Friday, September 20, 2024

From Pager to Bomb: Examining the Feasibility of Remote Explosions


You might have heard about the recent pager explosion in Lebanon (a Middle Eastern country in Asia), where around twelve people were killed and over 2,800 were injured, including 400 in critical condition. This happened on September 17, 2024, around 3:30 PM, when thousands of pagers used by members of Hezbollah (an Islamist political party and militant group) exploded over about an hour. 


It really got me wondering what exactly happened and whether it’s possible to overheat pagers remotely without any physical contact.


So, I did some digging. Let me start with the basics.

What is a Pager?

A pager is a wireless device that sends and receives short messages, either one-way or two-way, mainly using radio signals. 

While they were super popular in the 1980s and 1990s, pagers are still used today, especially in fields like healthcare. They allow medical staff to stay in touch during power outages or network failures. You’ll also find them being used by firefighters, police, military intelligence, and in nuclear plants, where they help avoid communication issues caused by electromagnetic interference.

Understanding Pagers: A Look into Their Technicality, Usage

  • Functionality: Pagers work by using narrowband radio frequencies to pick up signals from a central transmitter. These signals carry encoded messages that the pager decodes and displays for the user.

  • Components: A typical pager has four main parts: a receiver, a decoder, a display screen, and a battery. Each pager is assigned a unique cap code linked to a specific phone number. When you call that number and send a message, the pager receives it and displays it.


What do we know about the incident?

Hezbollah ordered around 5,000 pagers from Taiwan's Gold Apollo which were manufactured by Hungary-based BAC Consulting Company, These pagers were destined for Lebanon. During the shipment process, at some point along the way, the shipment was intercepted and tampered with the pagers. They discreetly altered the internal components. This modification was done so subtly that it went unnoticed. Once the changes were made, the altered pagers were quietly sent back to Hezbollah as if nothing had happened.


At 3:30 pm in Lebanon, pagers received a message seemingly from Hezbollah’s leadership, but it activated and triggered explosives instead. The devices were programmed to three beeps before detonating. The explosives, reportedly as little as three grams, were strategically placed next to the battery in each pager. A remote-trigger switch was also embedded, allowing for the detonation of the pagers.


Labels seen on fragments of exploded pagers point to a pager model called the Rugged Pager AR-924.


Various theories are circulating online explaining how the attack occurred:

  • A security source suggested that someone planted explosives in 5,000 Taiwan-made pagers ordered by Hezbollah months before the blasts.

  • One theory posits that a specific cap code was programmed into the pagers to trigger the explosives when the signal was sent, leading to simultaneous detonations.

  • Some speculate that the pager radio network may have been hacked, sending a message that activated the modified pagers.

  • Al Jazeera mentions that thermal runaway from overheating lithium batteries could cause explosions, though triggering this in multiple offline devices is highly complex.


Rugged Pager AR-924


Searching for the AR-924 on Gold Apollo's website shows a '403 Forbidden' error, meaning the page exists but is blocked. However, it was accessible via Wayback Machine. The AR-924 pager uses a lithium battery.

The device is highly configurable, allowing frequencies, capcodes, and screen displays to be adjusted via USB or manually, with customizable timeouts for various functions. Maintenance is simplified with replaceable components like the battery, vibration motor, display, and silicone seal. Technically, it operates on UHF frequencies (450-470 MHz), supports POCSAG code format, and holds 30 messages, each with 100 characters. It has excellent water resistance (IP67), a high-resolution backlit display, and offers up to 85 days of battery life with USB-C charging. The pager is CE approved and can be tailored to multiple languages.


These devices operate via radio messaging, using the POCSAG radio transmission protocol, which provides a broader coverage.


