Death by Remote
Death by Remote
The recent cyber-physical attacks in Lebanon, involving exploding pagers and walkie-talkies, heralds a new age of remote assassinations
Israel just conducted the most spectacular cyber-physical twin sabotage in history.
In the first such attack, at 3:30 pm on Wednesday Sept 17, thousands of encrypted pagers carried by Hezbollah operatives across Lebanon, Syria and Iraq exploded simultaneously, killing at least a dozen individuals, including two children at the time of writing. A day later, hundreds of walkie-talkies used by the militia exploded at the same time, and they were apparently potent enough to set fire to an apartment and a car. More than a dozen individuals were reportedly killed in the second incident.
More than 3,000 individuals were reportedly wounded in both attacks. This figure probably includes those injured in Syria and Iraq.
Just how were these audacious attacks executed? According to preliminary reports, the Mossad had intercepted a new shipment of Hezbollah-bound pagers about five months ago, and duly planted nearly 20 gm of PETN, a highly explosive material, on its lithium ion batteries along with malware that would cause heat surges upon activation. The pagers and walkie-talkies were activated simultaneously — on consecutive days — to ensure that it would be the owners i.e. Hezbollah operatives who would be the ones picking them up. This would ensure maximum casualties. Some of them however threw away their devices upon sensing an unusual heat surge.
Many news outlets erroneously termed these events as “cyberattacks”. Technically, this is incorrect as pagers and walkie-talkies, unlike smartphones, do not rely on Internet-based networks or cellular transmissions. Pagers use radio-based broadcasting systems and relay systems while walkie-talkies rely on direct radio communications. These are less sophisticated devices which do not involve the complex network infrastructure associated with cellular devices. Since the affected pagers had some level of encryption, they would have had a software component, unlike the walkie-talkies. Rigging the pagers would involve software and hardware manipulation or substitution while only the hardware needs to be tampered with in the case of walkie-talkies. A preprogrammed message or signal would activate these devices into mobile bombs.
Therefore, the correct terminology for these attacks would be cyber–physical attacks. These merge the digital and physical worlds, using cyber means to cause tangible harm.
Shocking Security Lapses
Most pagers today are Made in China but apparently the AR-924 model ordered by Hezbollah came from the Budapest-based BAC Consulting KFT which has a licence from Taiwan’s Apollo Gold to manufacture and market them under the latter’s brand name. According to the Guardian, BAC Consulting is helmed by Cristiana Bársony-Arcidiacono who was known for her pro-Russian, anti-Ukrainian posts on LinkedIn. That would have been the perfect hook for an organisation like Hezbollah.
Some experts claim that these devices were tampered with at source i.e. the assembly plants. This would suggest official collusion with the host country where the plant is located i.e. Hungary. The more likely scenario is that shipments of these devices may have been intercepted and substituted with rigged facsimiles during transit or in a warehouse.
It could have been pulled off by Israeli Mista‘arvim operatives, guised as mercantile Hezbollah die-hards who acted as intermediaries. Massive discounts and kickbacks, interspersed with de rigueur appeals to jihad, would have sweetened the deal. There are many possibilities here. Never trust die-hard fanatics, particularly jihadi types, as they almost always end up working for the other side, sometimes unknowingly.
This is not the first time Israel had rigged a remote communications device into an assassination tool. On Jan 5 1996, Yahya Ayyash, the chief bombmaker of Hamas, was taken out by a booby-trapped mobile phone planted by Israel’s internal security service, the Shin Bet. As is usually the case with a fractious Middle East plagued by disunity and betrayal, the phone was handed over to Ayyash by a close “family friend”.
Hezbollah would have been aware of Israeli shenanigans with tampered facsimiles. Its commanders may have also read Victor’s Ostrovsky’s By Way of Deception which recounted the various ingenious methods the Mossad had employed to subvert the Islamic world’s security infrastructure. (Ostrovsky was an ex-Mossad agent turned whistleblower).
The recent attacks also exposed a shocking security lapse on the part of Hezbollah. It is a universal security protocol to subject samples of sensitive shipments to intense scrutiny before distribution. The pagers, in particular, were ordered five months ago. A few of them would have malfunctioned, necessitating repairs. A keen eye would have detected that something was amiss.
The Israelis however would have gamed out this scenario and had probably taken the “least risky-most effective” option — just camouflage the compromised batteries and hope that Hezbollah lacked savvy technicians who could thoroughly deconstruct any sampled devices. My guess is that the batteries in both sets of devices were ingeniously enveloped with PETN. Once the batteries are heated beyond safety thresholds upon remote activation, they will explode.
Here is what a high-end pager battery looks like. (These are furnished for representation purposes only)
This type is relatively easy to rig as it is encased. Only the most paranoid or skilled technician would take it apart for inspection.
Here is another, more common and cheaper type of battery. This type poses unique problems. The explosive ingredient needs to be skillfully papered under the plastic skin of each cylindrical battery inside the generic envelope.
The scarier version is that the battery skins, envelopes or the entire device casings themselves contained the explosive ingredient. This involves a high level of chemical engineering expertise that only a handful of nations possess. Such materials should also be good enough to fool sniffer dogs which I am sure are at the disposal of Hezbollah (dogs are considered unclean in Islam).
Geopolitical Fallouts
There are now fears that Israel’s latest attacks would lead to another full-fledged war with Lebanon before the US presidential elections on Nov 5. A new Middle Eastern war will boost the electoral prospects of the pro-Israel presidential frontrunner, Donald J. Trump.
