Mastodawn

Matt Blaze Sep 17, 2024

Current reporting from NYT and others (gift link: https://www.nytimes.com/live/2024/09/17/world/israel-hamas-war-news?unlocked_article_code=1.LU4.yQNN.lrxL0ef79K2O&smid=url-share) essentially confirms the speculation: Supply chain tampering with a new batch of 3000 pagers from Taiwan ordered by Hezbollah, involving adding 2oz of explosive material near the battery. Reports of 2800 injured, implying that essentially all of them went off, apparently nearly simultaneously, suggesting this was not targeting particular individuals (just anyone with a pager in the batch). At least nine deaths so far.

Pagers Explode Across Lebanon in Apparent Attack on Hezbollah

The attack killed 11 people, including a young girl. Officials briefed on the operation say Israeli operatives planted explosives in pagers Hezbollah bought from a Taiwanese company. Israel declined to comment.

The New York Times

Matt Blaze Sep 17, 2024

... The pagers apparently were programmed to beep and then display a message ostensibly from Hezbollah leadership, and then explode, behavior that would encourage users to be in close proximity to the device as it exploded.
...

Matt Blaze Sep 17, 2024

Unclear from reporting how they were triggered. Some possibilities include:

- completely offline (all the compromised pagers were pre-programmed to beep and explode at a particular time)

- a broadcast signal (possibly sent by a high power transmitter controlled by Israel) that all the devices were programed to respond to

- individually addressed messages to each of the pagers (less likely, since that would take a while to go through).

My guess is the first.

Matt Blaze Sep 18, 2024

... The disadvantage (to the attacker) of offline pre-scheduled triggering is that it becomes essentially impossible to scrub or reschedule the attack if something goes wrong or there's reason for delay. So I wouldn't rule out a broadcast signal entirely. Assuming some of the devices survived (duds, etc), I'd imagine there's a lot of reverse-engineering being attempted right now.

Notably, the NYT reporting isn't hedging even slightly on identifying Israel as the source of the attack, though does note that they haven't officially commented.

Matt Blaze Sep 18, 2024

As I've noted elsewhere, one-way pagers (at least the kind that don't explode) are actually a pretty good way for a covert organization to communicate with its members. Unlike cellphones, which are constantly registering with a local tower, pagers don't expose the locations of recipients to the infrastructure or to eavesdroppers. They work by "flooding" - broadcasting all messages over the entire service area, leaving it to the devices to filter out the messages addressed to them.

Matt Blaze Sep 18, 2024

Another note: a supply chain compromise is a very powerful capability, and by using it this way they effectively completely burned it, foreclosing the possibility of future exploitation. Hezbollah (and anyone else who considers Israel an adversary) is going to be *very* careful about how it sources its gear for the foreseeable future. (What else might you do if you could control comms gear of your adversary?) This was likely VERY carefully considered, likely at the highest levels of government.

Matt Blaze Sep 18, 2024

The plot continues to thicken, with another wave of exploding devices reported among Hezbollah members around Lebanon today. This time, it appears to include walkie-talkie-type radios. I've not yet found reliable reports of specific models of radios, so it's hard to even speculate yet on how these might have been triggered - possibly over the air, but also possibly with a pre-set timer.

What's clear is that Hezbollah's supply chain problem is even worse than it seemed yesterday.

Matt Blaze Sep 18, 2024

Note that there are obviously a large number of moral, ethical, and legal questions about this whole operation. I'm focused on the technical, strategic, and logistical issues in this thread, which should not be taken to suggest in any way that I don't think those questions are important or worth probing. It's just not what I'm exploring here.

Matt Blaze Sep 18, 2024

On the latest round of explosions, so far I've found a couple photos of a mangled Icom model V82 walkie-talkie, a discontinued (but still widely available around the world in counterfeited form) commercial analog two-way radio.

But it's unclear if that's the only type of device that exploded today, and it's also possible that the various photos I've seen are all of the same individual radio. Still haven't seen good authoritative reports of the scope and scale of todays wave of explosions.

Matt Blaze Sep 18, 2024

At this point, everyone in Lebanon and Hezbollah has to be wondering what's going to be exploding tomorrow.

Matt Blaze Sep 18, 2024

So I've now seen video and stills of several different exploded radios. All appear to be Icom V82s (or something that looks similar). In all but one case, the battery was missing, and the damage to the radio itself was relatively small, adding credence to the hypothesis that the explosion came from the battery pack. I believe the battery form factor is common to a number of Icom models, including the current ones. So possibly what was compromised was a shipment of replacement batteries.

