Updated: Dec 28, 2022
Welcome back, my aspiring RF hackers!
Although few people still use pagers, they were once a common communication device used by many industries to notify employees, contractors and others of urgent information. Pagers are a wireless telecommunication device that sends and displays alphanumeric and voice messages.
These pagers, once the state-of-the-art mobile communication system, are part of paging system that includes fixed transmitters and mobile users. Some of these systems are very low-power and short range and others can be nationwide.
Pagers use high frequency radio signals that can travel long distances and penetrate walls that are often impenetrable to cellphones. Because of this, pagers are still used by 80% of hospitals, their last major market.
Our software defined radio is capable of picking up these signals and with a couple extra pieces of software, we can decode and read them, even confidential emails.
Step #1: Open HDSDR
The first step of course is to connect your RTL-SDR and open your HDSDR software as seen below.
Step #2: Install Virtual Audio Cable
In order to decode the signals from the pager system, we will need decoding software. To send the audio signals from your RTL-SDR to the decoder, we need a virtual cable. This cable sends the audio signals captured by the RTL-SDR to the decoder. You can download this virtual cable at the URL below.
The web page of the virtual cable software appears above. Click and download the software to your system and unzip it.
Now, open the directory you where unzipped it and you should see something like the screen below.
Select the appropriate setup for for your system. As I'm running a x64 system, I setup the VBCABLE_Setup_x64.
Make certain to right-click and run VBCABLE_Setup as Administrator.
This opens a screen like that above. Click on the Install Driver button.
Step #3: Install Decoding Software
Next, we need to install the decoding software. Pager data is sent as audio signals that must be decoded to understand the message. You can download PDW at the link below.
This link opens a page like that below. Click and download the latest stable release, PDW v3.12.
Make certain to install the slicers driver as well.
When PDW opens, you should see screen similar to that below. Make certain to set the monitor to POCSAG/FLEX.
Click on the Options tab and set the options like that below. Click OK.
Now, click on the interface tab. This opens a window like that below.
Make certain to set the Soundcard Configuration to "Custom", the Sample Rate to 44100, and the Soundcard to "Cable Output(VB-Audio Virtual)".
Step #4: Find the Proper Frequency to Listen On
The next step is to find the proper frequency to listen for pager traffic. This will vary by country and in some cases by community (simply do a Google search for the frequencies that pager traffic uses in your country). In the US --where I reside--the Federal Communication Commission determines the frequencies of nearly every radio signal.
According to the FCC's website;
Commercial paging operates in the 35-36, 43-44, 152-159, and 454-460 MHz bands (sometimes referred to as the "Lower Band") and the 929 and 931 MHz bands (sometimes referred to as the "Upper Band") (refer to band plan). Two types of commercial paging licensees operate within these bands, common carrier paging (referred to as CCP or 931 MHz) and private carrier paging (referred to as PCP or 929 MHz).
Let's try to intercept pager traffic at the "Upper Band" or private carrier paging at 929Mhz. Simply set the frequency of your HDSDR at 929Mhz and watch for traffic in this range.
The signal may not be exactly at 929Mhz, so watch the spikes in the waterfall to determine the likely frequency being used in your area and adjust the frequency accordingly.
Step #5: Decode the Data
Now, listen on the pager frequency with your HDSDR which them pipes the output to PDW through the virtual cable. Be patient, you may not see anything at first, but eventually you will see some pager traffic like below.
Interestingly, this pager traffic was from Florida and includes confidential emails. This is interesting because I reside 2000 miles (3200 km) away in a remote location in the Rocky Mountains in the Western US.
As you scan these messages, the sender references a patient, Jacqueline Landrum. Jacqueline Landrum is 70 year old woman in Orlando, Florida.
It also appears that some of the data has been corrupted or misread by the decoder. This can likely be remedied through further refinement of the filters.
Software Defined Radio is the leading edge of information security. Even with an inexpensive RTL-SDR we are able to intercept confidential messages and emails sent to pagers.
In future tutorials in this series, we will look to intercept police signals, satellite signals, cell phone signals (GSM) and, eventually, I will show you how to hack many of these signals through replay and other attacks.
To learn more about SDR for Hackers, attend the SDR for Hackers training at Hackers-Arise or purchase the videos in our online store.