Pagers shout data center creds, pop star airport arrivals

Anyone wanting to know the time world leaders arrive in Australia for the coming G20 summit need only listen to broadcasts from Aussie airports, researcher Ed Farrell has claimed at the Ruxcon conference.

News of VIP airport arrivals are just one of the interesting pieces of information the Sydney security consultant monitored pager signals for about five months this year collecting more than 1.1 million broadcasts.

Within that cache, he found the Defence Science and Technology Organisation (DSTO) and IBM broadcasting their data centre change request identities (essentially access credentials), hospitals issuing sensitive medical records including names and addresses, and one major unnamed airport which announced the names of incoming VIPs.

"In the first five minutes of listening I was capturing things that should not have been transmitted - things like confidential patient files, a service call-out for an automatic teller machine, and some emergency services stuff," said Farrell, of Sydney's Hacklab.

"The security team out of [an] airport were coordinating movements for some of the G20 delegates and were broadcasting their movements in cleartext.

"There were a few from DSTO out at Morebank and IBM had sent personnel change requests too."

He added that airports have also broadcast the arrival of pop stars including Katy Perry in March.

Captured pager messages were broadcast on a backpack during Ruxcon. Darren Pauli. ©The Register

Farrell's pager eavesdropping, confined to listening to the POCSAG protocol, was not new but did illustrate the risks that the antiquated technology presented in the modern day.

He has captured and used broadcasted change request data to enter data centres as part of professional social engineering penetration tests in what also served as a demonstration of what audacious criminals could do to gain access to the facilities.

It cost Farrell no more than AU$9 to purchase a tuner capable of capturing the information which together with the wealth of pager-hacking information available online made the ancient tech an easy vector of attack.

Organisations did not need to throw out the humble pager, nor follow the route of encryption, but rather simply ensure messages were benign.

"The reality is that if messages are generic enough so that they are not disclosing sensitive information then there was little risk."

He said between 20 and 30 percent of messages were either non-nonsensical or seemingly benign machine-to-machine transmissions - however he was able to correlate a number of the latter pages to determine it was issued by the Department of Defence, but not its contents.®