Israel’s Pager Attacks Have Changed the World

BY BRUCE SCHNEIER

Mohammad Zaatari/Associated Press

Israel’s brazen attacks on Hezbollah last week, in which hundreds of pagers and two-way radios exploded and killed at least 37 people, graphically illustrated a threat that cybersecurity experts have been warning about for years: Our international supply chains for computerized equipment leave us vulnerable. And we have no good means to defend ourselves.

Though the deadly operations were stunning, none of the elements used to carry them out were particularly new. The tactics employed by Israel, which has neither confirmed nor denied any role, to hijack an international supply chain and embed plastic explosives in Hezbollah devices have been used for years. What’s new is that Israel put them together in such a devastating and extravagantly public fashion, bringing into stark relief what the future of great power competition will look like — in peacetime, wartime and the ever expanding gray zone in between.

The targets won’t just be terrorists. Our computers are vulnerable, and increasingly, so are our cars, our refrigerators, our home thermostats and many other useful things in our orbits. Targets are everywhere.

The core component of the operation — implanting plastic explosives in pagers and radios — has been a terrorist risk since Richard Reid, the so-called shoe bomber, tried to ignite some on an airplane in 2001. That’s what all of those airport scanners are designed to detect — both the ones you see at security checkpoints and the ones that later scan your luggage. Even a small amount can do an impressive degree of damage.

The second component, assassination by personal device, isn’t new, either. Israel used this tactic against a Hamas bomb maker in 1996 and a Fatah activist in 2000. Both were killed by remotely detonated booby-trapped cellphones.

The final and more logistically complex piece of Israel’s plan — attacking an international supply chain to compromise equipment at scale — is something that the United States has done itself, though for different purposes. The National Security Agency has intercepted communications equipment in transit and modified it, not for destructive purposes but for eavesdropping. We know from a Snowden document that the agency did this to a Cisco router destined for a Syrian telecommunications company. Presumably, this wasn’t the agency’s only operation of this type.

Creating a front company to fool victims isn’t even a new twist. Israel reportedly created a shell company to produce and sell explosive-laden devices to Hezbollah. In 2019, the F.B.I. created a company that sold supposedly secure cellphones to criminals — not to assassinate them, but to eavesdrop on and then arrest them.

The bottom line: Our supply chains are vulnerable, which means that we are vulnerable. Anyone — any country, any group, any individual — that interacts with a high-tech supply chain can potentially subvert the equipment passing through it. It could be subverted to eavesdrop. It could be subverted to degrade or fail on command. And, although it’s harder, it can be subverted to kill.

Personal devices connected to the internet — and countries in which they are in high use, such as the United States — are especially at risk. In 2007, the Idaho National Laboratory demonstrated that a cyberattack could cause a high-voltage generator to explode. In 2010, a computer virus believed to have been developed jointly by the United States and Israel destroyed centrifuges at an Iranian nuclear facility. A 2017 dump of C.I.A. documents included statements about the possibility of remotely hacking cars, which WikiLeaks asserted can be used to carry out “nearly undetectable assassinations.” This isn’t just theoretical: In 2015, a Wired reporter allowed hackers to remotely take over his car while he was driving it. They disabled the engine while he was on a highway.

The world has already begun to adjust to this threat. Many countries are increasingly wary of buying communications equipment from countries they don’t trust. The United States and others are banning large routers from the Chinese company Huawei because we fear that they could be used for eavesdropping and — even worse — disabled remotely in a time of escalating hostilities. In 2019 there was a minor panic over Chinese-made subway cars that could possibly have been modified to eavesdrop on their riders.

It’s not just finished equipment that is under the scanner. More than a decade ago, the U.S. military investigated the security risks of using Chinese parts in its equipment. In 2018, a Bloomberg report revealed U.S. investigators had accused China of modifying computer chips to steal information.

It’s not obvious how to defend against these and similar attacks. Our high-tech supply chains are complex and international. It didn’t raise any red flags to Hezbollah that the group’s pagers came from a Hungary-based company that sourced them from Taiwan, because that sort of thing is perfectly normal. Most of the electronics Americans buy come from overseas, including our iPhones, whose parts come from dozens of countries before being pieced together primarily in China.

That’s a hard problem to fix. We can’t imagine Washington passing a law requiring iPhones to be made entirely in the United States. Labor costs are too high, and our country doesn’t have the domestic capacity to make these things. Our supply chains are deeply, inexorably international, and changing that would require bringing global economies back to the 1980s.

So what happens now? As for Hezbollah, its leaders and operatives will no longer be able to trust equipment connected to a network — very likely one of the primary goals of the attacks. And the world will have to wait to see if there are any long-term effects of this attack, or how the group will respond.

But now that the line has been crossed, other countries will almost certainly start to consider this sort of tactic as within bounds. It could be deployed against a military during a war, or against civilians in the run-up to a war. And developed countries like the United States will be especially vulnerable, simply because of the sheer number of vulnerable devices we have.

###