Security experts join Cybernews to discuss the world’s first-ever cyberattack using handheld analog devices – and the expected trickle-down effect for those living in Western nations.
Yes, it has been just days since Israel’s notorious spy agency is said to have remotely exploded thousands of handheld pagers, walkie-talkies (and even some unconfirmed reports of solar panel energy systems) belonging to members of the Iranian-backed Hezbollah terrorist organization.
The widespread and coordinated blasts on September 17th and 18th ripped through suburban areas of the Lebanese and Syrian capital cities of Beirut and Damascus, leaving more than 4000 wounded and nearly two dozen dead, mostly Hezbollah members, but also innocent civilians caught up in the blast radius.
Cybernews gathered media reports from around the world last week and put together a detailed explanation of what was known so far about how these successful ‘supply chain’ attacks were allegedly carried out by Israel’s Mossad.
Exploding pagers and other communication devices in #Lebanon among #Hezbollah members today. Recall the public reporting that #Israel has infiltrated the Hezbollah communication networks and that Hezbollah had switched to pagers and couriers after cell phones were banned. pic.twitter.com/AGGVYhE2lC
Jason Brodsky (@JasonMBrodsky), September 17, 2024
Although many questions remain and will be answered in due time, one thing we can be sure of is that these attacks are expected to have a serious impact on our daily lives in the West, especially when it comes to heightening security measures.
But before we dive in, Cybernews quickly recaps how the shadowy Mossad is believed to have taken control of the Hezbollah-destined devices to carry out the first-of-its-kind analog cyberattack.
The preparation and fallout
Initial reports held that Mossad agents were able to intercept thousands of already manufactured pagers and walkie-talkies, pack them with explosives and remote switches, and then send them on their way to Hezbollah leadership in Lebanon.
Long-time Hezbollah chief Hassan Nasrallah (unscathed in the attacks) had recently directed members to ditch their mobile phones due to Israel’s capabilities of intercepting communications, creating the need for more secure replacement devices.
“Bury it. Put it in an iron box and lock it,” Nasrallah had said to members about cellular phones back in February.
The New York Times had reported that the devices were bulk ordered from the Gold Apollo manufacturing company in Taiwan.
But by late last week, the New York Times expanded its report to reveal that Gold Apollo turned out to be a shell company set up by the Mossad and that the spy agency had actually manufactured the devices itself, selling them to Hezbollah through an intermediary company (also set up by the Mossad) in Belgium.
Israel’s elaborate scheme, which was said to have been a year in the making, took advantage of a seemingly benign international supply chain. It proved that even the simplest plans (although logistically complex) can be just as effective.
So effective that almost immediately after the highly coordinated and consecutive two-day attack, Lebanon’s National News Agency announced on Thursday that all pager and walkie-talkie devices were banned from all flights taking off from the country’s main airport in Beirut.
This is wild. It's a timelapse of the Beirut skyline earlier today. Look closely and you'll see where the walkie-talkies & radio explosions took place. pic.twitter.com/2QcNNkqtz9
Aviva Klompas (@AvivaKlompas), September 18, 2024
Lebanon’s government further banned any such devices from being shipped by air.
Qatar Airways quickly followed suit, announcing it would abide by the same restrictions on all flights.
“All passengers flying from Beirut Rafic Hariri International Airport (BEY) are prohibited from carrying pagers and walkie-talkies on board flights. The ban applies to both checked and carry-on luggage, as well as cargo, and will be enforced until further notice,” the Qatar Airways notice stated.
Not surprisingly, Iran’s Revolutionary Guard Corps (IRGC) also ordered all its members to cease using any type of communication device, Reuters reported on Monday.
Trickle-down supply chain effect
So what can society expect now that pagers and handheld radio communication devices have been used as weapons?
Sean Tufts, managing partner for critical infrastructure and operational technology at Optiv, a cybersecurity risk management firm, says that until these attacks, “it was assumed that any pager-sized lithium battery was not powerful enough to cause fatal harm.”
In fact, Tufts says we should “expect anything with a battery and a cell link to have a higher level of scrutiny” – both from a security and manufacturing standpoint.
Still, as with any major disruption, Tufts predicts it will “take several months to fully unpack how this attack was built and the lessons learned.”
When it comes to the supply chain, Tufts explains that the Hezbollah pager attacks will have a definitive impact on how manufacturers approach their Software Development Life Cycle (SDLC).
