Exploding pagers, walkie-talkies and finger recognition devices signal a new era of warfare in the Middle East. But can a smartphone also be turned into a bomb through cyber hacking? Ann-Marie Corvin speaks with two former FBI agents and an ethical hacker to find out what is and isn't possible
September 19, 2024
With dozens killed this week and thousands more injured as 5,000 handheld pagers, plus radios and finger recognition devices, detonated across Lebanon, the ensuing panic reportedly caused residents to tear the batteries from their smartphones.
But can smartphones that haven’t been physically tampered with be hacked in this way? And is there a possibility that these pagers used by members of the armed group Hezbollah were hacked remotely?
According to reports, the explosions on Tuesday appear to have taken place within half an hour of each other and were preceded either by a message or the beeping of an alert that prompted many to take the devices out to look at their LCD screens.
A second wave of attacks followed on Wednesday, killing 14 and involving handheld radios detonating. Further reports of solar panels and finger recognition devices detonating came in at the time of writing.
While Israel hasn’t formally claimed responsibility for the attacks, which have pushed the region back to the brink of wider conflict, it hasn’t denied them either.
Old school tech
Popular in the late 80s and early 90s before smartphones became prevalent, pagers are small, battery-operated radio receivers that trigger an alert (audible or vibrating) when they receive the proper signal.
Pagers run on comms networks and so don’t require an internet signal — making them useful to members of the military who don’t want to be traced.
These old-school devices are still heavily used in medical communities all over the world, and are generally used in parts of the Middle East where cellular networks are not as prevalent.
But how could these tiny, old-school pagers — usually powered by single AA or AAA batteries or lithium in the newest models — be forced to explode? And if this was a remote attack, what’s to stop other cyber criminals from carrying out similar attacks?
Experts point to two possibilities. The first is a cyber attack in which malware forced the pagers’ lithium batteries to overheat and then explode.
The second — and more likely scenario — points to a supply chain attack in which a shipment of pagers bound for Lebanon was intercepted and a tiny amount of explosive surreptitiously inserted.
Former FBI agent Adam Marrè, now Arctic Wolf CISO
According to former special FBI agent Adam Marrè, now chief information security officer at Minnesota-based cyber firm Arctic Wolf, the likelihood that this was a cybersecurity incident in which someone was able to hack into a standard pager and make it explode is extremely low.
“While there are scenarios in which a device could explode, the scale that we witnessed of this attack would be nearly impossible to execute,” he told TechInformed.
“What’s more likely is that these devices were tampered with prior to being shipped to the recipients, making this a supply chain issue.
“This is further demonstrated now that we’ve heard that walkie-talkies are also exploding; the breadth of devices that have been tampered with proves that what we’re seeing is more likely a coordinated attack on devices rather than a hacking incident,” he adds.
With Reuters reporting that the handheld radios were purchased at the same time as the pagers, another former special FBI agent, Miguel Clarke, backs the physical supply chain attack theory.
Now a cyber sec evangelist at Armor Defense, Clarke adds: “It is being reported that the radios were purchased at the same time as the pagers. Due to US and EU sanctions, selling electronics to Iran or its entities is prohibited.
“The sanctions create a “third party” supply chain risk situation, like what a typical corporation might experience. Sourcing goods and services through a proxy means that the end user will have less control over the process.”
Orchestrated attack
Former ethical hacker Danny Jenkins, now CEO of Florida-based Zero Trust cyber security firm ThreatLocker, agrees that a supply chain attack is most likely. “A pager can receive a cellular signal from anywhere so therefore it can receive a detonation signal from anywhere.
“The assumption in this case is that they replaced the battery with a smaller battery and in place of the old battery they packed it with some explosives.
“A shipment was intercepted somewhere; they offloaded the pagers and refitted the pagers with explosives or replaced them with rigged ones.”
“Because a pager is a cellular device it can be used to issue an instruction. It sounds like they sent a message to get the user’s attention and then sent a second message which triggered the explosion,” Jenkins adds.
