Unencrypted pagers a security risk for hospitals, power plants

For most of us, pagers went out when cell phones came in, but some companies are still using them and when the messages are sent without encryption, attackers can listen in and even interfere with the communications.

According to two new reports by Trend Micro, pagers are still in use in hospital settings and in industrial plants.

Stephen Hilt, Trend Micro's lead researcher on the project, said they don’t have a concrete percentage on the number of encrypted messages.

"However, there were very few pages that were actually encrypted," he said.

That doesn't have to be the case.

"Depending on the paging system, it might just be a functionality configuration setting that they just turn on," said Ed Cabrera, chief cybersecurity officer at Trend Micro. "But some organizations have paging systems that are not up to date and may require updating the actual systems."

Cabrera admitted that pager messages might not be the lowest-hanging fruit for drive-by cybercriminals.

But they can offer quite a great deal of sensitive information that can be harmful in the wrong hands.

"Criminals can get reconnaissance information to develop social engineering attacks," he said. "They can find out which systems are going under repair, which systems are having difficulties, and get information about employees of these organizations."

Out of 55 million messages that Trend Micro analyzed during the first four months of this year, more than 800,000 contained email addresses, more than 500,000 had names, a quarter million had phone numbers, more than 200,000 had other identifying information such as birth dates or medical reference numbers.

Industrial plant messages included information about facilities, alerts about equipment, and other sensitive data.

All it takes to listen in is a $20 dongle, Cabrera said. And once the attackers are tuned in, they can also send their own messages.

For example, if a security administrator gets an alert that there's a problem with a server, an attacker can send a follow-up message that it was a false alarm and they don't have to come in after all.

He advised organizations still using pagers to upgrade to encrypted systems with asymmetric keys, and to make sure that there's an authentication system in place.

Simply getting rid of pagers entirely isn't always an option.

According to Tyler Moffitt, senior threat research analyst at Webroot, pagers are still needed for consistent, reliable communications that work over greater distances, through steel and concrete, and in emergency situations when cellular and Wi-Fi communications can fail.

"The power consumption to send over greater distances is also 35 times more with cell versus pager," he added. "Pager messages are also sent from multiple towers up to 300 feet tall at the same time to satellites while cellular is only one tower, only 90 feet, connected via wireline telephone systems."

Hospitals have additional concerns.

According to Trend Micro, some mobile phone signals can interfere with medical equipment. In fact, Australia, Canada, Japan, and some European countries prohibit cell phone use in some hospital areas.

IDG Insider


« Hewlett Packard Enterprise and Mirantis cut OpenStack staff


5 ways to reduce bias in your hiring practices »
IDG News Service

The IDG News Service is the world's leading daily source of global IT news, commentary and editorial resources. The News Service distributes content to IDG's more than 300 IT publications in more than 60 countries.

  • Mail

Recommended for You

Future-proofing the Middle East

Keri Allan looks at the latest trends and technologies

FinancialForce profits from PSA investment

Martin Veitch's inside track on today’s tech trends

Amazon Cloud looms over China: Bezos enters Alibaba home ground

Lewis Page gets down to business across global tech


Do you think your smartphone is making you a workaholic?