After the attack on several Ukrainian power companies in December 2015, the cyber security of sensitive locations and infrastructure has been under the cosh. But it seems their lacklustre performance has not improved: according to a new report, workers at nuclear power plants, chemical plants, defence contractors and other infrastructure sectors are using pagers from the dinosaur era to transmit messages without any protection or encryption.
This mode of communication leaves them exposed to even modestly-resourced hackers. According to the report, plant employees have been transmitting information such as plant diagnostics, names, contact details, and other information via pagers, all of which can very easily be used for social engineering attacks.
The new report, from cyber security company Trend Micro, states,
“Since pager messages are typically unencrypted, attackers can view pager messages even at a distance—the only thing attackers need is a combination of some know-how on software-defined radio (SDR) and US$20 for a dongle.”
Trend Micro has been running equipment and software monitoring at various critical infrastructure facilities in the US and Canada for the past four months. The company monitored nearly 55 million pager messages and found that around a third of them were alphanumeric. The culprits behind the heavy pager usage were automatic alert systems notifying employees about internal issues.
The report added,
“During the course of this project, we saw multiple systems utilizing pagers for alarm functions. These alarms can leak out information about the buildings’ layout, products in use, as well as other company-specific information that should not be seen by anyone outside the company.”
Other pager messages were written by the employees themselves. And since these pagers don’t use encryption or authentication, any attacker can infiltrate, monitor or even add their own messages into pager conversations without ever leaving any trace of their presence. Enemy state actors, intelligence agencies and terrorists looking to sabotage a facility could misuse the information. But private competitors might also be on the lookout for a sneak peek, as the report reads:
“Any company, especially the ones who are transmitting vital information through pagers, must be concerned once they realize that they are unknowingly transmitting vital information about their facility operations.”
At the end of the report, Trend Micro recommended that any company using pagers take sufficient encryption measures, add authentication, and audit any possible leakage of information when using an email-to-pager system.
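As an added example (not from the Trend Micro report or this article), the sketch below shows one way to audit an email-to-pager gateway: it flags and redacts contact details, IP addresses and building locations before a message goes out over the cleartext paging channel. The patterns, the function name `audit_page` and the sample messages are assumptions constructed for illustration.

```python
import re

# Constructed patterns for the kinds of data the article says leak over pagers.
# Applied in this order so an IP address is redacted before the phone pattern runs.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "phone": re.compile(
        r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"
    ),
    # Building layout references such as "Bldg 7" or "Room 214".
    "location": re.compile(
        r"\b(?:bldg|building|room|rm|floor|unit)\.?\s*#?\s*[A-Z]?\d+[A-Z]?\b",
        re.IGNORECASE,
    ),
}


def audit_page(text):
    """Return (findings, redacted_text) for one outgoing pager message.

    findings is a list of (kind, matched_text) tuples to keep in an internal
    audit log; redacted_text is what may be sent over the paging channel.
    Personal names are not detected here; that needs a staff directory lookup.
    """
    findings = []
    redacted = text
    for kind, pattern in PATTERNS.items():
        def replace(match, kind=kind):
            findings.append((kind, match.group(0)))
            return f"[{kind.upper()}]"
        redacted = pattern.sub(replace, redacted)
    return findings, redacted


# Constructed sample messages of the alarm and notification kind described above.
SAMPLE_PAGES = [
    "HVAC ALARM Bldg 7 Room 214 chiller fault, call J. Doe 555-010-0199",
    "Backup job failed on 10.20.30.40, notify ops@example.com",
    "Shift meeting moved to 3pm",
]

if __name__ == "__main__":
    for page in SAMPLE_PAGES:
        found, safe = audit_page(page)
        print(f"{len(found)} finding(s): {safe}")
```

A gateway would log the findings internally and send only the redacted text, or hold the message for review when anything is flagged.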