
After Ukraine's energy infrastructure was hacked last December, the problem of protecting industrial infrastructure in Ukraine, Russia and other countries against cyber attacks began to receive more attention. Even so, gaps in information protection remain, and there are quite a lot of them. Some potential ways of gaining access to important resources of industrial companies, nuclear power plants and factories may seem very unusual. Pagers are one example. These primitive devices generally do not use encryption, which makes them vulnerable to intruders.
Over pager channels, company employees send and receive important data about the diagnostics and technical characteristics of their enterprises' equipment. Other sensitive information is often transmitted the same way, including employee names, internal company telephone numbers, and sometimes account information.
“Since pagers do not encrypt the transmitted data, an attacker can receive information from these devices remotely. All that a cyber spy needs to get such data is a software-defined radio system and US$20 for the dongle itself,” a Trend Micro statement said.
The company's experts reached this conclusion after looking into the ways attackers could obtain confidential enterprise data. The work ran for four months at several enterprises in the USA and Canada simultaneously. In total, Trend Micro experts checked about 55 million pages of stored pager messages, about a third of which consisted of letters and numbers. The other messages were purely numeric or simply a call tone for an employee.
In some cases, employees received notifications from their enterprises' security systems that contained information about an incident, for example notices of the failure of heating, ventilation and other infrastructure elements at hospitals and industrial enterprises. In one case, confidential information about important parameters of production systems was regularly sent to the pager of an employee of one of the largest chemical companies. Needless to say, this data was also transmitted in the clear.
“During the project implementation, we saw various systems in enterprises where pagers were used as a tool for notifications. But such systems can be a source of data leakage, including critical information about the configuration of the production system, company products, etc.,” the Trend Micro report says.
Trend Micro experts observed a similar situation even at nuclear power plants, where the data sent to pagers contained information about problems such as:
- Reducing the speed of pumping water;
- Leakage of water, steam, coolant;
- Fire warning;
- Loss of communication with the backup system;
- Reports of injured employees;
- Information about the location of critical equipment;
- Radioactive pollution without threat to human health.
The company's report states, in particular: “We were surprised that the unencrypted messages that come to the pagers of employees of large industrial enterprises contain such important information. We are talking about power plants, chemical plants, defense companies, plants producing semiconductors. These unencrypted messages are a possible channel for passive surveillance by intruders.”
Pagers use neither encryption nor user authentication — nothing that can be considered data protection. Data is transmitted in the clear. Having received the message, an employee of the company usually does not know who sent it - and it is simply impossible to verify the reliability of the source.
In some cases, Trend Micro's information security specialists found it difficult to understand what a pager message was about. But for an attacker who is interested in any information about the company being monitored, all of it may be of considerable interest. Under the rules, a dedicated regulator, the North American Electric Reliability Corporation (NERC), oversees companies in the US energy sector. This organization has the right to fine energy companies that protect critical data poorly and thereby violate security requirements. There is a similar regulator in the chemical industry.
After examining the state of data encryption at enterprises of national importance, information security experts ask a logical question: “Why are communication programs like WhatsApp better protected from hacking than notification systems that work at nuclear power plants and other enterprises of similar importance?” For now the question can be called rhetorical, but a solution to the problem must be sought now.

According to employees of the enterprises themselves, it will not be possible to get rid of pagers completely. In some situations messages have to reach employees in places where there is neither cellular coverage nor Internet access. SCADA system engineers working at nuclear power plants and enterprises of national importance must be reachable 24/7. Such employees are given pagers, and for some of them the communication system is satellite-based. In addition, the problem is not limited to pagers but extends to satellite phones: many systems of this type do not use encryption either. “When only communication is important, and restoring service or equipment is vital, reliability of communication, rather than safety, is paramount,” says an employee of one of the enterprises.
Trend Micro's recommendation for enterprises where pagers are used is to urgently start using encryption and add a user authentication system. In addition, all possible sources of leakage at the enterprise need to be audited regularly.
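
One way to approach the leakage audit recommended above is to scan the outbound paging queue for the kinds of data the article lists (employee names, internal phone numbers, account information, equipment parameters) before anything goes over the air. The sketch below is an added example, not code from Trend Micro or the report; the rule set, the staff roster and the sample messages are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed staff roster; a real audit would load it from the HR directory.
ROSTER = ["Jane Doe", "Sam Lee"]

# Assumed detection rules, one per leak category named in the article.
RULES = {
    "person": re.compile("|".join(re.escape(n) for n in ROSTER), re.I),
    "phone": re.compile(
        r"\bext\.?\s*\d{3,5}\b|\b\d{3}[-. ]\d{3}[-. ]\d{4}\b", re.I),
    "credential": re.compile(
        r"\b(?:user(?:name)?|login|pass(?:word)?|pwd)\s*[=:]\s*\S+", re.I),
    "process_value": re.compile(
        r"\b\d+(?:\.\d+)?\s?(?:gpm|psi|kpa|bar|rpm)\b", re.I),
}

def audit(message):
    """Return (sorted leak categories found, message with matches redacted)."""
    found = set()
    redacted = message
    for category, pattern in RULES.items():
        if pattern.search(redacted):
            found.add(category)
            redacted = pattern.sub("[" + category.upper() + "]", redacted)
    return sorted(found), redacted

def audit_queue(messages):
    """Count flagged messages per category and collect their redacted text."""
    counts = Counter()
    flagged = []
    for msg in messages:
        categories, redacted = audit(msg)
        if categories:
            counts.update(categories)
            flagged.append(redacted)
    return counts, flagged

# Constructed sample of queued pager messages (not real traffic).
SAMPLE_QUEUE = [
    "PUMP P-101 FLOW LOW 212 gpm, call Jane Doe ext. 4471",
    "SCADA HMI user=ops1 password=Example123",
    "0017",
    "FIRE ALARM ZONE 3 - ACK REQUIRED",
]

if __name__ == "__main__":
    counts, flagged = audit_queue(SAMPLE_QUEUE)
    print(dict(counts))
    for line in flagged:
        print(line)
```

Redaction only limits what a passive listener learns from each page; it does not replace the encryption and sender authentication that the recommendation calls for.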