Israel’s Pager Attacks and Supply Chain Vulnerabilities

Israel’s brazen attacks on Hezbollah last week, in which hundreds of pagers and two-way radios exploded and killed at least thirty-seven people, graphically illustrated a threat that cybersecurity experts have been warning about for years: Our international supply chains for computerized equipment leave us vulnerable. And we have no good means to defend ourselves.

Though the deadly operations were stunning, none of the elements used to carry them out were particularly new. The tactics employed by Israel, which has neither confirmed nor denied any role, to hijack an international supply chain and embed plastic explosives in Hezbollah devices have been used for years. What’s new is that Israel put them together in such a devastating and extravagantly public fashion, bringing into stark relief what the future of great power competition will look like—in peacetime, wartime and the ever expanding gray zone in between.

The targets won’t be just terrorists. Our computers are vulnerable, and increasingly so are our cars, our refrigerators, our home thermostats and many other useful things in our orbits. Targets are everywhere.

The core component of the operation, implanting plastic explosives in pagers and radios, has been a terrorist risk since Richard Reid, the so-called shoe bomber, tried to ignite some on an airplane in 2001. That’s what all of those airport scanners are designed to detect—both the ones you see at security checkpoints and the ones that later scan your luggage. Even a small amount can do an impressive degree of damage.

The second component, assassination by personal device, isn’t new, either. Israel used this tactic against a Hamas bomb maker in 1996 and a Fatah activist in 2000. Both were killed by remotely detonated booby-trapped cellphones.

The final and more logistically complex piece of Israel’s plan, attacking an international supply chain to compromise equipment at scale, is something that the United States has done, though for different purposes. The National Security Agency has intercepted communications equipment in transit and modified it not for destructive purposes but for eavesdropping. We know from an Edward Snowden document that the agency did this to a Cisco router destined for a Syrian telecommunications company. Presumably, this wasn’t the agency’s only operation of this type.

Creating a front company to fool victims isn’t even a new twist. Israel reportedly created a shell company to produce and sell explosive-laden devices to Hezbollah. In 2019 the FBI created a company that sold supposedly secure cellphones to criminals—not to assassinate them but to eavesdrop on and then arrest them.

The bottom line: Our supply chains are vulnerable, which means that we are vulnerable. Any individual, country or group that interacts with a high-tech supply chain can subvert the equipment passing through it. It can be subverted to eavesdrop. It can be subverted to degrade or fail on command. And although it’s harder, it can be subverted to kill.

Personal devices connected to the internet—and countries where they are in high use, such as the United States—are especially at risk. In 2007 the Idaho National Laboratory demonstrated that a cyberattack could cause a high-voltage generator to explode. In 2010 a computer virus believed to have been developed by the United States and Israel destroyed centrifuges at an Iranian nuclear facility. A 2017 dump of CIA documents included statements about the possibility of remotely hacking cars, which WikiLeaks asserted could be used to carry out “nearly undetectable assassinations.” This isn’t just theoretical: In 2015 a Wired reporter allowed hackers to remotely take over his car while he was driving it. They disabled the engine while he was on a highway.

The world has already begun to adjust to this threat. Many countries are increasingly wary of buying communications equipment from countries they don’t trust. The United States and others are banning large routers from the Chinese company Huawei because we fear that they could be used for eavesdropping and—even worse—disabled remotely in a time of escalating hostilities. In 2019 there was a minor panic over Chinese-made subway cars that could have been modified to eavesdrop on their riders.

It’s not just finished equipment that is under the scanner. More than a decade ago, the US military investigated the security risks of using Chinese parts in its equipment. In 2018 a Bloomberg report revealed US investigators had accused China of modifying computer chips to steal information.

It’s not obvious how to defend against these and similar attacks. Our high-tech supply chains are complex and international. It didn’t raise any red flags to Hezbollah that the group’s pagers came from a Hungary-based company that sourced them from Taiwan, because that sort of thing is perfectly normal. Most of the electronics Americans buy come from overseas, including our iPhones, whose parts come from dozens of countries before being pieced together primarily in China.

That’s a hard problem to fix. We can’t imagine Washington passing a law requiring iPhones to be made entirely in the United States. Labor costs are too high, and our country doesn’t have the domestic capacity to make these things. Our supply chains are deeply, inexorably international, and changing that would require bringing global economies back to the 1980s.

So what happens now? As for Hezbollah, its leaders and operatives will no longer be able to trust equipment connected to a network—very likely one of the primary goals of the attacks. And the world will have to wait to see if there are any long-term effects of this attack and how the group will respond.

But now that the line has been crossed, other countries will almost certainly start to consider this sort of tactic as within bounds. It could be deployed against a military during a war or against civilians in the run-up to a war. And developed countries like the United States will be especially vulnerable, simply because of the sheer number of vulnerable devices we have.

This essay originally appeared in the New York Times.

Posted on September 24, 2024 at 7:05 AM • 19 Comments

Comments

Peter A. September 24, 2024 7:50 AM

It has been long known as lying in the realm of possibility in technical terms – but so far almost nobody expected it possible in the realm of politics, in terms of someone making a conscious decision of actually employing such tactic, especially not a modern (semi-)Western government. It was thought as only actionable by some evil, but half-fictional or overhyped, big Dr. No, like Mr. K. of N.K. (or maybe, but not so much, Mr. P. of R.)

Putting aside the whereabouts of the attacked and their plans and intents: the perpetrators knew there’d be lots of collateral damage, and they didn’t care the slightest. This is a huge fall of modern world’s governance and of humanity at large. Also, potentially, a huge hit to the alleged perpetrators’ reputation and a spark on the barrel full of gunpowder of hatred that was already brewing against them because of either dumb prejudice or some real insult or injury – whatever it was, it won’t matter since now. And it’ll be the cause of huge insecurity for everyone – to stay in the general topic of this blog.

MR MARK R ARNOLD September 24, 2024 8:14 AM

Hey Bruce,

Would you please expand on airport detection as one assumes there were ‘000s of these devices for many months and again, one assumes, they must have boarded many flights with them being so prevalent.

Thank you, it was your very first book that got me into security. 😊

Mexaly September 24, 2024 9:20 AM

I am very concerned that there is no control of the weaponized device after point of sale.
Does being a family member of a buyer make them a legitimate target?
How does the attacker make sure they don’t down a plane with one of these attacks?

Clive Robinson September 24, 2024 9:44 AM

@ Bruce,

Re : Susceptible only if we want them to be.

With regards,

“Our computers are vulnerable, and increasingly so are our cars, our refrigerators, our home thermostats and many other useful things in our orbits. Targets are everywhere.”

Because we want them to be.

There are various reasons to do with “International Trade” at the lowest cost that has decimated home industry and made supply chains impossibly long to secure.

But there is another reason that we really should consider,

These devices used against civilians in Lebanon had two things in common,

1, Remote Communications capability.
2, User Convenience.

The very incomplete list of things you give also “now have” the same failings.

Thus it can be seen that getting blown up in public and private wherever we go is the price we pay for the convenience of communications.

WASP nation Governments are desperately doing everything they can to force “Smart Meters” into our homes.

If you look at their design the average smart meter could hold not grams but half a kilo or more of very high explosives, and once installed will sit there waiting for up to half a century maybe more.

They all have “communications for convenience” of not the consumer but the utility companies…

Like the pagers and hand held radios they will “function as normal” till someone decides to “take out your home, the block you live in or town or city”.

Now consider medical implanted devices the numbers of which are rising rapidly in the West as they are “easy money” for the insurance industry. Less than 1g of certain very energetic explosives will hit you with the same effect as

“An on target bullet”.

We used to joke about “Dial M for Murder” and others have said of mobile phones as “Warheads on foreheads”…

Can we give up “Convenience by Communications” and will we be allowed to by our own Governments?

Clive Robinson September 24, 2024 10:24 AM

Re : What is the price of peace?

As I note from time to time technology is a “two edged sword”. I’ve also noted that “trade” is the only way that peace can happen not just in the short term but long term.

Which makes,

“Our supply chains are deeply, inexorably international, and changing that would require bringing global economies back to the 1980s.”

A bit of a poser.

The thing is this potential to effect the ability to prosecute war or ensure peace was publicly known back as far as the 1950’s if not earlier.

Those who have read Isaac Asimov’s “Foundation Series” would have been aware of it as it formed a major plot arc early on.

The problem is that nearly everything can be “double edged” if “good or bad” depends on two basic things,

1, What an impartial observer sees of,
2, A directing mind’s intentions.

History is replete with examples of what was good becoming bad and to a slightly lesser extent what was bad becoming good in the majority of societies’ eyes.

The problem we mostly have these days is contrary to what we get told to us over and over in school, we really no longer have any control on politicians and legislators as corporations have the billions to buy what they want.

What has not been mentioned in the equation is how AI will be used to give “arms length” distancing from the very deliberate harm the very few want to inflict on the majority as a new version of,

“The Computer Says”

Excuse for truly appalling behaviours driven by the mindless mantras of those who feel they are entitled.

Kai September 24, 2024 7:02 PM

Re “In 2018 a Bloomberg report revealed US investigators had accused China of modifying computer chips to steal information.”

Extraordinary claims require extraordinary evidence. To date there has been zero proof of anything that Bloomberg claimed in that article. Even some of the named sources in the story have doubts about the claims made.
Supermicro, Apple and Amazon – three of the main companies named, have all publicly called for the story to be retracted.

Q September 24, 2024 11:13 PM

Having all the firmware and software be entirely open, buildable and updatable by the users would help a great deal towards making the devices safer.

The current situation of devices being locked down and not able to be inspected is a major part of the problem. And it is made worse by various legal barriers towards freeing the code. Trademarks, patents, copyrights, and other restrictive laws prevent a lot of things that could make us all safer from the tyranny of not knowing what is actually running in our computer systems.

R.Cake September 25, 2024 3:58 AM

hmm… being mostly a hardware guy, my impression is that we should not spill the child with the bathtub.
While of course this specific attack was very impressively executed, it does not mean that from now on, “we” cannot trust any device anymore not to be a hidden bomb.
This only works with devices that have enough empty space inside of them so that you can actually place anything. That completely rules out modern smartphones in the way they come from the factory. There simply is zero empty space inside of them, so zero chance to place anything.
Similar for other classes of device, but indeed this would take a bit of investigation and being more hardware-savvy than many of “us” are.

On the other hand, such a type of attack is very costly for the attacker, so unless they have loads of useless money lying around or a very, very high interest, it is unlikely anyone will be starting to run such type of attacks at broad scale.
Just try to put yourself into the shoes of the attacker. I can see how you might plan this if you wanted to infiltrate such a trojan device into a closed target organization. On the other hand, if you wanted to deliver such a device into e.g. millions of US households, the necessary scale of actual underground factories, fake organizations and supply chain would be so humungous that it is very hard to conceive how this could be done without anyone noticing.

So, I believe not quite all is lost for “us” = the average Jane/Joe.

Clive Robinson September 25, 2024 6:10 AM

@ Q,

As a design engineer who has had their designs ripped off by two Israeli companies I find your,

“Having all the firmware and software be entirely open, buildable and updatable by the users would help a great deal towards making the devices safer.”

A little ironic.

I’m not the only one to have been “ripped off” and it’s a rising issue and one that even Amazon has been caught doing (yup Amazon see it as OK to steal your IP if your product is successful, but the other way around is a capital offence as far as they are concerned).

But in the “Ham Radio” world there are a number of semi-open source projects where there has been what uninformed journalists call a “China Knock Off”[1] and an entire product gets made unlawfully and sold in ways that damage the original IP holder’s good name.

That is what we have seen recently with those Pagers and Icom HTs has happened to many small European Ventures who see their products being stolen by Chinese “fly by night / back alley” companies that bring a bad name to even the worst of “Shoddy Half-arse IoT”(SHIT) Manufacturers.

[1] The expression “China/Chinese Knock Off” does not mean what most think it does… When the term originated way back last century it applied to “Taiwan” only. As at that time the mainland was still not industrialised in “light industry” like the manufacture of electronics. It took them over two decades to catch up to Taiwan’s reputation, something that the Chinese Political Masters/Party were decidedly unhappy about. And they are still unhappy because Taiwan has moved on at a rate few would have guessed and are now probably the world number one in semiconductor manufacture.

The US Gov has tried many inducements to get TSMC to move premises to US soil. The Taiwanese however do not want to do so for a couple of reasons all to do with the Chinese mainland and war. China has made it clear they see the ROC/Taiwan as being a “break away” that must be reintegrated. The Taiwanese see the Chinese Mainland as being a significant threat of invasion and worse. In effect the Taiwanese see the US as being the “thin blue line” which China has so far been unwilling to cross, Japan, South Korea and other nations likewise. Their only defense being to keep the US “on side” one way or another, one of which is making their homelands the places that the US is significantly dependent on. Thus they have invested in Hi-Tech and have become the places the rest of the world is dependent on at so many levels that China invading would be unacceptable to the US. Some while ago the Taiwanese Premier indicated it would be foolish to build top of the line plants in the US as the US would just grab control and let Taiwan be invaded etc… Those in charge of TSMC and others in Japan and South Korea appear to think the same way.

Nobby September 25, 2024 8:12 PM

Mitigation measures are obvious and well-known from evolution biology, and it’s diversity.
Go and buy a used phone from a shady dealer in uptown, chances are that you’re subject to an accidental attack, but they are much lower than you being a victim of a targeted attack.
Not applicable at enterprise scale, though.

Not really anonymous September 26, 2024 12:42 AM

Don’t count on smartphones not having enough space in them for enough explosive to kill or seriously injure you. Bunnie Huang recently wrote a criticism of Israel’s pager attack and it included a description of how you might embed explosives into the battery that would be hard to detect.

Cybershow September 27, 2024 12:28 PM

An old denial trick used to slow advancing armour was dropping dinner
plates around the roads and burying them rather obviously with a
sprinkling of dirt. They look exactly like anti-tank mines. But the
trick only works if you do two extra things. Also put down a few real
anti-tank mines, maybe one in a hundred. Now the enemy has to check
every one. Lastly, throw a few tiny, nasty little AP mines in amongst
the whole show. Now they have to check it all VERY slowly.

Retreating forces also have a trick. Keep a few rounds of “hot ammo”
for if you get over-run. Hot ammo is deliberately over-charged so that
it explodes in the chamber, sometimes killing or blinding the shooter.
Mix a few of these in among all the boxes you leave behind.

Though we may not call it such, and international conventions are not
clear, these sort of tactics are the very essence of terror. It is
primarily psychological warfare (small number of actual casualties)
with the aim of sapping the enemy’s confidence by sowing fear,
uncertainty and doubt about communications, equipment, rations,
water…

The problem with persistent denial weapons and tactics is that it gets
into circulation – not just actual booby-trapped devices but the fear
of their possibility. The only way out is a full reset/recall and
destroying everything that might be suspect.

Israel had it done to them in the 1970s when Jaffa oranges for export
were injected with poison. So as not to take risks the entire national
crop for that year was dumped.

So yes, while it looks like an attack on Hezbollah it is also an
attack on Samsung, Sony, Apple… the entire electronics industry.
Some comments are about what is “possible”, but they miss the point.
Terror is about what people think is possible and how they adapt to
perceived risk. Since the average citizen knows the square root of
jack about electronics it’s no surprise that kids are already thinking
anybody can make their phone explode.

Given the psychological attachment people have to their phones I think
the effects of this are going to be very far reaching.

