Updated September 18: The pagers, reportedly made under licence to Taiwan's Apollo by a Budapest-based company called BAC, are widely reported to have been interdicted and packed with 1-3 grams of high explosive, which was triggered by a custom message.
Israel’s cybersecurity chops are world-class, and destroying centrifuges with a worm or other cyber-physical activities is within its range of capabilities. But hacking Hezbollah pagers to make them explode?
A "pure" cyber attack is pretty implausible, most cybersecurity experts seemed to agree on Wednesday – as news broke that several thousand Hezbollah members had been wounded with at least nine people killed, after the pagers they use to communicate detonated across Lebanon.
Over 2,800 were injured, Lebanon’s health ministry told local press on Tuesday, as videos spread like wildfire showing the moments the pagers exploded.
Was it conceivable that Israel’s creative security services had found a way to hack the pagers and detonate lithium-ion batteries, many wondered?
(“The psyop value of literally everyone left asking themselves that same question is pretty wild” as Bugcrowd CSO Casey Ellis noted.)
“Rise and Kill First”, a 2018 book by Ronen Bergman about Israel’s history of targeted killings refers to a case in which a “fifty-gram explosive charge with a remotely triggered detonator” was placed in a target’s phone.
Doing that at the scale of thousands of devices represents a potentially hugely complex supply chain interception – but this seems most likely, cybersecurity experts agreed as the story evolved today; potentially involving the compromise of batteries to include explosives in them.
Three Lebanese sources told Reuters that the radios that exploded on Tuesday were a modern model recently purchased by Hezbollah; according to other reports, the devices heated up before exploding.
UPDATED: The models were identified as being the AR-924 model of pagers with Gold Apollo branding. As the Taiwanese company's offices were inundated with reporters, the firm's founder Hsu Ching-Kuang said the devices were made under licence in Europe by a firm called BAC, which is based in Hungary.
“I don't think this is a hack. Making batteries do anything more than burn is very hard and implausible. Far more plausible is that somebody bribed the factory to insert explosives” said Robert Graham, a security professional who created popular open source tools, such as Masscan.
“My money is on explosives” agreed John Hultquist, an Army veteran and chief analyst at Google’s Mandiant Intelligence, posting on X.
"The Mossad injected a board inside of the device that has explosive material that receives a code. It's very hard to detect it through any means. Even with any device or scanner," a Hezbollah source told Reuters.
The Stack reviewed the literature for case studies of security researchers who have tried to remotely explode smartphones/batteries and then cheerfully published their findings. This is, we found, a very niche space; mostly, if not entirely, populated by speculative work or absolute garbage.
A little earlier this year a team of researchers from the University of Florida did publish research about making wireless chargers remotely initiate hazardous power transfers; research that saw them blow up a car’s key fob (“the key fob didn’t merely over-heat. Instead, it detonated and caused the disintegration of the device in an explosive display”). But Hezbollah’s friends were not all standing charging their pagers on wireless chargers when the incident happened, and it seems a tenuous link at best.
“Some reports including seeing body parts flying post-explosion…don’t think that’s within the capabilities [of] an overheated battery” as AWS Cloud threat intelligence leader David Oxley posted on X today.
Hezbollah said in an earlier statement on Tuesday as reported by Al Jazeera that two of its fighters and a girl were killed as “pagers belonging to employees of various Hezbollah units and institutions exploded.”
One Hezbollah official, speaking to the outlet on the condition of anonymity, described it as the “biggest security breach” the group has experienced in nearly a year of military contact with Israel.
Lebanon’s Information Minister Ziad Makary condemned “Israeli aggression” – becoming the first official to directly blame the country.
Reuters reported in July that in a bid to evade cybersecurity risk Hezbollah had resorted to widespread use of personal couriers and pagers.
Hezbollah has also been using a “private, fixed-line telecommunications network dating back to the early 2000s” it cited three sources as saying.
If the pagers were packed with explosives, this network could potentially have been compromised to deliver the detonating signal.