Post Am9GfFp2WS9MzA8Hzs by mattblaze@federate.social
 (DIR) Post #Am7JmpoP1UMgBADlrM by mattblaze@federate.social
       2024-09-17T23:44:18Z
       
       0 likes, 0 repeats
       
       Current reporting from NYT and others (gift link: https://www.nytimes.com/live/2024/09/17/world/israel-hamas-war-news?unlocked_article_code=1.LU4.yQNN.lrxL0ef79K2O&smid=url-share) essentially confirms the speculation: Supply chain tampering with a new batch of 3000 pagers from Taiwan ordered by Hezbollah, involving adding 2oz of explosive material near the battery. Reports of 2800 injured, implying that essentially all of them went off, apparently nearly simultaneously, suggesting this was not targeting particular individuals (just anyone with a pager in the batch). At least nine deaths so far.
       
 (DIR) Post #Am7JmqjpZyIn3H5dNA by mattblaze@federate.social
       2024-09-17T23:50:10Z
       
       0 likes, 0 repeats
       
       ... The pagers apparently were programmed to beep and then display a message ostensibly from Hezbollah leadership, and then explode, behavior that would encourage users to be in close proximity to the device as it exploded....
       
 (DIR) Post #Am7Jmrb0OGpviBy6Fs by mattblaze@federate.social
       2024-09-17T23:53:44Z
       
       0 likes, 0 repeats
       
       Unclear from reporting how they were triggered. Some possibilities include:
       - completely offline (all the compromised pagers were pre-programmed to beep and explode at a particular time)
       - a broadcast signal (possibly sent by a high power transmitter controlled by Israel) that all the devices were programmed to respond to
       - individually addressed messages to each of the pagers (less likely, since that would take a while to go through).
       My guess is the first.
       
 (DIR) Post #Am7JmsA6HmuRT2O7xQ by mattblaze@federate.social
       2024-09-18T00:04:37Z
       
       0 likes, 0 repeats
       
       ... The disadvantage (to the attacker) of offline pre-scheduled triggering is that it becomes essentially impossible to scrub or reschedule the attack if something goes wrong or there's reason for delay. So I wouldn't rule out a broadcast signal entirely. Assuming some of the devices survived (duds, etc), I'd imagine there's a lot of reverse-engineering being attempted right now.
       
 (DIR) Post #Am7JmsdsV4jExOJuN6 by EricFielding@mastodon.social
       2024-09-18T00:11:58Z
       
       0 likes, 0 repeats
       
       @mattblaze The NYT article says the explosions were triggered by a message but it doesn’t say why they concluded that.
       
 (DIR) Post #Am7JmtFoE34Or24CUi by mattblaze@federate.social
       2024-09-18T00:13:59Z
       
       0 likes, 0 repeats
       
       @EricFielding Very unclear. It says "the pagers received a message..." but it seems to be actually describing merely the pagers *displaying* a message.
       
 (DIR) Post #Am7Jmtc8t0vzyIW2Iy by mattblaze@federate.social
       2024-09-18T00:13:16Z
       
       0 likes, 0 repeats
       
       Notably, the NYT reporting isn't hedging even slightly on identifying Israel as the source of the attack, though does note that they haven't officially commented.
       
 (DIR) Post #Am7Jmttrp772rGoBvs by tomjennings@tldr.nettime.org
       2024-09-18T04:48:16Z
       
       0 likes, 0 repeats
       
       @mattblaze @EricFielding Not hard to imagine an SMS message payload that actuates a special output pin inside the device, a diagnostic led, "advanced feature", alternate brightness, any addressable pin or function typically unused. I'd even say this kind of path is most likely.
       
 (DIR) Post #Am7Jmv6JMKf2a9ddy4 by mattblaze@federate.social
       2024-09-18T00:20:16Z
       
       0 likes, 0 repeats
       
       As I've noted elsewhere, one-way pagers (at least the kind that don't explode) are actually a pretty good way for a covert organization to communicate with its members. Unlike cellphones, which are constantly registering with a local tower, pagers don't expose the locations of recipients to the infrastructure or to eavesdroppers. They work by "flooding" - broadcasting all messages over the entire service area, leaving it to the devices to filter out the messages addressed to them.
       