Victor Serge September 28, 2024 3:29 PM

The world has already begun to adjust to this threat.

Especially anyone who read any of what Snowden revealed. Question is, what use is an individual’s best effort to lock horns with a ten headed monster that believes that citizens and our equipment are primarily to serve their ends. Even while they are funded thru the roof.

“it would be better for him if a millstone were hung about his neck and that he were drowned in the depth of the sea” (NMB https://www.biblegateway.com/passage/?search=Mat18:6&version=NMB)

Clive Robinson September 29, 2024 11:03 AM

Why use pagers?

Is a question some are asking.

And it’s been answered years ago on this blog on a couple of occasions from different view points,

https://www.schneier.com/blog/archives/2013/03/identifying_peo_5.html/#comment-193810

https://www.schneier.com/blog/archives/2017/12/tracking_people_5.html/#comment-312402

And alternative ways,

https://www.schneier.com/blog/archives/2013/01/anti-surveillan_1.html/#comment-190255

And slightly less explicitly years before that back in 2009,

https://www.schneier.com/blog/archives/2009/11/leaked_911_text.html/#comment-125921

So proof yet again if needed that this blog is a half to a decade and a half ahead and on average on the ICTsec industry… and describes in fair detail around 8 years in advance.

Clive Robinson September 30, 2024 8:47 AM

Supply chains and backdoors

In ICT Security we rightfully point out that,

1, Backdoors are never NOBUS

And to a lesser extent,

2, Putting hooks in any system to allow for backdoors will result in backdoors being fitted by ‘friend or foe’ regardless of your wishes.

Well the IEEE has just made available an interesting perspective on this and the,

3, All humans are fallible and thus want to recant / rescind not regret at some point.

Thus will want to stop an item in the delivery process that forms a supply chain terminal phase,

https://spectrum.ieee.org/nuclear-war

JG5 October 3, 2024 9:07 AM

Help! Around the time that commenting was active on the pager supply chain attack, someone posted an observation along the lines of “What chance does the average citizen have against the tentacles of the octopus?”

I tried searching with DuckDuck, which is far less effective than Gluegle, and Microscam CoPilot. No luck. Not sure which of the Titans will come out ahead in this race to the bottom.

The same sentiment has been expressed many times in the past. I found some of those examples. Can anyone recall the comment I am describing?

CoPilot
https://www.bing.com/chat

You:

Someone recently, likely in August or September, posted a comment to Schneier.com to the effect of “What chance does the average citizen have against the tentacles of the octopus?” Can you find it? The exact wording may not include average or citizen, and may not include both tentacles and octopus. But the meaning is well captured by my prompt.

Copilot:

I couldn’t find the exact comment you’re referring to on Schneier.com. However, it’s possible that the comment might not be indexed by search engines or could be buried in a long thread. You might want to try searching directly on Schneier.com or browsing through recent posts and their comments sections from August and September.

If you have any other details or context about the post, feel free to share, and I can help refine the search!

You:

Why can’t you search the comments for me?

Copilot:

I understand your frustration. Searching through comments on specific websites can be tricky because they might not be indexed by search engines, and I don’t have direct access to search within the comments section of Schneier.com.

However, you can try using the site’s search function or manually browsing through the comments on posts from August and September. If you have any more details about the post or the context, I can help refine the search or suggest other ways to find it. Let me know how else I can assist!

You:

You are pathetic.

Copilot:

I’m sorry you feel that way. If there’s anything else I can help with, please let me know.

Clive Robinson October 4, 2024 5:51 AM

@ JG5,

Sorry I cannot help with your search.

But your final to Co-Pilot, suggests that you are not adhering to the “5BS” Microsoft marketing plan steps of being,

“Bedazzled, Beguiled, Bewitched, Befriended, and BETRAYED”

And that their oh so super-secret betrayal 2S4P plan of

“Surveillance to Sell the Peons Private and Personal for profit”

Is not working with you… Indicating you are not a “typical indoctrinated American” thus you are a great disappointment to them 😉
