A Reason to Kick Pagers out of Hospitals: weakness in pager technology has specific implications for the healthcare sector
This problem is observed across the globe, including Asia, Europe, and North America
Trend Micro Forward-Looking Threat Research team reported about weakness identified in pager technology. The company reported how there are several possible attack scenarios where an attacker makes use of information from unencrypted pager messages to do reconnaissance, social engineering, or some form of targeted attack or sabotage.
With private information being sent over the air through paging technologies that have no encryption and authentication, an obvious attack is to take advantage of the information against a potential target. Privacy regulations in various countries have prohibited protected health information from being leaked. However, this research reveals that the lack of encryption on private information has been overlooked for a long time.
What is exposed from the protected health information (PHI) may include email, phone numbers, and date of birth, syndromes, and diagnosis, among others. In addition, cybercriminals may be able to track specific cases based on medical record numbers in the sent pages. This allowed them to follow a patient’s transaction with the hospital: from the time a patient’s case is transferred from an outside facility, all the steps taken to assess, diagnose and treat the patient, up until the patient is discharged.
Lots of information can be seen from sniffing pager messages. However, it is also possible to inject your own pages if you have basic information about the systems in use. Without encryption and authentication, pager messages are easy to spoof as there is no way to verify that the messages are sent from trusted and known sources.
More importantly, our researchers also outline actionable recommendations for healthcare organizations that are still using pagers in an unsecure way today.
Pagers are secure, right? We’ve used them for decades, they are hard to monitor, and that’s why some of our most trusted industries use them, including the healthcare sector.
Nope. Wrong. All it took to see hospital information in clear text from hundreds of miles (away is an SDR software and a USB dongle. The problem with pagers—like many other technologies—is that they were designed and developed in a bygone era, and very few people go back to see if current technologies easily break the trust we had in these older ones or not (by virtue of making ease of monitoring—accidental or intentional—something easily done by a common person).
This research was done with tools easily purchased from Amazon for less than US$30. This tells us that monitoring is literally within the reach of children, a bored teenager or a criminal mind with a monetary interest. We saw this problem across the globe, including Asia, Europe, and North America, which means it’s not an isolated occurrence that we by chance witnessed in one country or a singular organization. It really is a result of a belief in the idea that technology never ages, though some might say this ‘belief’ is, in fact, a form of negligence of the implications of outdated technologies in a new environment.
The pager contents themselves are varied in form. This pie chart shows the distribution of data types seen in this research: