In a coordinated and deadly attack, pagers used by hundreds of Hezbollah members exploded almost simultaneously across Lebanon on Tuesday, killing at least nine people and injuring thousands more, according to officials.
Both Hezbollah and the Lebanese government have pointed to Israel as the orchestrator of what appears to be a highly sophisticated remote strike.
A U.S. official revealed that Israel had briefed the United States following the operation, which involved small amounts of explosives being secretly planted inside the pagers and then detonated.
The official, who was not authorized to discuss the matter publicly, provided insight into the complex nature of the attack, which has left the region on edge and raised concerns of further escalation.
The first wave of explosions erupted across Beirut and other parts of Lebanon at approximately 15:45 local time (13:45 BST) on Tuesday. Witnesses described seeing smoke emerging from people’s pockets, followed by small explosions that sounded like a mix of fireworks and gunshots.
According to the New York Times, which cited U.S. officials, pagers used by Hezbollah members received messages that appeared to come from the group’s leadership but instead triggered the devices to detonate. The explosions continued for about an hour after the initial blasts, according to Reuters.
As the blasts subsided, hospitals across Lebanon began receiving a flood of casualties, with witnesses describing chaotic scenes in emergency rooms.
What Do We Know About the Devices?
The pagers that detonated during Tuesday’s blasts were of a new brand previously unused by Hezbollah, according to an operative speaking to the AP news agency. A Lebanese security official informed Reuters that approximately 5,000 pagers had been brought into Lebanon about five months ago.
Labels found on fragments of the exploded pagers identified them as the Rugged Pager AR-924, manufactured by Taiwan-based Gold Apollo. However, the company has denied any involvement in the explosions. When the BBC visited Gold Apollo on Wednesday, local police were at the scene, inspecting documents and questioning employees.
Lithium Isn’t the Culprit
Tom Exelby, an ex-military security expert who now heads up cyber security at Red Helix, speaking of the speculation around lithium-ion batteries being the culprit, says: “Triggering thermal runaway in lithium-ion batteries requires temperatures to run above 150 degrees centigrade.”
Whether or not it’s possible to trigger this remotely remains to be seen, so it’s unlikely to cause a similar impact to what happened yesterday, says Exelby.
From what we know so far, it appears that pagers packed with explosives were used, rather than a cyber attack as we tend to think of them. “However, the suspected use of mobile cellular networks for triggering the devices shows that it is possible to use publicly available digital infrastructure to carry out nefarious acts.”
Lithium-ion batteries found in small consumer devices cannot release their chemical potential energy fast enough to cause the type of concussive explosion that’s being widely reported in pagers at the moment, Exelby explained.
He says that due to the rise in cybercrime and our reliance on connected devices, industry mandates for device manufacturers (like the PSTI Act) are in place to better secure connected devices before we, as consumers and employers, can buy them.
Compromised Supply Chain
More recently, technology has become more widely accessible for manufacturers to test the security resilience of devices against threats. However, given what the world saw yesterday, with thousands of pagers being used as bombs, it seems less likely that attempts to interfere with battery management systems would take place due to their lack of ability to cause major disruption.
It would appear that thousands of pagers packed with explosives were used in the attack. To achieve this, the supply chain of these devices was probably compromised.
To target a specific organization, it is likely that the devices were ordered in bulk to arrive at a known set of addresses. In a situation where the supply chain is highly compromised, a smartphone could be used to deliver a similar style of attack. However, this isn’t likely, given the ability to target individuals accurately through publicly available retail channels.
It is unlikely that this style of attack will become more common due to its sophisticated nature and its ability to accurately target people. However, this could be a wake-up call to tech manufacturers to confirm the security of their supply chains, Exelby ends.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.