IT systems connected to pagers leak data that can be highly valuable to malicious actors looking to gather intelligence on the organizations they want to target, Trend Micro warned on Tuesday.
The security firm has been analyzing the security impact of pagers in various industries. After two separate reports detailing the risks posed by these devices in the healthcare industry and industrial environments, the company has now published a third analysis focusing on IT systems.
Pagers are outdated, but they are still used in many organizations in combination with SMS-to-pager and email-to-pager gateways. The problem is that pager messages, also known as pages, are sent without being encrypted, allowing anyone with the technical know-how and a $20 dongle to intercept the information they contain, even over long distances.
An analysis of pages coming from entities in the United States has shown that these types of communications are still used for a wide range of purposes. In the case of SMS-to-pager gateways, Trend Micro intercepted messages related to 911 emergency services, healthcare, industrial control systems (ICS), spam, and missed calls.
Trend Micro observed SMS-to-pager gateways being used by various services, including unified communications services, healthcare solutions, caller ID lookup systems, and SNMP messaging for operation engineers.
The security firm has seen email-to-pager gateways used for missed call services, server and network monitoring solutions, next-generation intrusion prevention systems, database management systems, and personal communications.
The pages leaked various types of data, including names, phone numbers, addresses, conference call details (e.g. phone numbers and access codes), medical information, IP and web addresses, information on network devices, database details, meetings, parcel shipment data, and alerts describing potential security threats.
This information can be highly useful to malicious actors conducting reconnaissance as it can allow them to gather information on hostnames and network topology, join conference calls, learn about the targeted individual’s schedule and friends, and map interpersonal relationships within an organization.
The data leaked via unencrypted pages can be leveraged for credible social engineering attacks. For example, pages exchanged by an organization’s employees can include basic information (e.g. names, email addresses and phone numbers) that can allow attackers to pretend that they are part of the organization.
Furthermore, by identifying frequent senders, malicious actors could ensure that the fake messages they send don’t raise any suspicion as they appear to come from an individual trusted by the victim.
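For teams that still forward alerts to an email-to-pager gateway, the sketch below is an added example (not taken from the Trend Micro report) of a filter that redacts several of the data types listed above before a message leaves the mail system. The regexes, the internal DNS suffixes and the sample messages are assumptions constructed for illustration.

```python
import re

# Data classes come from the article's list of leaked items; the regexes and
# the internal DNS suffixes are assumptions. Personal names are not detected.
# Order matters: broad tokens (URL, email) are replaced before narrower ones.
PATTERNS = [
    ("url", re.compile(r"\bhttps?://[^\s<>\"]+", re.I)),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("ipv4", re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}"
                        r"(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")),
    ("hostname", re.compile(r"\b[a-z][a-z0-9-]*(?:\.[a-z0-9-]+)*"
                            r"\.(?:internal|corp|local|lan)\b", re.I)),
    ("access_code", re.compile(r"\b(?:access|pass|pin)\s*code\s*[:#]?\s*"
                               r"\d{4,10}\b", re.I)),
    ("phone", re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]"
                         r"\d{3}[ .-]\d{4}(?!\d)")),
]

# Constructed sample messages, modelled on the alert types the article names.
SAMPLES = [
    "DB ALERT: ora-prod-02.corp at 10.20.30.41 tablespace USERS 97% full",
    "Bridge 555-010-0142 access code 4471982# for P1 incident",
    "Missed call from J. Doe, reply jdoe@example.com or "
    "http://intranet.example.com/t/881",
    "Lunch at 12?",
]


def scrub(message):
    """Return (redacted_text, {data_class: hit_count}) for one message."""
    findings = {}
    for name, pattern in PATTERNS:
        message, hits = pattern.subn(f"[{name}]", message)
        if hits:
            findings[name] = hits
    return message, findings


def audit(messages):
    """Scrub every message; callers can log or block on non-empty findings."""
    return [scrub(m) for m in messages]


if __name__ == "__main__":
    for text, found in audit(SAMPLES):
        print(sorted(found), "->", text)
```
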
The complete report, titled Leaking Beeps: A Closer Look at IT Systems That Leak Pages, is available for download in PDF format.