More Details on Israel Sabotaging Hezbollah Pagers and Walkie-Talkies

The Washington Post has a long and detailed story about the operation that’s well worth reading (alternate version here).

The sales pitch came from a marketing official trusted by Hezbollah with links to Apollo. The marketing official, a woman whose identity and nationality officials declined to reveal, was a former Middle East sales representative for the Taiwanese firm who had established her own company and acquired a license to sell a line of pagers that bore the Apollo brand. Sometime in 2023, she offered Hezbollah a deal on one of the products her firm sold: the rugged and reliable AR924.

“She was the one in touch with Hezbollah, and explained to them why the bigger pager with the larger battery was better than the original model,” said an Israeli official briefed on details of the operation. One of the main selling points about the AR924 was that it was “possible to charge with a cable. And the batteries were longer lasting,” the official said.

As it turned out, the actual production of the devices was outsourced and the marketing official had no knowledge of the operation and was unaware that the pagers were physically assembled in Israel under Mossad oversight, officials said. Mossad’s pagers, each weighing less than three ounces, included a unique feature: a battery pack that concealed a tiny amount of a powerful explosive, according to the officials familiar with the plot.

In a feat of engineering, the bomb component was so carefully hidden as to be virtually undetectable, even if the device was taken apart, the officials said. Israeli officials believe that Hezbollah did disassemble some of the pagers and may have even X-rayed them.

Also invisible was Mossad’s remote access to the devices. An electronic signal from the intelligence service could trigger the explosion of thousands of the devices at once. But, to ensure maximum damage, the blast could also be triggered by a special two-step procedure required for viewing secure messages that had been encrypted.

“You had to push two buttons to read the message,” an official said. In practice, that meant using both hands.

Also read Bunnie Huang’s essay on what it means to live in a world where people can turn IoT devices into bombs. His conclusion:

Not all things that could exist should exist, and some ideas are better left unimplemented. Technology alone has no ethics: the difference between a patch and an exploit is the method in which a technology is disclosed. Exploding batteries have probably been conceived of and tested by spy agencies around the world, but never deployed en masse because while it may achieve a tactical win, it is too easy for weaker adversaries to copy the idea and justify its re-deployment in an asymmetric and devastating retaliation.

However, now that I’ve seen it executed, I am left with the terrifying realization that not only is it feasible, it’s relatively easy for any modestly-funded entity to implement. Not just our allies can do this—a wide cast of adversaries have this capability in their reach, from nation-states to cartels and gangs, to shady copycat battery factories just looking for a big payday (if chemical suppliers can moonlight in illicit drugs, what stops battery factories from dealing in bespoke munitions?). Bottom line is: we should approach the public policy debate around this assuming that someday, we could be victims of exploding batteries, too. Turning everyday objects into fragmentation grenades should be a crime, as it blurs the line between civilian and military technologies.

I fear that if we do not universally and swiftly condemn the practice of turning everyday gadgets into bombs, we risk legitimizing a military technology that can literally bring the front line of every conflict into your pocket, purse or home.

Posted on October 15, 2024 at 7:06 AM • 13 Comments

Comments

Peter October 15, 2024 10:42 AM

I got a feeling unnamed marketing official, knowledge or not, doesn’t have long for this world.

That said, besides the fact I think they are lying and she knew, curious how she wouldn’t know “As it turned out, the actual production of the devices was outsourced and made in Israel” given she supposedly started her own company, that would be something you would tend to know. I mean I could understand how that would be possible if she was just an employee of an existing front company, even if the CEO, as everyone in the know could simply be lying to you but it’s a bit more incredulous when you supposedly started the company yourself. I mean what are the chances the Mossad just randomly found her new company, infiltrated all the key positions, suggested a new product, and then got it approved all without her knowledge as the owner and founder nor any other person being the wiser.

Worthington October 15, 2024 12:31 PM

Another issue that should be spoken about (but definitely not here) is whether a previously heavily oppressed group should never be criticized. If all attempts to talk about it result in “oh he went THERE” it will be more difficult to control what happens next. Some sort of a balance and respect is needed toward EVERYONE.

traced by IP October 15, 2024 5:48 PM

Per statement: I fear that if we do not universally and swiftly condemn the practice of turning everyday gadgets into bombs, we risk legitimizing a military technology that can literally bring the front line of every conflict into your pocket, purse or home.

James Bond used to utilize similar technologies in popular movies where innocent things were turned into deadly weapons.

And no doubt “it is too easy for weaker adversaries to copy the idea and justify its re-deployment in an asymmetric and devastating retaliation.”

Clive Robinson October 15, 2024 8:03 PM

From a security aspect the article is political trivia and lacking in any technical details.

The fact it’s mostly third party comment or hearsay makes it of even less use from a security aspect.

As I’ve pointed out a drone flying at a few hundred meters has a range that line of sight will cover Lebanon but due to terrain buildings and a few other things line of sight would not have been possible for all the pagers or knock-off Icom handie-talkies (HTs).

A look at the damage to the HT pictured at the time indicates the explosive force went outwards from the HT body not its battery. Whilst this might have been caused by a shaped charge firing toward the user from the battery to create a shrapnel effect, it looks unlikely.

What is true of those Icom HTs is that they had a space at the bottom for an encryption unit or other security device, designed for “commercial security and law enforcement” use.

So it would suggest encryption units might have been part of the “purchase order”.

One single line of technical info indicated that the HTs re-broadcast the audio and potentially a position. As they were not fitted with GPS and GPS equipment at the time these units were put together needed a patch antenna, it suggests that GPS was not the way location data was acquired.

