 1200 signal will be sounds like this sample
8. Once you can hear POCSAG signals you may want proceed to the next phase.

PDW

1. Download and install PDW
2. Open PDW, under "Options" -> "Options…" menu, enable "POCSAG Decoding" for all types (512, 1200, 2400)
3. Under "Interface" -> "Setup…" menu, enable "Soundcard", set "Configuration" to "Speaker Out 1" and set "Soundcard" to "#. CABLE Output (VB-Audio Virtual Interface)"

Collect Data

1. On AirSpy, press the "Stop" button.
2. Under "Audio" section, set the "Output" to the "[Windows DirectSound] CABLE Input (VB-Audio Virtual Interface)" interface
3. Hit the start button again
4. Wait for the decoded messages in PDW

Now, AirSpy collects and decodes the data as NFM and maps the sound to the VB-Cable interface. Then, PDW will use the VB-Cable interface as an input interface and will decode the sound of the POCSAG protocol messages. The POCSAG protocol messages will be parsed as POCSAG protocol packets and the message bits of the each packet will be decoded as a text message.

Decoding The Data

We can see that we have collected some clear text messages which are blurred due to privacy laws. If your local language is latin (english characters) you will be satisfied with the results so far :-). However, most countries use the local language for pager messages, so non-latin characters will look weird:

To solve this we can decode the data according to the local language. In my case it is Hebrew (which is also RTL). So I need to encode the message string as (pc1252), and then decode it as (pc682). We can do that using CyberChef for example:

Or we can write a simple python script that will read the PDW's log and will do the work for us:

# -*- coding: utf-8 -*- 
# -*- coding: cp1252 -*- 

import codecs 

with codecs.open(<PATH_TO_LOG_FILE>, 'rb', encoding='utf-8', errors='ignore') as loglines: 
  for line in loglines: 
    if line.rstrip(): 
      eline = line.encode('cp1252', 'ignore') 
      dline = eline.decode('cp862') 
      print(repr(dline))        

Below you can see the result after running the python script. Again, for legal reason, I blurred all the sensitive information again, but I want to give you an example of the type of messages we can still intercept in 2021

Conclusion

During the last 15 years, POCSAG data encryption has been implemented by using encryption systems which use proprietary encryption protocols or other encryption mechanisms such as NOEKEON for example. However the assumption that POCSAG protocol data should be encrypted or not in use at all in 2021 may not be accurate, and we can still find the use of pagers and the POCSAG protocol in different sectors and industries.

When it comes to the decoding part of POCSAG messages, we can use several tools as I mentioned before, most of them also support decoding the three types of POCSAG and also FLEX messages. However, these tools will not be able to decode messages in non-latin characters so we will need to decode the messages using relevant custom encoding.

WARNING

INTERCEPTION OF POCSAG MESSAGES AND RADIO FREQUENCIES ARE PROHIBITED BY LAW IN SOME COUNTRIES. IN MOST COUNTRIES IT IS PERFECTLY LEGAL TO RECEIVE PAGER MESSAGES, AS THEY ARE PLAIN TEXT UNENCRYPTED, BUT IT IS ILLEGAL TO SHARE OR ACT ON THE INFORMATION RECEIVED. IN SOME COUNTRIES IT MAY BE ILLEGAL TO EVEN SET UP A RECEIVER. PLEASE LEARN AND RESPECT YOUR LOCAL LAWS BEFORE ATTEMPTING THIS RESEARCH.