While cartoon crime fighter Kim Possible may be the last character, real or unreal, to regularly use a pager/beeper, Trend Micro is still finding these somewhat old-fashion communication devices that are still in use leak wide variety of private information potentially opening up the users for a conventional cyberattack.
The fact is pagers are still used in a variety of industries and thus need to be on any CISO's radar. The third installment (first report and second report) in Trend Micro's “Leaking Beeps” series show how IT systems that work with unencrypted pagers can be accessed and the data recovered used by malicious actors for a wide variety of purposes.
“To do that, we looked at pages that were sent or received through email-to-pager and SMS-to-pager gateways and those that were coupled with IT systems such as network monitoring solutions and voicemail summary systems,” the report stated.
Some of the information that could be recovered was the names of people being paged, the relationship between the sender and recipient, contact information and email. The data can also indicate what sector the people are involved which can help determine if they are worth singling out for an attack.
“During our research, we also found that passcodes for the Microsoft® Outlook Web App and conference bridges are being sent through pagers. If this type of data falls in the hands of malicious actors, they can get insider information through emails and use collected information to create a list of names within the target organization for future use in phishing attacks. In addition, attackers may also join in conference bridge calls and spy on their targets to listen in on confidential conversations,” the report stated.
Trend Micro recommends that companies, if possible, upgrade their systems and drop pagers as a communications device. However, if that is not possible the pagers should be encrypted so any leaked data cannot be read by an unauthorized third party.
In an earlier report Trend Micro researchers detailed how they intercepted and decoded information pulled from pagers used by the medical community.