Making comms devices ignite/explode remotely...?

In the news: Exploding pagers in Lebanon kill 9, wound 2,800

Without delving into discussion about the war, does anybody have a theory on how it would be possible to remotely cause a device’s battery to catch fire and/or explode?

1 Like

More: Remotely Exploding Pagers - Schneier on Security

2 Likes

This is going to go towards “there be dragons” territory fast, but theories, sure, those we can come up with.

  • Accidental or intentional: An accident (like a major defect that affected a production batch) seems less likely as the reports seem to suggest that quite a lot of the wounded belonged to the same reference group. However, the sheer number may be skewed due to the model of how and why pagers are used there in the first place (very specific risk profile in that region). Accidental would imply a defect and intentional that there was something specific done. Knowing how simple the device is, I’m leaning to the latter.
  • What’s there to cause such an energetic event in the device? Either it’s something that’s normally there or something extra was added. Third would be that there’s something external involved and the pager was just for targeting, but that’s hard to say (no mention). If it’s normal, it’s probably the battery (lithium batteries have been known to burst violently - “detonation” is just a matter of how violently). If it’s something added, that could be anything that can be hidden inside such a small device. Where the device is carried has a big effect on how effective even a small battery or added charge can be.
  • If it’s the battery: someone has found a way to exploit a fault, a way to cause the battery to short circuit and heat up. Is that at all possible to do via sending pages? Or was there previously hidden code to do that, which was activated? If there’s a way to cause batteries to go that bad just by paging, I think that would interest a whole lot of entities. Pre-prepared code seems more likely but the question becomes, how was it done to scores of pagers?
  • If it’s some added charge: how was it done to scores of pagers? Such wouldn’t be sudden - it could have taken years to prepare (just thinking of the manufacturing and testing alone of a simple telephonic device, Like 5ome we know). And this goes to supply chain security - where are your devices made and did you buy interdiction security measures when ordering them?

I’m not sure what model was used (or whether there were several models) so I’m not sure what kind of batteries we’re talking about here. I know some pagers use AAs. Could these be such a model that the battery isn’t even changeable? Or maybe it is changeable and the available mass-distributed new batteries were all made with bad innards, with a time delay of weeks or months.

… the more I waste my time thinking about this, the more it seems to me that it’s unlikely to be “just hacking”. Something else was done too, at scale. Then again, just as likely, someone will get their hands on these device remains and write something more intelligent [and just as I write this, the Schneier blog link appears in the above comment].

2 Likes

I suspect this was a supply chain attack. The articles said that the devices were part of a new batch that the group had just put into use.

2 Likes

More details: 8 dead, 2,700 injured after simultaneous pager explosions in Lebanon | Ars Technica

1 Like

If you search, you can find videos that show those going off in shops. It’s not huge, but when the pager is on a belt etc. it doesn’t have to be. Now, estimating from those examples, and the injury assessments, it seems that the number of pagers was probably in the few hundreds (the more serious injuries). Definitely not something that was done quickly.

2 Likes

From that link:

I have no idea, but I expect we will all learn over the next few days.

That is probably the only sensible answer at this stage. There are too many unknowns as to what has occurred here (both technologically and otherwise).

My take-out from the story so far: We should take IT security seriously.

IT security includes both supply chain, (edit:) and despatch to the customer, and what happens on the device after it is in the hands of the customer.

I imagine that participants in this forum are over-represented as far as those who do take IT security seriously.

2 Likes

My first question would be: What is the make and model of the pager?

That will then allow an examination of the likelihood (or reality) of a supply chain attack and will also allow an examination of potential weaknesses in the device itself.

For example, in respect of the latter, a pager that is used in a sensitive environment (such as running your neighbourhood terrorist organisation) would likely support encrypted on-the-air messaging - but how many users have set that up securely?¹ - and could support remote wipe in case a device falls into the wrong hands - but remote wipe could open up the possibility of a remote attack.

¹ The somewhat equivalent question in a Purism context would be: yes, it’s great that many Librem 5 users use the LUKS encrypted disk image but how many have bothered to change the disk encryption master key?

PS Media ignorant-quote-of-the-day (sadly this one is from Oz, and shows the tech-illiteracy of many journos)

What is a pager?

