In the third and final installment of the “Leaking Beeps” series, Trend Micro’s Forward-Looking Threat Research team reveal the risks posed by pager technology used in IT systems throughout various industries, including, healthcare, ICS, universities and enterprises. Once again, we were surprised by the vast amount of unencrypted data cybercriminals are able to access by hacking into pagers with minimal effort or investment.
There is a common misconception across multiple industries that information leaked from pagers, such as personal conversations or company information, is useless to cybercriminals. Not only is this untrue, but can prove extremely risky and even dangerous for organizations.
Hackers are able to gain passive intelligence, gathering information without making contact with the target’s network, through the leaked pager data, allowing them to build extensive user profiles. The information carefully collected by these cybercriminals can reveal anything from personal data to sensitive company information, giving hackers ammunition to strategically plan a physical or network attack that will be most effective, as well as when to strike.
Industries still utilizing pager technology as a form of internal communication are leaving themselves vulnerable to high-profile attacks. Cyber espionage groups, cybercriminals and even hacktivists could take advantage of the unencrypted information to perform reconnaissance missions, carry out social engineering attacks or cause employees emotional distress by sending fake pages.
The ability to cause such personal or organizational damage comes at little cost for cybercriminals. With the purchase of a $20 dongle and a simple program, the attack scenarios listed above, and more, are all possible. The process of gathering passive intelligence and executing these attacks is incredibly unsophisticated – which means stopping them is just as simple.
It is the responsibility of Chief Information Security Officers (CISOs) to assess all corporate communications and the vehicles with which they’re sent. If pagers are absolutely necessary for internal communication, companies are advised to use an encrypted system with asymmetric keys. There should also be a process in place to authenticate any messages received, as well as audit possible leakage from an email-to-pager gateway. Lastly, employees should not discuss personal information, reference names or share company passwords to avoid leaking sensitive data.
To learn more about the threats posed by unencrypted pager communication, read the full report here.