Enterprise pagers are a source of critical information leaks.

After the Ukrainian energy infrastructure of Ukraine’s industrial infrastructure in Ukraine, Russia and other countries was hacked last December , more attention was paid to the problem of protection against cyber attacks. True, vulnerabilities in information protection remain, and there are quite a lot of them. Some potential ways of gaining access to important resources of industrial companies, nuclear power plants, factories and plants may seem very unusual. For example, pagers. These primitive devices generally do not use encryption, which makes them vulnerable to intruders.

Through pager channels, employees of companies send and receive important data related to the diagnostics and technical characteristics of enterprises' equipment. In the same way, often, other sensitive information is also transmitted, including the names of employees, the company's internal telephones, and sometimes account information.

“Since pagers do not encrypt the transmitted data, an attacker can receive information from these devices remotely. All a cyber spy needs to get such data is a software-defined radio system and US $ 20 for the dongle itself, ”a Trend Micro statement said .

Experts of the company made such a conclusion after searching for possible ways of obtaining the closed data of enterprises by crackers. This work was carried out for four months at once in several enterprises in the USA and Canada. In total, Trend Micro experts checked about 55 million pages of stored pager messages, where about a third of the messages consisted of letters and numbers. Other messages were simply numbers or a call tone for an employee.

In some cases, company employees received notifications from the security systems of enterprises that contained information about what had happened. For example, these are notifications about the breakdown of heating, ventilation, and other infrastructure elements of hospitals and industrial enterprises. In one of the cases, a secret information about the important parameters of the production systems was regularly sent to a pager employee of the largest chemical company. It would be superfluous to say that this data was also transmitted in the open form.

“During the project, we saw various systems in enterprises where pagers were used as a tool for notifications. But such systems can be the source of a data breach, including critical information about the production system configuration, the company's products, and the like ", - stated in the report, Trend Micro.

A similar situation was observed by Trend Micro experts even at nuclear power plants, where the data transmitted to the pager contained information about such problems:

• Reducing the speed of pumping water;
• Leakage of water, steam, coolant;
• Fire warning;
• Loss of communication with the backup system;
• Reports of injured employees;
• Information about the location of critical equipment;
• Radioactive contamination without threat to human health.

The report of the company, in particular, states the following: “We were surprised that the unencrypted messages that come to the pagers of employees of large industrial enterprises contain such important information. We are talking about power plants, chemical plants, defense companies, plants producing semiconductors. These unencrypted messages are a possible channel for passive surveillance by intruders. ”

Pagers use neither encryption nor user authentication — nothing that can be considered data protection. Data is transmitted in the clear. Having received the message, an employee of the company usually does not know who sent it - and it is simply impossible to verify the reliability of the source.

In some situations, information security specialists from Trend Micro found it difficult to understand what the message on the pager was about. But for an attacker who is interested in all sorts of information about the company being monitored, all this may be of considerable interest. According to the rules, a special regulator, the North American Electric Reliability Corporation (NERC), monitors companies in the US energy complex. This organization has the right to fine those energy companies that poorly protect critical data, thereby violating security requirements. There is a similar regulator in the chemical industry.

After examining the situation with data encryption in enterprises of state importance, information security experts ask a logical question: “Why do communication programs like WhatsApp are better protected from hacking than notification systems that work at nuclear power plants and other enterprises of similar importance?”. This question can still be called rhetorical, but a solution to this problem must be sought now.



According to the employees of the enterprises themselves, completely get rid of pagers will not work. The fact is that in some situations it is required to send messages to employees in places where there is neither cellular communication nor Internet. Engineers of SCADA-systems working at nuclear power plants and enterprises of state importance should be available 24/7. Such employees are given pagers, and the communication system for some of them is satellite. In addition, the problem is not only in pagers, but also satellite phones: many systems of this type also do not use encryption. “When only communications are important, and restoring service or equipment is vital, reliability of communications, not security, is at the forefront,” says an employee of one of the enterprises.

Trend Micro's recommendation for businesses that use pagers is to quickly start using encryption and add a user authentication system. In addition, it is necessary to regularly audit all possible sources of leakage of a given enterprise.