Unlike mobile phones, pagers work on radio waves — the operator can send a message by radio frequency rather than the internet.

So how exactly does this journo think that mobile phones communicate??

6 Likes

Explode the battery, no.

Heat the device in a way that triggers a thermocouple that was snuck inside as part of a supply chain attack. Sure, any ACE exploit and an infinite loop.

2 Likes

Let’s not forget that the perpetrators of a supply chain attack could, in fact, be the manufacturers of an intentionally compromised device, and run a public store front designed to attract their intended target.

Remember that encrypted messaging application tailor-made for criminals that turned out to be a law enforcement honeypot?

4 Likes

ANOM

As I said, first question, what is the make and model of the pager?

2 Likes

Media reporting …

Make: Gold Apollo (seems like a legitimate brand, not an ANOM-style fake front company, although I admit that I have never owned a pager, never sought to buy one, never used one)

Model: AR924, AP924 and others.

The shipment was reportedly interdicted and a very small explosive device implanted. I guess that makes it less interesting from a tech point of view because, let’s face it, if you don’t pay for Anti-Interdiction (AI) and someone plants a bomb in your device, the end result is not going to be subtle or complex. (There is still a tech question regarding exactly how the remote detonation was implemented i.e. from a telecommunications point of view.)

I think Iran needs to look at its “three Hs of Hell” strategy - because the Houthis are busy disrupting shipping in the Red Sea, which means that if there are unexpected delays in the arrival of the shipment to Hezbollah, while the shipment is interdicted, then no one will think it unusual. So it makes it easier for a third party to carry out that interdiction.

4 Likes

Actually, in thinking this through more, I doubt there was remote detonation at all and instead it was time based: just tap into the RTC or even include your own… so much easier to make them all go off at the same time that way and no need to transmit a signal at all.

2 Likes

That can’t be ruled out but it is less flexible e.g. see above comment about Houthis. It would be embarrassing if the pagers all went off while still on the container ship. It’s a lot of effort to go to in order to eliminate no targets and to miss out on psyching the targets out (and maybe pointlessly destroy the contents of one or more containers).

A timer is also completely unable to adapt to unfolding events.

Also

some of the detonations took place after the pagers rang, causing the terrorists to put their hands on them or bring them up to their faces to check the screens.

Also

The detonations started around 3:30pm local time in the southern suburbs of Beirut.
They lasted about an hour, with witnesses saying they could still hear explosions at 4:30pm.

OK, that could, I guess, be explained by crappy RTC chips that don’t keep very good time.

4 Likes

Well, if anything, they won’t be buying from that seller again. No doubt the purchasing agent for that inventory lot has been fired (at least).

3 Likes

A second wave, this time with walkie-talkies: https://www.euronews.com/2024/09/18/further-blasts-go-off-across-lebanon-a-day-after-pagers-attack

1 Like

… which kind of suggests a timer, rather than remotely triggered, because there’s much less functionality available to work with in a walkie-talkie. @OpojOJirYAlG So maybe you are right.

Interestingly both manufacturers - in damage control - disavow the devices.

The Taiwanese manufacturer of the pagers said that the actual batch was made under licence in Europe (which alters the interdiction path).

The Japanese (?) manufacturer of the walkie-talkies says that the actual batch is counterfeit (knock-offs).

Do we believe them? Maybe …

3 Likes

Funny you should say this: banning the use of smartphones among their fighters and command chain was a deliberate IT security decision! We all know what cybersecurity experts call a smartphone: a surveillance device.
On the other hand, they might not have known what a supply chain attack means, or have thought it unrealistic, or simply have had absolutely no control over this type of sophisticated interdiction scheme.

3 Likes

And just putting it out there … why was a European company (allegedly) allowed to sell devices to a listed terrorist organisation in the first place? One can argue that Hezbollah may have ordered using some fake front company that wasn’t detected by the seller but then someone knew which order to interdict.

All very murky.

3 Likes

My take on this aspect of the story is that it is very easy to sell this type of hardware (which is not even considered military equipment - but rather hospital in-house communication devices) to any company in Lebanon. The final end-user and purpose are therefore hidden and the transaction legit.

2 Likes