Matt Blaze Sep 18, 2024

Walkie-talkie radios differ from pagers in several relevant ways here. First, they're larger, and so have room to hide more explosive material; some of the images I've seen show damaged buildings, suggesting larger explosions than we saw with the pagers.

Second, walkie-talkies aren't generally carried around all the time the way pagers are. They typically spend a lot of time off and sitting in a charger, possibly near other radios. This is also consistent with the images of damaged buildings.

Matt Blaze Sep 18, 2024

Icom may not be a household name (well, it is in my household, but I'm a nerd). They're a major manufacturer of two-way and related radio gear for commercial, industrial, public safety, marine, aviation, and amateur markets, based in Japan and marketed around the world. The V82 radio that was apparently exploding is an older, discontinued model, but counterfeit versions of it from various Chinese sources are widely available.

Matt Blaze Sep 18, 2024

In any case, the V82 battery does not have a data connection to the host radio, so that means that (assuming it was the battery pack that exploded) any triggering mechanism was likely self-contained in the battery pack and did not make use of the communications capability of the radio itself. That would mean it was trigged by either an offline timer or a separate receiver/antenna inside the battery pack. If the latter, it would have to be in range of a signal sent by the attacker.

Matt Blaze Sep 18, 2024

Current reporting says at least 20 deaths and 450 injuries from today’s walkie-talkie explosions (this is on top of yesterday’s pagers). The pagers seem to have injured (roughly) a single individual each. The apparently more powerful explosions from the walkie-talkies may have each claimed more victims. So it’s less clear from this how many compromised devices were actually involved today.

Matt Blaze Sep 18, 2024

Notably, yesterday the fact that Hezbollah had recently ordered and received a large number of pagers was immediately reported. There doesn’t seem to be any similar information coming out yet about new radios (or radio battery packs). This might be simply because sources are drying up or haven’t yet spoken, or it might be that today’s attack didn’t exploit Hezbollah’s supply chain in the same way the pager attack did.

Matt Blaze Sep 18, 2024

Important caveats on all this: there’s a lot we don’t know, and much of what we assume we know may be mistakenly or deliberately misleading. In particular, as far as I know, no one has yet reverse engineered or forensically examined (or publicly reported the result of any such investigation) any surviving pagers or radios, which would be very helpful in confirming a lot of these assumptions.

Matt Blaze Sep 19, 2024

Some new details reported in this NYT article (gift link: https://www.nytimes.com/2024/09/18/world/middleeast/israel-exploding-pagers-hezbollah.html?unlocked_article_code=1.L04.bSZU.vUhf54b0cGP_&smid=url-share)

This fills in some gaps, assuming it's accurate (caveat here, given anonymous, presumably motivated sources):

- The pagers were manufactured by a Hungary-based Israeli shell company and used a special battery containing PETN.

- The explosions were trigged in real time, but no details about the specific triggering mechanism.

- No details about how the exploding walkie-talkies worked or how they were inserted.

How Israel Built a Modern-Day Trojan Horse: Exploding Pagers

The Israeli government did not tamper with the Hezbollah devices that exploded, defense and intelligence officials say. It manufactured them as part of an elaborate ruse.

The New York Times

Matt Blaze Sep 19, 2024

... So we know a lot more about the pagers at this point than the exploding walkie-talkies, which appear to have made their way into Hezbollah's hands through a different channel than the pagers. Unclear whether the radios even involved a supply chain compromise, as opposed to, e.g, an insider mole swapping out radios and/or batteries.

Matt Blaze Sep 19, 2024

Hezbollah's scale works against them here. The problem with the pagers was they needed to buy so many of them (3000!) that it was effectively impossible to source them quietly and anonymously within the local economy. Instead, they had to act like a bureaucracy, putting out solicitations and ordering in bulk from suppliers. This exposed them. The seller (Israel) was able to react, attract their business, and deliver rigged devices as part of what appeared to be a normal business transaction.

Matt Blaze Sep 19, 2024

But again, none of this was necessarily how the exploding walkie-talkies were delivered. We don't know much of anything about that yet.

Matt Blaze Sep 19, 2024

Also notable: While Israel isn't saying anything publicly, it apparently did brief the US government on at least the pager operation, and US intelligence officials are "leaking" those details with the press. I don't think for a moment that those "leaks" are unauthorized or causing Israel any particular heartache. It's likely in their interests to have everyone know they were behind this, but also to stop short of admitting it.

Matt Blaze Sep 19, 2024

Lebanese military now doing controlled demolitions of suspect pagers and walkie-talkies, implying that at least some of the sabotaged devices failed to detonate. I would strongly suspect that they aren’t blowing up all of them, but saving a few for (presumably extremely careful) reverse engineering and forensic analysis.