A lot depends on how many senior Hezbollah commanders were badly injured and the median duration needed for recovery. Israel will not confront Hezbollah head on unless it knows that the incident has degraded a significant chunk of the latter’s senior and mid-tier leadership. Israeli warplanes are already pounding Hezbollah strongholds in southern Lebanon at the time of writing.
Whatever the outcome, the age of remote assassinations has arrived. The Internet of Things (IoT) is now the new global battle space.
IoT and Remote Killings
The IoT revolution and a new generation of Artificial Intelligence (AI) viruses and worms may pose unprecedented risks to critical systems.
For now, "remote assassinations" via IoT involve exploiting vulnerabilities in interconnected devices. Here are a few hypothetical examples:
Smart Car Tampering: An assassin could hack into a target's smart car, taking control of its critical systems such as braking, steering, or acceleration. This could lead to a fatal crash, disguised as an accident.
If you are the cautious type who avoids IoT vehicles and devices altogether, another vehicle with IoT functions could be commandeered to crash into you. You can be located in real time by drones and the growing grid of surveillance cameras. It would be easy for a nation like Israel to hack into centralised Digital ID systems for real-time identification and targeting.
Apart from cars, other modes of transport such as aeroplanes can receive an “update” that will remain benign until it is activated for a fatal crash.
Pacemaker Hacking: If the target has a networked medical device, like a pacemaker or insulin pump, a hacker could remotely manipulate its functions. For instance, they could alter the heart rate or insulin dosage, leading to a fatal medical event.
Smart Home System Manipulation: An IoT-enabled smart home system could be exploited to create dangerous conditions. For example, an attacker could disable smoke detectors while turning on a gas stove or tamper with electrical wiring to start a fire, potentially trapping the victim.
IoT-enabled Security System Override: By hacking into a smart security system, an assassin could disable locks, alarms, and cameras, allowing for a physical attack or break-in by an accomplice without alerting the authorities.
Smart Appliance Sabotage: Household appliances like IoT-enabled ovens, water heaters, or air conditioning systems could be manipulated to create hazardous conditions. For example, a smart oven could be remotely set to overheat, leading to a fire. Refrigerators can be reprogrammed to explode. Due to the appalling quality of design and manufacturing these days, they are already doing so by themselves.
The possibilities here are endless. Chemical and nuclear plants in a hostile nation can be hacked to cause a meltdown — fatal or otherwise. The Israelis managed to ruin nearly one-fifth of Iran's nuclear centrifuges with the Stuxnet computer worm in 2010. Stuxnet works by targeting industrial control systems. According to Kaspersky Labs, unlike viruses, computer worms are more destructive “as they can self-propagate once they have entered a system”.
“Besides deleting data, a computer worm can overload networks, consume bandwidth, open a backdoor, diminish hard drive space, and deliver other dangerous malware like rootkits, spyware, and ransomware.”
While sensitive military installations have multiple built-in redundancies, including manual overrides to prevent disasters, they can be compromised in other ways. The food supplied to these places could be tainted by toxins through a variety of methods, especially during transit. Once again, the possibilities are endless.
Remote assassinations can take a highly-personalised form as well. Can your smartphones be compromised to kill or injure you? An increasing number of people are drifting off to sleep while engaging their smartphones. Many actually end up sleeping over these devices. The deeply somnolent usually place these devices right next to their heads. This is not a good idea as excessive smartphone use, particularly at bedtime, can lead to the Rouleaux effect (red blood cell clumping) and associated medical complications.
Theoretically it is possible to compromise a smartphone’s hardware and firmware limitations and various built-in safety mechanisms. We know that smartphones and laptops can be remotely switched on — even if the off mode — to eavesdrop on or surveil individuals.
These devices are also increasingly purchased online and can be swapped during transit with facsimiles that contain lethal hardware and software components. In the future, will we hear of someone being killed or injured by a smartphone that had “suddenly” emitted a dangerous burst of radiation? Or one that exploded right next to their head? It is possible.
Our supply chains are not secure, contrary to Big Tech claims. Food products, herbal supplements, apparels etc. can all be tampered with once a centralised Digital ID system — operated with Western components — are up and running.
Online purchases may be a cheaper alternative to physical shopping but they remove anonymity and increase the risk of targeted tampering while in transit.
Maybe it is time for some individuals, deemed “problematic by the powers that be, to start wearing kevlar, helmets and visors whenever they handle electronic devices? Or maybe, they should just dial down on the use of IoT devices and reduce the frequency of online shopping?
The runaway addiction to these devices and online shopping constitute a pandemic by itself!
Additional ways you can support my writing
Tip me a ONE-TIME cuppa with Ko-Fi (for as low as a one-time $5 contribution)
Share, restack or quote my posts.
It seems iPhones, laptops and other electronic devices have exploded in Lebanon as well.
https://itc.ua/en/news/not-just-pagers-iphones-laptops-electronic-locks-and-other-devices-exploded-in-lebanon-today/
And here is video of an iPhone being induced to explode.
https://twitter.com/Stephen19718352/status/1836066617190469661?s=19
Every week we are getting a little closer to the Japanese comics I was reading as a teenager – and particularly Masamune Shirow's work. After reading "Startup Nation" ten years ago where they openly bragged of hacking tech. and more recently "War against the people" finding Israel in that space is no surprise either.
The fact that they can pull off such a cunning plan, while always posturing as week and vulnerable, should be a wake-up call to many people.