The explosions—more an assault via supply chain than a cyberattack—raise fears that even low-tech devices can be weaponized.
On Sept. 17, several thousand pagers exploded in Lebanon in what is widely believed to be an Israeli attack on members of Hezbollah. The next day, hundreds of handheld radios also exploded. Press reports indicate dozens of deaths and thousands of casualties, some involving known Hezbollah operatives and others involving passers-by with no apparent connection to the terrorist group. The Israeli government has neither confirmed nor denied involvement.
The pagers (Apollo AR-924)—powered by a rechargeable lithium battery and apparently containing a few grams of explosive—received a text message, seemingly from the Hezbollah leadership, shortly before 3:30 p.m. local time on Tuesday. Each device beeped for several seconds, allowing pager holders to bring their devices closer to their faces, and then detonated.
Some—including Lebanon’s foreign ministry and Hezbollah itself—have described the operation as a cyberattack, suggesting that the pager explosions were caused by a malware-induced “thermal runaway” in the lithium-ion batteries inside the pagers. But this scenario is unlikely: Overheating and ignition—fire—would precede an explosion in a lithium-ion battery, most likely giving the target some warning. It is more likely that some other source of explosive energy was used.
Most explanations to date have converged on the idea that the pagers themselves had some explosive secreted inside them, detonated on command. If these reports are true, the explosions have more in common with a remotely detonated improvised explosive device than with a cyberattack. Conceptually, this could be a mortar shell with wires going into it that originate a substantial distance away, say a few hundred meters. The bomber throws a switch at the right time to close the firing circuit and the shell explodes. Remotely, a bomber could rig a cell phone into a bomb’s detonator so that when the phone’s ringer goes off, the device detonates. The cell phone-and-detonator arrangement seems roughly similar to the pager explosions.
Rather than a cyberattack, the pager and handheld radio attacks are more properly classified as an assault on the Hezbollah supply chain, garnering a great deal of media attention. The New York Times noted a “reality that international supply chains are susceptible to being penetrated by those waging war.” After acknowledging previous concerns about supply chains for strategic goods such as medical supplies, chips, and telecommunications gear, the Times argued that the pager and handheld radio attacks “reveal how even less strategic and lower-profile areas of commercial life entail grave security risks.” Politico reported that “the attacks serve as a model for future adversaries on how to weaponize the complex and often-opaque supply chains for everyday items.”
But even if these attacks seem to be more supply chain than cyber, they raise the uncomfortable fear that every device connected to the “Internet of Things” could be turned into a physical—kinetic—weapon. Expressing fears that their smartphones were being used by Israeli intelligence to gather information, Hezbollah apparently decided to use pagers and handheld radios based on the theory that low-tech devices are more resistant (or even immune) to cyberattack because they lack computerized components that can be easily hacked.
If true, such reasoning was flawed. The pagers and handheld radios had to be manufactured by an external party, and that party turned out not to have Hezbollah’s safety interests in mind. Moreover, the attack demonstrates thateven “low-tech” devices increasingly have electronic components in them. My toaster, the key fob to my building’s elevator, and my ID card all have chips in them. Unless I keep them enclosed in a Faraday cage (a sealed metal enclosure that radio waves cannot penetrate), an adversary might be able to send radio signals to those chips. And if my device has explosives in it, such signals might result in an explosion.
There are therefore two lessons to draw from what we currently know about these explosions.
First, the general public likely doesn’t need to worry about their electronic devices exploding en masse, especially if they are made by reputable and established firms. One has to wonder how Hezbollah procurement agents identified a company that would fulfill an order for several thousand pagers; news reports indicate they went through intermediaries to identify a source company, intermediaries who were either Israeli themselves or compromised by the Israelis. The point is that Hezbollah did not have established relationships with reputable firms. Moreover, the general public buys its devices one at a time from many different retailers. While these retailers buy from far fewer sources, they—unlike Hezbollah—do have established relationships with reputable firms.
Could a product from a reputable firm have an explosive in it? Certainly. If the device is purchased through a mail order outlet, it must be shipped—and it could in principle be intercepted, opened, tampered with, and resealed, before being sent on its way to the customer. But such a process is very demanding on intelligence services because it requires a lot of attention and personnel support. It makes sense to target a small number of high-value individuals, but not a large group that could be regarded as being part of the general public.
The second lesson is a technical one. If I am, contrary to fact, a high value individual who might be targeted, the device doesn’t even have to be connected to the internet. Imagine a TV with a bomb in it that is programmed to go off via a timer, exploding three months after it first powers on, or when it receives a particular signal embedded in an over-the-air broadcast of some particular TV program. In fact, the TV doesn’t even need to be triggered by radio or TV signals—I can attach to the TV speaker a sensor that monitors the sounds being played; when a particular song is broadcast, the computer recognizes it and triggers an explosion. It may seem obvious, but with all of the attention on how the pagers were triggered, it is worth remembering that what makes the TV or the pager dangerous is not any of these methods for triggering—it’s the presence of the explosive inside.
As more reporting is done on what is, by all accounts, an extraordinary technical success, there are many questions that remain—leading to a fair amount of media speculation. One claim raised by a commercial TV station in Israel, for example, indicated that the detonations were triggered individually, with the trigger-pullers knowing “who was being targeted, where he was, and whether others were in close proximity.” While certain elements of this claim are plausible, the idea that the pager’s location was known at the time of sending the detonating message is not fully believable—to know the pager’s location, the pager would have to broadcast a signal continuously, posing the risk of being detected and compromising the operation. The notion of knowing if others were in close proximity borders on the absurd, requiring a sensor that could detect humans in addition to the target.
As long as details continue to emerge, such speculation will only continue. It is clear that there is still much to learn about this operation, but its implications for individual and public safety are worth considering. While they shouldn’t inspire outright panic for the average individual, they might induce high-value targets to rethink some of their personal safety measures.
– Dr. Herb Lin is senior research scholar for cyber policy and security at the Center for International Security and Cooperation and Hank J. Holland Fellow in Cyber Policy and Security at the Hoover Institution, both at Stanford University. Published courtesy of Lawfare.