“SDLC builds that connect into the consumer devices are going to become bigger targets,” Tufts said, pointing out that “Modern manufacturing is just now becoming aware of their attack footprint if they don’t have viable visibility into their process and vendors.”
Tufts explained that in the 1990s, once software code was built, it was considered a done deal as soon as the device was in the client's hands, but now, a manufacturer is on the “reputational” hook for a device's life span.
“Consumers will want to know a product is safe at the time of purchase and into their pocket,” he said, adding that a manufacturer “having ways to verify if a product is still safe will become an expectation.”
This will undoubtedly include the Software Bill of Materials (SBOM) – as well as audit rights of the incoming products, Tufts noted.
“‘I did not know C4 was in the product’ is no longer a viable excuse,” Tufts said of the manufacturing supply side.
For reference, the SBOM is a list of all the components that make up software. It is necessary to bolster software security and supply chain risk management. According to the US Commerce Department, SBOM inventory includes software licenses, versions, and patch status.
The security side effect
Tufts predicts the pager attacks will have an immediate impact on North American and European travel.
Most importantly, Tufts said “we need to understand if our modern scanning equipment would have detected this form of explosive.”
Until this is determined, he said Americans should expect the US Transportation Security Administration (TSA), in charge of security at all US airports, to overcorrect.
“On the whole, TSA is not going to trust any device with a cell antenna for the next 18 months,” he warned. “Lines are about to get longer.”
It’s similar to security changes made after failed shoe bomber Richard Reid was arrested trying to board an American Airlines flight from Paris to Miami barely three months after September 11th.
Additionally, Tufts said that any major physical security company or event will need to reevaluate its posture on electronic devices and rebuild detection capabilities for this type of attack.
He predicts higher levels of security will also become protocol at government buildings, corporations, courtrooms, schools, stadiums, trains, hospitals, and more.
“All will have to edge their security programs more conservatively until a full examination can be complete,” he explained.
“Until Western researchers evaluate the devices and understand if our current scanning equipment would have detected this explosive, everyone will be more conservative,” Tufts said.
Will pagers be phased out in certain industries?
Fears about analog attacks may also have an impact on the individuals and industries that rely on pagers and other hand-held communication devices.
“Pagers in the US and Canada are most commonly used by the medical community. Expect changes to that service,” Tufts said.
The palm-sized electronic devices – also referred to as ‘beepers’ – are a vital means of communication for healthcare and emergency services due to their durability and long battery life.
"It's the cheapest and most efficient way to communicate to a large number of people about messages that don't need responses," a senior surgeon at a major UK hospital told Reuters.
The surgeon noted that pagers are commonly used by doctors and nurses across the UK National Health Service (NHS). "It's used to tell people where to go, when, and what for," he said.
The deadliest weapon in the Middle East today. pic.twitter.com/ngWhsDYs3w
WarMonitor🇺🇦🇬🇧 (@WarMonitor3), September 17, 2024
According to UK government statistics, in 2019, the NHS was recorded using around 130,000 pagers.
Besides doctors who are on call or working in hospital emergency departments, pagers can send out a siren and then broadcast a voice message to groups so that whole medical teams are alerted simultaneously to an emergency, one senior doctor in the NHS said.
Furthermore, according to the New Jersey-based online pager retailer and service provider PagersDirect, there are over 2 million pagers in the United States in use today.
“Many secure facilities do not allow cell phones for various reasons. Government buildings, prisons, and other high-security buildings need to protect their property, and cell phones are prohibited,” the company said.
Pagers “rarely suffer from congestion and work even in times of natural disasters,” unlike their cellular counterparts, PagersDirect said, citing nearly a dozen “entire industries” that still use the devices “as a cost-effective way to manage urgent and critical alerts and messaging.”
Although a tiny fraction of the global smartphone market, in 2023, the pager market still generated about half a trillion US dollars worldwide, with the two biggest markets being North America and Europe.
The company says pager services are still used for and by IT server alerts, alarm systems, building automation systems, real estate management and maintenance, landscaping, snow removal, towing services, automated car wash equipment, casinos and hospitality resorts, parking attendants, security, and law enforcement.
It remains to be seen if the attacks will impact these industries, if these devices will become a staple for covert attacks, or just a one-off now that the damage has been done.