Unencrypted pagers a security risk for hospitals, power plants

For most of us, pagers went out when cell phones came in, but some companies are still using them and when the messages sent without encryption, attackers can listen in and even interfere with the communications

bullseye hospital healhcare
Credit: Thinkstock

For most of us, pagers went out when cell phones came in, but some companies are still using them and when the messages are sent without encryption, attackers can listen in and even interfere with the communications.

According to two new reports by Trend Micro, pagers are still in use in hospital settings and in industrial plants.

Stephen Hilt, Trend Micro's lead researcher on the project, said they don’t have a concrete percentage on the number of encrypted messages.

"However, there were very few pages that were actually encrypted," he said.

That doesn't have to be the case.

"Depending on the paging system, it might just be a functionality configuration setting that they just turn on," said Ed Cabrera, chief cybersecurity officer at Trend Micro. "But some organizations have paging systems that are not up to date and may require updating the actual systems."

Cabrera admitted that pager messages might not be the lowest-hanging fruit for drive-by cybercriminals.

But they can offer quite a great deal of sensitive information that can be harmful in the wrong hands.

"Criminals can get reconnaissance information to develop social engineering attacks," he said. "They can find out which systems are going under repair, which systems are having difficulties, and get information about employees of these organizations."

Out of 55 million messages that Trend Micro analyzed during the first four months of this year, more than 800,000 contained email addresses, more than 500,000 had names, a quarter million had phone numbers, more than 200,000 had other identifying information such as birth dates or medical reference numbers.

Industrial plant messages included information about facilities, alerts about equipment, and other sensitive data.

All it takes to listen in is a $20 dongle, Cabrera said. And once the attackers are tuned in, they can also send their own messages.

For example, if a security administrator gets an alert that there's a problem with a server, an attacker can send a follow-up message that it was a false alarm and they don't have to come in after all.

He advised organizations still using pagers to upgrade to encrypted systems with asymmetric keys, and to make sure that there's an authentication system in place.

Simply getting rid of pagers entirely isn't always an option.

According to Tyler Moffitt, senior threat research analyst at Webroot, pagers are still needed for consistent, reliable communications that work over greater distances, through steel and concrete, and in emergency situations when cellular and Wi-Fi communications can fail.

"The power consumption to send over greater distances is also 35 times more with cell versus pager," he added. "Pager messages are also sent from multiple towers up to 300 feet tall at the same time to satellites while cellular is only one tower, only 90 feet, connected via wireline telephone systems."

Hospitals have additional concerns.

According to Trend Micro, some mobile phone signals can interfere with medical equipment. In fact, Australia, Canada, Japan, and some European countries prohibit cell phone use in some hospital areas.

This story, "Unencrypted pagers a security risk for hospitals, power plants" was originally published by CSO.

To comment on this article and other CIO content, visit us on Facebook, LinkedIn or Twitter.
Download the CIO Nov/Dec 2016 Digital Magazine
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.