‘Absolute spy novel’: Rigging pagers to explode is no simple attack
By Tim Biggs
About 3.30pm local time in Lebanon on Tuesday, pagers started exploding. The devices – more modern versions of the kind that many businesspeople used to receive messages before the advent of mobile phones – appear to have been hijacked in a targeted attack against Hezbollah, the Iran-backed militant group.
The blasts injured thousands, and killed at least nine, including a child.
Modern pagers (similar to that pictured inset) were made to explode, injuring Hezbollah fighters and others.Credit: AP / Supplied
Lebanon’s foreign ministry called the explosions an “Israeli cyberattack”, backing up a widespread but unproven assumption that the attack was the work of Mossad. Here’s how such an attack may have been carried out.
Why were pagers targeted?
Hezbollah fighters had reportedly begun using pagers as a low-tech means of communication, after growing concerned that Israel’s famously world-leading cybersecurity force could use smartphones to track fighters or even guide missiles and drones. Having learnt of this, the attacker appears to have tampered with a shipment of pagers, knowing they were bound for Hezbollah fighters.
Targeting personal belongings that targets are known to use is a very common practice in this kind of warfare and, in the past, bombs have been attached to phones, radios and cars, triggered to blow when a certain function is initiated.
Israel itself is known to have used a Motorola phone to kill a target in the 1990s (as covered in the book Rise and Kill First by Ronen Bergman), and a landline phone to injure a target in the 1970s.
In this case, the pagers appear to have created far smaller explosions than either of those two examples, but the added complexity this time is that many devices went off at the same time. Since these are devices that are very likely to be held in the hands or pockets of the targets, that’s still a hugely damaging attack.
How were the pagers tampered with?
Social media was, predictably, filled with security people discussing this very question. Could such simple devices have been hacked to somehow explode? Did they have some design flaw that allowed someone to send a message that caused the battery to overheat and enter thermal runaway?
Cybersecurity architect Jace Powell, a former counter-IED instructor, said his immediate suspicion was less complicated; a bomb planted in each device. Video of the attacks, and photos of devices following the attacks, seem to support this. Thermal runaway creates burning, popping, hissing and smoke before the battery catches fire and becomes a very hot and hard-to-extinguish flame ball. This attack appeared to feature a small, unexpected concussive force.
“I highly doubt these pager explosions were due to batteries alone. Lithium-ion batteries just don’t have the energy density to produce the observed blast effects,” Powell said.
“My guess is a small plastic explosive payload was inserted in the supply chain. The really interesting part is the detonation mechanism, both software and hardware.”
The New York Times cites anonymous officials as saying that a small amount of explosive material was inserted next to the battery in each pager, along with a switch that could be triggered remotely.
How were they exploded?
According to various reports, the pagers received a message and beeped several times before exploding, which could be part of the design of the attack (i.e. to make sure the pager’s owner was holding and looking at the device when it blew up), but could also simply be the result of the trigger.
Reuters cites sources, including “a senior Lebanese security source” as saying the tampered pagers not only contained explosives but a special circuit board used as a switch. When the board received a specific signal, which would be embedded in a message sent to the pager, it would cause a heat source significant enough to detonate the explosives.
“One thing we do know is that each of these devices has cellular connectivity, so you do have a remote trigger built into the device by design. The question is: how do you execute that trigger?” said Troy Hunt, an Australian security researcher.
“You would have to imagine then that this is a combination of not just hardware but software as well [being implemented in the attack], to be able to near simultaneously set all these things off at once.”
An ambulance carries wounded people in Beirut.Credit: AP
What brands were targeted?
The pagers reportedly carried the brand of Gold Apollo, a Taiwanese company, and some people online claimed the pagers were specifically a model called the AR924, which is marketed as a rugged design with long battery life.
However, in a statement to Reuters, Gold Apollo denied that it had made the pagers.
A shipment of pagers was reportedly ordered by Hezbollah months ago. It’s unknown how or when they were tampered with, with some on social media theorising that factory staff could have been bribed to insert the explosives during manufacturing.
Are pagers dangerous?
There are no indications so far that any pagers outside the shipment sent to Hezbollah have exploded or are at risk of exploding. Assuming the detonations are the result of physical tampering and not exploiting a flaw in the device’s regular hardware or software, it would seem unlikely any pagers outside that shipment are affected.
However, the attack is a reminder that an entity sophisticated and well-funded enough can weaponise just about any electronic device. Even security research published openly has detailed methods of igniting phone chargers and other devices, though not in as complex a situation as the one in Lebanon.
Hunt speculated the amount of co-ordination and planning that must have gone into the pager attack would have been massive, likening it to the Stuxnet cyber weapon that took down certain systems related to nuclear facilities while leaving others unharmed.
“How ironic is it, to not use a smartphone in case someone might use your messages, to use a pager instead, and then it blows up. It’s absolutely fascinating” he said.
“I hope one day we get the details about how all this worked. It’s just going to be one of those absolute spy novel kind of stories.”
Get news and reviews on technology, gadgets and gaming in our Technology newsletter every Friday. Sign up here.