All it takes is a $20 dongle and some patience, and an attacker can listen in on a company's pager communications -- including transcribed voice mail messages and dial-in instructions for conference calls.
There are many voicemail services that automatically transcribe voice mail messages, according to a new report by Trend Micro. In some cases, those messages are forwarded to employees via their pagers.
"It lets them be away from their desk in an environment where they can't bring their cellphones," said Ed Cabrera, chief cybersecurity officer at Trend Micro. "It gives them more operational control and freedom."
Unfortunately, it can also give attackers -- cybercriminals, nation states, and hacktivists -- additional insight into how things work at the organization.
"Now we have communications that have been transcribed, that people thought were private or confidential," he said. "It gives them a broader view into a company and could be used for spearphishing."
Attackers can also use information from pager messages to build up detailed profiles of their targets, including their work schedules, travel plans, appointments, and who their friends are, and to build up a picture of the target's relationships with other employees, customers or outside vendors.
All this information can be used for both physical attacks and cyberattacks, Cabrera said.
Earlier this year, Trend Micro analyzed 55 million pager messages and found that more than 800,000 contained email addresses, more than 500,000 had names, a quarter million had phone numbers, and more than 200,000 had other identifying information such as birthdates or medical reference numbers.
And when there were voice mail transcriptions, they were typically sent in plain text, easy for hackers to grab.
Similarly, invitations to conference calls were also sent in clear text to employee pagers.
Governmental agencies and critical infrastructure providers can share a great deal of sensitive information in conference calls.
And conference calls typically require just a dial-in number and access code; there's no other verification of identity, Cabrera said.
Sometimes, cybersecurity teams will use conference calls to discuss ongoing attacks, giving the attackers a way to spy on how the organization is responding.
"This is threat intelligence, but for criminals," Cabrera said.
Organizations usually have no way of knowing that their voice mail transcripts or conference calls have been compromised.
"The chances of the hackers speaking up during the calls are pretty slim," he said.
A company might suspect that something is going on because phishing emails are using internal information, but that could also have come from compromised email accounts or other sources, he said.
"Chances are, you're not going to find them," he said.
He recommends that organizations that still use pagers upgrade to encrypted systems with asymmetric keys, and make sure that there's an authentication system in place.