A lengthy study by Trend Micro found that with a $20 investment a cybercriminal can buy the gear needed to remotely access a wide variety of pager communications making pager use not only insecure, but possibly a violation of HIPAA regulations. In addition to being able to read the pager texts, Trend Micro's researchers were also able to implant their own messages into the paging system.
“Through technical means, we were able to decode pager messages using software-defined radio (SDR) and a USB dongle as cheap as $20. After setting up our equipment and software to observe pager messages, we began analyzing what types of information are being passed along in the clear,” the report stated.
The Trend team let its information capturing systems, which were located in the U.S., U.K. and Canada, run for four months starting on January 25, 2015. During this period it monitored 53.9 million unencrypted pager records with just over 2 million of these being transmitted from a hospital or medical facility. The type of data discovered included everything from hospital to doctor notifications, to information transmitted between EMTs responding to a 911 call and the hospital to where the patient is being transported.
“In fact, every step of the medical transaction could be observed from pages. We've seen pages describing admission to the emergency department, bed requests, in-facility transfer preparation requests, treatment orders, patient status updates up until the discharge or further transfer process,” the report stated.
Jon Clay, Trend Micro's global marketing manager, told SCMagazine.com in an email, that despite all of the information the team was able to gather the company knows of no hack of any paging system.
Even though the message traffic so far has not been compromised several potential problems exists.
“This raises the question with regard to various global healthcare privacy laws such as Health Insurance Portability and Accountability Act (HIPAA). Even though in some cases shorthand and medical terms were being used, it only took a basic level of medical knowledge (can anyone say webMD?) to understand the treatment and care a patient—including the patient's name—was receiving,” the report said.
Enough information was read to discern diagnosis and treatment practices for individual patients and enough data was gathered to enable a criminal to steal an individual's identity.
Another weak point was the ease with which the Trend Micro team was able to insert their own messages into the paging system. Multiple tests were conducted with several pagers the team bought, in order to not affect any real communication and it was found the system was simply to hijack.
“Based on the results, we can conclude that messages can be sent to any pager with the same protocol, as long as the transmitting power of the radio and antenna support the distance needed to successfully spoof messages. Our experiment proves that systems relying on pager technology can be easily compromised,” the report found.
There are still about two million pagers in us in the U.S., according to the retailer PagersDirect.