Matt Blaze Sep 19, 2024

After another day, the contrast between the large amount of information known/leaked about the pagers and the paucity of detail about the radios is even more conspicuous to me.

Most of the detail about the pager attack (shell companies, explosives built into batteries, etc) appears to have come directly from Israel, which benefits from advertising that it had this capability now that it's burned. But the radios likely exploited a different channel, probably one they still want to protect.

Michael Gemar Sep 19, 2024

@mattblaze A bit like their nuclear weapons program…

Xenotar Sep 19, 2024

https://en.wikipedia.org/wiki/State_terrorism

State terrorism - Wikipedia

lumpen 🍉 III Sep 19, 2024

@mattblaze seems like a lot of Israeli operations are aimed at showing off their technical abilities, like that hit that pulled in Iran a month or to ago, above and beyond whatever is actually achieved

Rufus J. Cooter Sep 19, 2024

@mattblaze Yeah, I think "scale" is the thing that I take away from this; it's impossible to operate independent "cells" like some 80s/90s spy thriller villain, and also issue RFPs for your procurement needs

Damien Miller Sep 19, 2024

@mattblaze apply this to another large organisation with a complex supply-chain, say, Apple

Cassandrich Sep 19, 2024

@mattblaze This. Using pagers was a backwards-ass security measure in a world where you can have much better untrackable communication with normal general purpose devices everyone carries that aren't suspicious.

Nazani Sep 19, 2024

@mattblaze
What surprises me is that anyone is surprised. The team that tracked down the terrorists who planned the Munich Olympics attack rigged a land line phone to explode when a specific person answered it.

Resistor McResistanceFace Sep 19, 2024

" kill them all and let the God of Abraham sort it out"- Jewish Space Pagers

Crimes against humanity in the name of Israel is anti-Semitic

@mattblaze Maybe it stems from the Hezbollah top brass saying they had to pivot from mobile phones *before* ordering the kit. They could feasibly have interdicted any spare battery shipments for walkie talkies or whatever too. It's probably a couple of hundred at most, so more run of the mill.

Darryl Ramm Sep 18, 2024

I'd have expected an immediate stop to using electronic devices aquired though the organization and careful inspection. But uh nope...

If Israel can track who was killed or injured, and communications around that it may help map the organization structure, of course if they are inside the pagers or pager infrastructure already they may know lots.

AstroMancer5G (she/her)Sep 19, 2024

@mattblaze
Who should be checking their devices for explosives, and how should they do it? Is it still a possibility that devices with hidden explosives in them could be out there?
@mvario

the hatter Sep 19, 2024

@AstroMancer5G @mattblaze @mvario Any competent repairer should be able to pop open a device and spot a worthwhile quantity of explosive taking up space where something else would be. Sounds like the attacker wasn't selective, reviewer could have taken apart 10% of one batch, 1% of other batches. A targeted individual would have a greater cost fraction but organisationally you can target this sort of practice. Even non-destructively, an xray would probably have been enough to spot this.

the hatter Sep 19, 2024

@AstroMancer5G @mattblaze @mvario My first thought was maybe it was a standard big-name pager with a modified plastic shell to keep it hidden from casual inspection - else a couple of misbehaving devices and a bored/curious hezbollah geek may well have popped the lid and realised something was wrong. Building it into the battery was a solid option, especially if they weren't going to be used extensively before being triggered.

spmatich vk3spm

@mattblaze when i think about how much expense and risk is involved to compromise the supply. the fact that only 9 people were killed out of nearly 3000 explosions, and at least one, the 10yo girl, could not have been a valid target. It’s an exceedingly poor outcome. 0.03% kill. But not just that it’s a completely indiscriminate 0.03%. They would have known something like this would be the likely outcome, but they did it anyway. To me it smacks of desperation.

Prabhakar Ragde Sep 18, 2024

@mattblaze There are reports that Israel wanted to use this as part of a coordinated attack on southern Lebanon but was forced to use it prematurely because of Hezbollah suspicions. An offline timer would not be as flexible as they might want/need. They are presumably embedded enough in the area to be within range (not an issue with the previous pager attack).

Choong Ng Sep 19, 2024

@mattblaze Bunnie has a credible breakdown of the engineering required to make a version of this. I would guess in both the pager and radio case the signaling used the host device's radio and firmware mods or bugs.

https://www.bunniestudios.com/blog/2024/turning-everyday-gadgets-into-bombs-is-a-bad-idea/

Matt Blaze Sep 19, 2024

@choong the pagers were custom manufactured.

