How many can remember the show ER? The insane pace, the rapid-fire drama? If you are a tech nerd, you remember the gear. Mostly, those old pagers. A recent study performed by Trend Micro showed that a number of major industries still use pagers to try and keep employees up to date with different emergencies. Among these are industrial control systems, HVAC, and most notably the medical field.
This may seem innocuous until you look at the transmission methods used and the fact that all pages are sent clear text over the air. With a software defined radio and a $20 dongle, Trend Micro was able to intercept some 54 million records, over 2 million of which came from the medical field and contained alphanumeric texts. This means personal health information, diagnoses, names, doctors, and treatment recommendations. All it took was about $40 in hardware and being in range of a transmitter. The repercussions of this can be substantial. Ars Technica pointed out that some of the pages came from nuclear facilities containing information about the status of reactors and cooling rods. Information like that as well as PII contained in medical pages are a malicious attacker’s gold mine, helping to not only custom craft attacks against an individual but also against the organization. Knowing a patient’s diagnosis or treatment would make it far easier to craft a spear phish or impersonation attack, giving individuals the validity of common knowledge they would not otherwise have and giving a target all the more reason to trust that person. Not only that, a page regarding critical infrastructure can tell an attacker who is a trusted source for maintenance as well as what needs to be done, which can open the doors for personnel impersonation attacks. These attacks have been repeatedly shown to be devastatingly effective.
The options to fix this are not very numerous, but considering the cost of social engineering attacks and possible fines levied by HIPAA and other associated legislation, it’s worth looking into. There are several new services offering pages with public key encryption as well as moving to smart phone based apps. Unfortunately, both are a challenge from an infrastructure stand point due to additional costs of building in new devices or the challenges of cellular and Wi-Fi spectrums potentially interfering with medical devices.
The challenge is what to do. Unfortunately, there really isn’t a clear cut solution, but the first step is to educate employees and to set software to send data without PII or sensitive information, rather sending out coded messages until a technological solution can be put in place. As is often the case, the best place to start is with people.