According to Clarke, as far as the “cyber” side of the problem goes, the coordinated nature of the explosions is evidence of some form of remote code execution.
Miguel Clarke, cyber sec evangelist at Armor Defense and ex-FBI agent
“There are no reports of accidental detonations which makes me think that the trigger was not a radio detonator, but some type of electronic signal,” he says.
“Typical radios and pagers are constructed from incombustible materials. Circuit boards, or printed circuit boards (PCBs), are generally made from materials that are designed to be flame-resistant.”
Clarke adds that radio and electronic signals lack the energy to convert flame-retardant fibreglass and epoxy resin into explosive material.
If anything, circuit boards might burn, he says, but not explode. The security expert uses the example of Samsung’s Galaxy Note 7 battery issues as a case in point: “Reports of exploding batteries were the result of the 3500mAh battery catching fire which could result in a low power explosion.
“Low explosives burn at a slower rate than the speed of sound. High explosives detonate at a rate greater than the speed of sound. The high number of explosions and the comparatively low number of casualties also point to the use of a small, high explosive being used,” says Clarke.
Supply chain pains
In terms of pinpointing whereabouts in the supply chain the exploding devices were tampered with, Marrè believes this could have occurred prior to being shipped to the recipients.
“This is further demonstrated now that we’ve heard that walkie-talkies are also exploding – the breadth of devices that have been tampered with proves that what we’re seeing is more likely a coordinated attack on devices rather than a hacking incident,” he says.
Jenkins suggests that if they were not tampered with at factory level, then it may have been en route to Lebanon.
“It’s fairly common to intercept ships in the Middle East, so it doesn’t seem unreasonable that a ship was intercepted, and the pagers were either tampered with or even replaced,” he says.
Danny Jenkins, ThreatLocker
According to reports in the FT and The New York Times, the pagers were issued by Taiwanese company Gold Apollo but the owner has since claimed that this particular batch was manufactured by Budapest factory BAC, with which it had a long-standing licensing agreement.
By whatever means these devices were hacked, Jenkins questions why the attackers chose to make them explode – rather than planting tracking or listening devices, which would have been far more useful for gathering intelligence.
“I don’t want to get too much into the politics of it all, but it seems like a hell of an operation to kill 12 or so people, it seems more like they wanted to make a statement.”
Should we be worried?
So, should civilians and critical infrastructure organisations be concerned about state or non-state bad actors carrying out a cyber attack on personal mobile devices?
The answer is both ‘yes’ and ‘no’. Geopolitically and supply chain-wise, these attacks are concerning as they highlight several vulnerabilities that may have previously been overlooked.
Referring to the Gold Apollo devices, Taiwan government officials and industry experts have confirmed that devices assembled in Europe or the Middle East would still have had to source most components from Taiwanese- or Chinese-owned companies.
It highlights the complexity of technology supply chains, which span tens of thousands of often small Taiwanese businesses. Many of them are run by founders, people with ample experience in running factories in China or Vietnam, but with little understanding of cross-border security issues or export control rules.
For Clarke the attacks are indicative of a new breed of attacks that mix the physical with the cellular as well as the digital.
“As time passes, I think you will see fewer “pure cyber” attacks. MGM’s ransomware attack from 2023 is a very good example. That breach involved humans making telephone calls to gain electronic access.
“As technical controls get more and more sophisticated, attackers will need to augment their technical efforts with human interventions.”
Clarke cites an incident where a small piece of malicious code was able to cause severe physical damage, blowing up a 27-ton generator. This case, he adds, emphasises the potential danger of cyberattacks on industrial systems, illustrating how even minor coding actions can have catastrophic real-world consequences.
Another worry is that the Lebanon pager attacks also signal a new wave of warfare in the Middle East that is impacting civilians as much as it is soldiers in this soon-to-be-year-old Israel-Hamas-Hezbollah conflict.
However, according to Marrè, our smartphones are safe for now. “While this does bring up fundamental questions about protecting supply chains – we’re fortunate that this kind of attack would be extremely difficult to perform at scale on standard devices,” he says.