An old technology is exposing health care, critical infrastructure, and other industries to new cybersecurity problems, as a recent Trend Micro survey finds that pagers can create weak points through which hackers can extract personal information.
“In this paper, we are again surprised by the amount of unencrypted information that is readable in clear text, by the content of these messages, and by the wealth of information that is transmitted through the pages we saw,” Trend Micro senior threat researchers Stephen Hilt and Philippe Lin wrote in the study.
According to Ed Cabrera, chief cybersecurity officer at Trend Micro, most people are surprised that pagers are even still in use in many industries.
“It’s possibly being overlooked or being considered a minor risk,” said Cabrera. He added that industries such as health care, industrial environments, critical infrastructure, universities, and business enterprises often use pagers where cellphone or Internet service is poor or unavailable.
The study found that much of the data transferred across pager systems, which included details about personal schedules, transcribed voicemails, and frequency of conversations, is rarely encrypted and offers hackers an easier means of reconnaissance against an organization.
“The biggest risk of this type of vulnerability is the reconnaissance by threat actors,” said Cabrera. “The more they know about an intended target, the more likely they are to operate an effective attack.”
In the course of this study, researchers found that health care had the most prevalent problem with pager vulnerability, followed by IT-based systems and industrial systems.
Cabrera added that the results of this study reveal the dangers inherent in unencrypted systems, and that adding encryption to established pager systems is going to be the most likely solution for many organizations.
“A big part of all of this is cost,” Cabrera said. “Pivoting to encryption is probably the most effective method in terms of cost.”
“We believe that organizations or facilities that are still using pagers should carefully weigh the benefits and the risks of using legacy systems, such as pagers, to communicate confidential information,” Hilt and Lin wrote.
The study recommends that organizations transfer to more inherently secure devices or, if they still want to use pagers, that they enact security guidelines to keep information transmitted across these devices secure:
- Encrypt information sent through such devices.
- Apply overall organization security standards to the encryption of pager information.
- Avoid addressing people by name in communications.
- Don’t transmit passwords across pagers.
- Avoid using voicemail transcription services and automated summary systems where possible.
- Conduct thorough security assessments for information transmitted through pagers.