Pagers don’t get much attention in this era of smartphones and tablets. They are, however, still widely used in industrial control systems (ICS). Pagers are also a good backup for everyday communication since they work in areas that have poor cellphone signals.

Pagers Keep on Beeping

Pagers came onto the scene during a time when security threats were not as broadly defined as they are today. Back then, security meant simply locking the gate around the facility, not securing radio transmissions.

For this reason, there is simply no such thing as pager security. Messages they receive are rarely encrypted, for example. That means any cybercriminal with a bit of technical knowledge can intercept messages sent to a pager.

That’s just what Trend Micro did. The security firm obtained more than 54 million pages over a four-month span using inexpensive hardware.

No Such Thing as Pager Security

The researchers found messages from nuclear plants, power substations, chemical companies and defense contractors. Semiconductor producers, commercial printing facilities and HVAC companies also leaked what could be sensitive data through pagers, according to the report.

Some messages were indications of malfunctioning critical systems. For example, the researchers intercepted overflow information an HVAC company sent to a hospital on an unencrypted pager.

Passive Intelligence

This type of data collection is known as passive intelligence (PI): gathering information without interacting with the target, as opposed to active intelligence. In PI-rich situations, an attacker does not need to make contact with the target’s network to get useful information. Instead, the attacker waits and listens, gleaning whatever information is available and analyzing it before any active penetration test or attack takes place.

Some PI information Trend Micro found included alarm or event notifications, diagnostics information, status updates for a facility, employee names and email addresses, phone numbers and even some IP addresses.

This kind of information is invaluable to a social engineering scammer. SecurityWeek noted that an attacker might use it to move laterally inside a compromised network.
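The categories listed above can be checked on the sending side before an alert leaves the plant. The following is an added example, not code from the Trend Micro report or from this article: a filter that redacts e-mail addresses, IPv4 addresses and phone numbers from alert text before it is handed to a paging gateway. The function name, patterns and sample messages are constructed for illustration.

```python
import ipaddress
import re

# Patterns for data categories the article lists as leaking over pagers.
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PHONE = re.compile(r"(?<![\w.])(?:\+?\d{1,3}[ -])?\(?\d{3}\)?[ -]\d{3}[ -]\d{4}(?!\w)")


def _is_ipv4(candidate):
    """Reject dotted numbers that are not addresses (e.g. firmware versions)."""
    try:
        ipaddress.IPv4Address(candidate)
        return True
    except ValueError:
        return False


# (label, pattern, validator); e-mail runs first so its digits are not re-matched.
RULES = [
    ("EMAIL", EMAIL, lambda s: True),
    ("IP", IPV4, _is_ipv4),
    ("PHONE", PHONE, lambda s: True),
]


def redact_page(text):
    """Return (redacted_text, findings) for one outbound page message."""
    findings = []
    for label, pattern, valid in RULES:
        def repl(match, label=label, valid=valid):
            value = match.group(0)
            if not valid(value):
                return value  # leave non-matching look-alikes untouched
            findings.append((label, value))
            return f"[{label}]"
        text = pattern.sub(repl, text)
    return text, findings


# Constructed sample alerts, not real intercepted pages.
SAMPLE_PAGES = [
    "ALARM tank 3 overflow, contact j.doe@example.com or 555-010-0199",
    "PLC at 192.0.2.17 not responding, fw 3.10.2.400",
    "Status OK unit 7",
]

if __name__ == "__main__":
    for page in SAMPLE_PAGES:
        print(redact_page(page))
```

The findings list can feed an audit log so that teams see which alert templates carry data that should not go out over an unencrypted channel.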

Spoofing Messages

Ars Technica reported that the researchers also found it “trivial to inject counterfeit messages into the paging systems” they had monitored. These fake messages were accepted by systems using both the Post Office Code Standardization Advisory Group (POCSAG) protocol and another protocol known as FLEX.

All this goes to show that security leaders of industrial organizations should rethink their assumptions about what actually constitutes security, especially with regard to ICS. Opening up a critical infrastructure system to either PI or spoofing doesn’t seem like the safest approach.
