It Looks Like Pagers Are Still Common In Nuclear Power Plants and This Is a Great Threat To Security
It seems that nuclear power plants and other similar critical infrastructure may be vulnerable to hacking due to their reliance on ancient technology which many youngsters don’t even recognize today: pagers. According to a recent report pagers are still being used by nuclear power plant workers who use these to send messages and alerts about plant operations and functions. The pagers may be very comfortable to use but the danger is that these communications are not secure at all and can easily be intercepted.
Researchers from the tech security firm, Trend Micro, collected nearly 55 million pages (pager messages) that had been sent over US airwaves during a four month period earlier this year. They intercepted extremely sensitive communication from nuclear plants, chemical plants, defense contractors and other such sensitive organizations. Shocking? There is more. Apparently this interception is extremely easy and anyone could have a good snooping around in these facilities if they wanted to. The researchers wrote in their report, “Unfortunately, we discovered that communication through pagers is not secure at all. Since pager messages are typically unencrypted, attackers can view pager messages even at a distance – the only thing attackers need is a combination of some know-how on software-defined radio (SDR) and US$20 for a dongle.”
The Danger they bring
The earliest pagers could only send numeric data back and forth but later on, the pagers were modified to be able to send text messages as well. This was before mobile phones and SMS took over. These text communications are the ones that are problematic. Researchers refer to these as ‘passive intelligence’ as they can give up information to anyone who may be ‘listening’ in. The report claims, “Pages, it turns out, are considered a source of high quality passive intelligence. During four months of observation, we saw messages containing information on contact persons, locations inside manufacturers and electricity plants, [and] thresholds set in industrial control systems.” Researchers said while considering nuclear plants, most of the information that they got from the interception included conversations between the staff plus automated messages that were sent between the systems. Incidents like pumping flow rates in the plant, leaks in the plant, information in nuclear contamination were also among the information received.
This may seem very harmless information but according to experts if this information is used in combination with employee names, delivery tracking numbers, passwords etc, you will have enough intelligence to start an assault! “Knowledge of issues within the plant, like minor mechanical failures, etc. can be creatively used by determined attackers to craft social engineering attacks that will appear highly believable because of prior reconnaissance,” the authors of the report write. “Less likely but also plausible, would be for highly skilled attackers to make use of the specific issues inside, for instance, a nuclear plant, to trigger some form of sabotage, after they have gained physical access.”
History of vulnerabilities
This isn’t the first time that we have come across technological vulnerabilities endangering facilities and institutions. Earlier this year in April, operators of Germany’s Gundremmingen nuclear power plant said that the plan had been infected with several computer viruses. It doesn’t end here. Two months ago a form of malware was discovered that targeted governments, military sites and corporations and this malware had been present in systems for nearly 5 years before it was actually detected. Dan Goodin at Ars Technica explained, “Part of the appeal is the ability of pagers to communicate in areas where cellular frequencies are weak or nonexistent, often with extremely low power requirements. Another reason, no doubt, is the tendency in certain industries to use dangerously antiquated equipment. If these companies can’t curb these practices on their own, regulators should do it for them.”
Hopefully the pager issue will be easier t solve than the cyber attacks we face nowadays.