Michael Slade Sep 18, 2024

@mattblaze Wonder if the battery pack case for the radio is large enough to hold a pager circuit, explosive, and battery, The detonator would be the same as the pagers.

Matt Blaze Sep 18, 2024

@michaelslade almost certainly yes.

David Schuetz ** looking for work **Sep 18, 2024

@mattblaze Tomorrow it's gonna be one modern car whose brake-by-wire fails mysteriously at 60 mph.

Doesn't need to be pervasive, or even repeatable. Just need to sow discord & suspicion.

aardvark Sep 18, 2024

@mattblaze I may store some radios for emergency use away from the house until we get a better sense of how controlled and targeted the supply chain manipulation was.

Heidi Li Feldman Sep 18, 2024

@mattblaze Your focus is very helpful.

Lockpick Extreme Sep 18, 2024

@mattblaze We're the explosive charges in those pagers and radios too small to be noticed in an airport xray?

Matt Blaze Sep 18, 2024

@LockEx Reports about the pagers were "1 or 2 ounces" and "a few grams" of "explosive material" near the battery.

Dave Sep 18, 2024

@mattblaze
ICOM IC-82 handheld VHF transceivers according to

https://www.latimes.com/world-nation/story/2024-09-18/second-wave-of-device-explosions-rocks-lebanon

Second wave of device explosions rocks Lebanon

Lebanon wracked by fresh wave of explosions of booby-trapped communication devices believed to be part of an electronic sabotage campaign against Hezbollah.

Los Angeles Times

Matt Blaze Sep 18, 2024

@_ Maybe. Maybe that's one of several different devices. Conflicting reports.

trog Sep 18, 2024

@mattblaze so uh, if someone lived somewhere else and had happen to bought walkie talkies or pagers in the last couple years, how worried should they be that they might have inadvertently been exposed to this?

Feels like only a couple boxes in the supply chain have to have been shipped to the wrong spot before things get more awful. How do the manufacturers avoid having to do a full recall?

Ravi Nayyar Sep 18, 2024

@mattblaze If Iran and Co now swap out gear, that's (potentially) a golden opportunity for FVEY and Friends to conduct further supply chain intrusions.

Steve Bellovin Sep 18, 2024

@mattblaze Disrupting Hezbollah's communications was undoubtedly one of the goals of the operation—they’d already stopped using cell phones, and now they'll be suspicious of pagers, too.

fmobus Sep 18, 2024

@SteveBellovin @mattblaze and not only pagers. If I were in their position, I would be weary of buying stuff from anyone.

[email protected]Sep 18, 2024

@fmobus @SteveBellovin @mattblaze And it's not only bombs - imagine a component that emits a specific radio signal when triggered. For example a battery that temporarily broadcasts an ID when current draw suggests that a vibration motor is running. I bet this can be hidden in the charging protection of a regular battery.
Or compents that can be disabled from a distance.

Fritz Adalis Sep 18, 2024

@mattblaze
Or somebody thought they were logged in to the test system like those emergency missile alert broadcasts in Hawaii.

Paper Clip Sep 18, 2024

@mattblaze What are the odds of Israel stepping up operations against Hezbollah, with the latter's comms in disarray.

@mattblaze There are reports that the supply chain was compromised during an Israeli visit to Taiwan months ago back in April coinciding with the shipment timeline. If intelligence agencies and nation states can compromise supply chains at the manufacturer level, this is an incredibly dangerous threat and precedent which has opened up a Pandora's box for the future.

axel.Sep 18, 2024

@mattblaze What a stupid waste of intel capability. Imagine the possibilities, when you have compromised the enemy‘s comms gear.

Mark T. Tomczak Sep 18, 2024

@axeln @mattblaze If I get out my red string and pinboard, the conspiracy theorist in me suspects part of the intent is to push them to use other, less-secure communications tools that are more easily compromised and tracked than one-way pagers.

axel.Sep 18, 2024

@mark @mattblaze it now looks like simple disruption together with the walkie-talkies before escalating.

What a shitshow.

KanaMauna Sep 19, 2024

@axeln @mattblaze

My thought exactly. Why kill a few random individuals when one could track and intercept the operations of the organization for months/years? Stupid power flex.

Eleanor Saitta Sep 18, 2024

@mattblaze
It also imposes huge costs on Hezbollah's sourcing operations, though — now that it's been done once, they have to protect their supply chain against it forever, and as they can't launch the attack, the converse isn't true.

Jef Poskanzer Sep 18, 2024

@mattblaze And now, walkie-talkies.