The effectiveness of a transmitter is related to a number of things including but not limited to,

1, TX power.
2, TX frequency.
3, Antenna radiation efficiency.
4, Baseband signal bandwidth.
5, Type of modulation/transmission.

Whilst “store and forward” of the audio is possible it would not be my choice. Because any TX signal has a “power envelope” and that can be accidentally detected by “sound cards”, “audio amplifiers”, “AM radios” and even simple “crystal receivers” such as “bug detectors” and “diode detectors”.

An HT suddenly making such signals would be suspicious and actually quite likely to happen from someone just putting one on a table to charge etc and thus near to other equipment.

My choice would be to TX during HT “in use” as any signals in other equipment would be put down to the usage not a “monitoring device”.

Further I would use as low a TX frequency as possible to alleviate “line of sight” issues, unless talking to say a US SigInt Sat/bird or high altitude SigInt plane flying over Israel (then UHF/microwave is better and a PCB trace will act as an efficient antenna as in DECT and 2G phones). With as wide a TX bandwidth as possible such as spread spectrum not for its LPI potential but for reliability, interference rejection and easy demultiplexing of multiple HT surveillance transmitters you get with CDMA systems design [for which there are multi sourced “Standard Off The shelf”(SOTS) 800MHz parts that will work on lower frequencies].

The problem though is connecting such a TX system up to also be RX unless there was some way to sync up, which there is with DECT, WiFi, LoRa, 2G and 3G SOTS.

But that still leaves the problem of connecting to an explosive charge and where to hide it.

As I said a gram or two of gun cotton or smokeless powder is enough to do the damage seen; other explosives have an even higher energy density. Anyone who has taken a not too modern piece of electronics equipment apart would recognise a standard electrolytic capacitor can, they are not too dissimilar in size to a “Short 22” cartridge but made of aluminium not brass. Making the case in another non magnetic metal that looks like aluminium but with significantly more strength gives an increased shrapnel effect…

The hardest trick is actually stopping accidental detonation as anyone who has “scoped out” a microcontroller based circuit during power up can attest the pins can give you a “wild ride” which is problematic in safety critical systems…

Further you would not want to add any kind of circuit inside a battery unless you really know what you are doing. Because all rechargeable batteries in the form factor used in consumer radio equipment use battery chemistries that must not be fully discharged as it damages the cells if not kills them outright.

There are other aspects to consider which I’m not going to go into as it would be unwise.

However there is one remaining issue you need to think about,

“If the control system is in the body of the pager or HT and the charge in the battery, how do you reliably connect them in a way which would survive X-Ray or destructive physical testing?”

As I’ve indicated LiPo batteries tend to have multiple contacts, but the genuine Icom batteries back then were not LiPo but NiCad AA cells where only two wires were needed.

This creates an issue where X-Ray etc testing is to be expected. Some batteries had an extra contact going to a thermistor so the battery temperature could be checked. However thermistors are simple two terminal components that are little different to resistors so expected in depth examination/testing would show up anything more complex.

Whilst there are solutions mostly they are either fairly easily detectable or insufficiently safe to use…

Thus “surviving” pagers and HTs are highly valuable to any number of people for the technical information within them.

lurker October 16, 2024 1:50 AM

Given how easy it is to pull this trick, if the roles were reversed*, would our attitude towards the perpetrators be any different?

* e.g. a bunch of (smart) TVs blew up all over Israel on command from somewhere else.

Agammamon October 16, 2024 5:53 PM

If the frontline of the conflict is at home – maybe the people who the government nominally answers to will stop letting them get into conflicts across the world that do nothing except enrich contractors and politicians?

traced by IP October 17, 2024 6:37 PM

https://www.timesofisrael.com/hezbollah-pager-explosions-put-spotlight-on-israels-cyber-warfare-unit-8200/

One Western security source told Reuters that Unit 8200, a military unit that is not part of the spy agency, was involved in the development stage of the operation against Hezbollah, which was over a year in the making.

The source said Unit 8200 was involved in the technical side of testing how they could insert explosive material within the manufacturing process.

The unit, and its legion of young, handpicked soldiers, develops and operates intelligence gathering tools and is often likened to the US National Security Agency

While Israel has never confirmed its involvement, Unit 8200 was reported to have been involved in the Stuxnet attack uncovered in 2010 that disabled Iranian nuclear centrifuges as well as a series of other high-profile operations outside Israel.

The unit is famous for a work culture that emphasizes out-of-the-box thinking to tackle issues previously not encountered or imagined. This helped some graduates build Israel’s tech sector and some of its biggest companies.

“Whether it’s a problem with software weakness, math, encryption, a problem hacking into something… you must be capable to do it on your own,” said Avi Shua, a graduate of 8200, who went on to co-found Orca Security, a cloud security unicorn.

“The most significant thing here is the ‘can-do’ culture, where everything is possible,” Samboursky said.

EricTR October 18, 2024 2:00 PM

@Worthington
Another issue that should be spoken about (but definitely not here) is whether a previously heavily oppressed group should never be criticized. If all attempts to talk about it results in “oh he went THERE”…

What you are describing is also a control mechanism used by certain personality types. It is designed to instill a fear of saying the wrong thing—a precursor to walking on eggshells, editing, changing, silencing, or erasing ourselves to avoid triggering ‘visceral reactions.’

Instead, we end up spinning our stories generically around people’s ‘sensitivities’ (which serve as their control tactics). This world will never resolve its issues if it cannot move past this.
