October 26, 2016 By Larry Loeb 2 min read

Pagers don’t get much attention in this era of smartphones and tablets. They are, however, still widely used in industrial control systems (ICS). Pagers are also good backup for everyday communication since they are functional in areas that have poor cellphone signals.

Pagers Keep on Beeping

Pagers came onto the scene during a time when security threats were not as broadly defined as they are today. Back then, security meant simply locking the gate around the facility, not securing radio transmissions.

For this reason, there is simply no such thing as pager security. Messages they receive are rarely encrypted, for example. That means any cybercriminal with a bit of technical knowledge can intercept messages sent to a pager.

That’s just what Trend Micro did. The security firm obtained more than 54 million pages over a four-month span using inexpensive hardware.

No Such Thing as Pager Security

The researchers found messages from nuclear plants, power substations, chemical companies and defense contractors. Semiconductor producers, commercial printing facilities and HVAC companies also leaked what could be sensitive data through pagers, according to the report.

Some messages were indications of malfunctioning critical systems. For example, the researchers intercepted overflow information an HVAC company sent to a hospital on an unencrypted pager.

Passive Intelligence

This type of data collection is known as passive intelligence (PI). PI is information gathering as opposed to active intelligence. PI-rich situations would not require an attacker to make contact with the target’s network to get useful information. Attackers using PI would rather wait and listen to the target, gleaning whatever information they can and then analyzing it before an active penetration test or attack can occur.

Some PI information Trend Micro found included alarm or event notifications, diagnostics information, status updates for a facility, employee names and email addresses, phone numbers and even some IP addresses.

This kind of information is invaluable to a social engineering scammer. SecurityWeek noted that an attacker might use it to move laterally inside a compromised network.

Spoofing Messages

Ars Technica reported that the researchers also found it “trivial to inject counterfeit messages into the paging systems” they had monitored. These fake messages were accepted by systems using both the Post Office Code Standardization Advisory Group protocol and another protocol known as FLEX.

All this goes to show that security leaders of industrial organizations should rethink their assumptions about what actually constitutes security, especially with regard to ICS. Opening up a critical infrastructure system to either PI or spoofing doesn’t seem like the safest approach.

More from

Skills shortage directly tied to financial loss in data breaches

2 min read - The cybersecurity skills gap continues to widen, with serious consequences for organizations worldwide. According to IBM's 2024 Cost Of A Data Breach Report, more than half of breached organizations now face severe security staffing shortages, a whopping 26.2% increase from the previous year.And that's expensive. This skills deficit adds an average of $1.76 million in additional breach costs.The shortage spans both technical cybersecurity skills and adjacent competencies. Cloud security, threat intelligence analysis and incident response capabilities are in high demand. Equally…

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today