Possible Theoretical Security Analysis of Pager

If an attacker aimed to send a message, three beeps and cause an explosion through a pager, they would need to exploit specific vulnerabilities related to signal processing, physical tampering, and remote activation. Here are some key vulnerabilities that could theoretically enable such an attack:

1. Signal Manipulation (RF-Based Attacks):

  • Capcode Spoofing: Each pager is assigned a unique capcode, which it listens for on the radio frequency. An attacker could spoof the capcode, sending a signal to multiple devices at once. If the pager had been pre-rigged with explosives, this signal could trigger the explosion.

  • Replay Attacks: By capturing a legitimate activation signal (such as a beep or alert message), an attacker could resend it to multiple devices to trigger the same action.

  • RF Signal Hijacking: If the pager’s signal is unencrypted or poorly encrypted, attackers could hijack the signal and inject malicious messages designed to activate any rigged component in the pager.

2. Pre-Installed Explosive Mechanism:

  • Physical Tampering: For a pager to explode, it would need to have been tampered with beforehand—implanted with explosives that can be triggered via a specific signal. This means the vulnerability would lie in the supply chain or production process where the explosive device is hidden in the pager.

  • Remote Detonation via Radio Signal: If the tampered pager contains a remote-detonation mechanism, an attacker could send a specific signal (via paging network or RF transmission) that triggers the explosive material inside the pager. The pager itself might still function normally until the specific detonation signal is received.

3. Weak Encryption or No Encryption:

  • Unsecured Transmission Channels: If pagers are operating on unsecured or outdated encryption methods, attackers could gain access to the communication channel and send malicious messages to specific pagers. This would be crucial if the pagers are configured to respond to specific instructions that could lead to detonation.

4. Software Vulnerabilities:

  • Malicious Firmware Update: If an attacker has access to the device during production, they could upload custom firmware designed to activate the pager when a particular message is received. If the pager is tampered with and contains explosives, this firmware could control the timing and conditions under which it explodes.

  • Trigger Via Message Payload: An attacker could embed a malicious code or signal within the payload of a message that interacts with the altered hardware of the pager, causing the explosive to detonate.

5. Supply Chain Exploit:

  • Hardware Trojans: Malicious alterations during the production process could allow attackers to plant triggers inside pagers that activate when they receive certain signals. These triggers could be detonated by an external paging signal, resulting in the pager’s explosion.

6. Overheating-Induced Explosion (Less Likely):

  • Thermal Runaway: While unlikely, if a malicious signal was designed to exploit weaknesses in the device’s power regulation (such as triggering excessive heating in its battery), this could theoretically cause an explosion. However, it would require significant knowledge of the device's internal electronics and is more complex compared to simply tampering with the device to plant explosives.

These vulnerabilities would likely require a combination of physical tampering (i.e., pre-installing explosives in the device) and signal manipulation (e.g., triggering the explosive via a radio frequency signal or message). This is not purely a software or radio frequency issue but a highly complex attack involving both cyber and physical aspects, with significant technical skill needed for execution.

Coming back to our main Question: Is it Possible to Hack Pagers and Cause an Explosion Remotely?


Ultimately, while the idea of remotely hacking pagers to trigger explosions is intriguing, the complexities involved suggest that it is unlikely. The successful implantation of explosives in devices like pagers requires advanced technical skills and physical access during their production or supply chain process.


In this scenario, while the theories suggest possible methods for triggering an explosion via hacked pagers, the practical execution would face significant challenges. Specifically, successfully implanting explosives, programming them to respond correctly, and hacking a secure radio network would require advanced capabilities and resources. Moreover, triggering thermal runaway in multiple offline devices remotely adds another layer of complexity. Therefore, while it's a topic of speculation, the actual feasibility of such an attack remains questionable.


However, this incident reveals a major security breach within Hezbollah, highlighting significant vulnerabilities in their security due to the failure to detect the pager explosions.

Does it point to Supply Chain Attack rather than pure cyberattack?

Yes, It could be considered a supply chain attack. In this context, a supply chain attack involves compromising a product or device during its manufacturing or distribution process. If the pagers were altered before reaching their intended recipients—such as by embedding explosives or programming them with malicious code—this would align with the characteristics of a supply chain attack. Such tactics can exploit vulnerabilities in the manufacturing process, creating significant security risks for end-users and organizations relying on these devices.

Conclusion


In conclusion, the explosion of pagers in Lebanon highlights serious security gaps in how electronic devices are made and delivered. The complexity of tampering with these devices suggests a carefully planned operation, rather than just a simple hack. This incident shows the need for better security measures throughout the entire process of manufacturing and shipping technology. As threats change, it's crucial to improve oversight and protect against tampering to keep everyone safe.


Let me know your thoughts in the comments.

References

https://www.youtube.com/watch?v=a_aSCZwbtsU

https://web.archive.org/web/20240917203438/https://www.gapollo.com.tw/rugged-pager-ar924/

https://www.livemint.com/news/world/3-gms-rdx-in-pagers-beeps-how-israels-mossad-orchestrated-deadly-simultaneous-explosions-in-lebanon-11726648573668.html

https://www.cbsnews.com/news/hezbollah-pagers-explode-israel-taiwan-hungary-gold-apollo-bac-consulting/

https://www.bbc.com/news/articles/cz04m913m49o

https://www.newsweek.com/hezbollah-exploding-pagers-model-bac-ar-924-explained-1955542

https://www.raveon.com/pdfiles/AN142(POCSAG).pdf

https://www.politico.com/news/2024/09/19/pager-attacks-supply-chain-warfare-00180136

https://www.bbc.com/news/articles/cew12r5qe1ro

https://economictimes.indiatimes.com/industry/cons-products/electronics/pager-blasts-are-mobile-phones-vulnerable-too/articleshow/113500611.cms?from=mdr

https://frontline.thehindu.com/news/lebanon-hezbollah-cyber-attack-pager-explosions-warfare-israel-gaza/article68654302.ece

https://www.indiatoday.in/world/story/how-hezbollah-pagers-rigged-exploded-details-israel-mossad-lebanon-explainer-3-steps-detail-mossad-spy-agency-petn-explosive-2601913-2024-09-18

https://www.indiatoday.in/world/story/lebanon-hezbollah-pager-explosions-israel-supply-chain-attacks-2601838-2024-09-18

https://www.business-standard.com/world-news/what-are-pagers-why-are-they-still-being-used-to-communicate-by-people-124091800424_1.html

https://timesofindia.indiatimes.com/world/middle-east/pager-explosions-in-lebanon-what-you-need-to-know-about-the-devices-and-why-are-they-causing-chaos/articleshow/113434438.cms

https://www.theguardian.com/world/2024/sep/18/hezbollah-pagers-what-do-we-know-about-how-the-attack-happened#:~:text=The%20source%20said%203%2C000%20of,with%20before%20they%20reached%20Lebanon

https://www.livemint.com/companies/news/lebanon-pager-blasts-budapest-based-bac-consulting-kft-under-scrutiny-5-key-facts-about-the-company-11726649234376.html

https://www.theweek.in/news/world/2024/09/18/lebanon-hezbollah-pagers-blast-why-europe-based-bac-consulting-used-middle-eastern-bank-to-pay-gold-apollo.html

https://www.forbes.com/sites/siladityaray/2024/09/18/what-we-know-about-the-exploding-hezbollah-pagers-including-who-manufactured-the-devices/

https://www.france24.com/en/middle-east/20240918-israel-planted-5-000-pager-explosives-months-before-deadly-blasts-lebanese-security-sources-say

https://ieeexplore.ieee.org/document/7382381

https://www.mdpi.com/2624-831X/5/2/18

https://www.trtworld.com/middle-east/what-does-ar-924-pager-tampering-tell-us-about-the-tech-supply-chain-18209811

https://indianexpress.com/article/world/walkie-talkies-hezbollah-explode-across-lebanon-capital-9574604/