 (DIR) Post #Am7JmwhZPI3hY04ugK by mattblaze@federate.social
       2024-09-18T01:22:41Z
       
       0 likes, 0 repeats
       
       Another note: a supply chain compromise is a very powerful capability, and by using it this way they effectively completely burned it, foreclosing the possibility of future exploitation. Hezbollah (and anyone else who considers Israel an adversary) is going to be *very* careful about how it sources its gear for the foreseeable future. (What else might you do if you could control comms gear of your adversary?) This was likely VERY carefully considered, likely at the highest levels of government.
       
 (DIR) Post #Am7LRgOL3JcMn04V5E by tsturm@famichiki.jp
       2024-09-18T05:06:50Z
       
       0 likes, 0 repeats
       
       @tomjennings @mattblaze @EricFielding …or just show something like all “8” across the display and trigger on that.
       
 (DIR) Post #Am7gXIulLn7Mkel9Em by liaizon@social.wake.st
       2024-09-18T09:03:10Z
       
       0 likes, 0 repeats
       
       @tomjennings @mattblaze @EricFielding I don't think the pagers were operating on a cell network, though. If you look at the product page for ar-924, it shows what communication standards it uses.
       
 (DIR) Post #Am9GfBW6WucvdHF6vY by mattblaze@federate.social
       2024-09-18T18:43:43Z
       
       0 likes, 0 repeats
       
       The plot continues to thicken, with another wave of exploding devices reported among Hezbollah members around Lebanon today. This time, it appears to include walkie-talkie-type radios. I've not yet found reliable reports of specific models of radios, so it's hard to even speculate yet on how these might have been triggered - possibly over the air, but also possibly with a pre-set timer.
       What's clear is that Hezbollah's supply chain problem is even worse than it seemed yesterday.
       
 (DIR) Post #Am9GfCJ1b1l6508BBA by mattblaze@federate.social
       2024-09-18T20:27:14Z
       
       0 likes, 0 repeats
       
       Note that there are obviously a large number of moral, ethical, and legal questions about this whole operation. I'm focused on the technical, strategic, and logistical issues in this thread, which should not be taken to suggest in any way that I don't think those questions are important or worth probing. It's just not what I'm exploring here.
       
 (DIR) Post #Am9GfD9qQe0eioqMVc by mattblaze@federate.social
       2024-09-18T20:39:30Z
       
       0 likes, 0 repeats
       
       On the latest round of explosions, so far I've found a couple photos of a mangled Icom model V82 walkie-talkie, a discontinued (but still widely available around the world in counterfeited form) commercial analog two-way radio.
       But it's unclear if that's the only type of device that exploded today, and it's also possible that the various photos I've seen are all of the same individual radio. Still haven't seen good authoritative reports of the scope and scale of today's wave of explosions.
       
 (DIR) Post #Am9GfDcugZGIAyRZom by mattblaze@federate.social
       2024-09-18T20:49:05Z
       
       0 likes, 0 repeats
       
       At this point, everyone in Lebanon and Hezbollah has to be wondering what's going to be exploding tomorrow.
       
 (DIR) Post #Am9GfEDQUoT80DWjjM by mattblaze@federate.social
       2024-09-18T21:11:30Z
       
       0 likes, 0 repeats
       
       So I've now seen video and stills of several different exploded radios. All appear to be Icom V82s (or something that looks similar). In all but one case, the battery was missing, and the damage to the radio itself was relatively small, adding credence to the hypothesis that the explosion came from the battery pack. I believe the battery form factor is common to a number of Icom models, including the current ones. So possibly what was compromised was a shipment of replacement batteries.
       
 (DIR) Post #Am9GfF4bJ70Gf8PCc4 by mattblaze@federate.social
       2024-09-18T21:17:58Z
       
       0 likes, 0 repeats
       
       Walkie-talkie radios differ from pagers in several relevant ways here. First, they're larger, and so have room to hide more explosive material; some of the images I've seen show damaged buildings, suggesting larger explosions than we saw with the pagers.
       Second, walkie-talkies aren't generally carried around all the time the way pagers are. They typically spend a lot of time off and sitting in a charger, possibly near other radios. This is also consistent with the images of damaged buildings.
       
 (DIR) Post #Am9GfFp2WS9MzA8Hzs by mattblaze@federate.social
       2024-09-18T21:25:19Z
       
       0 likes, 0 repeats
       
       Icom may not be a household name (well, it is in my household, but I'm a nerd). They're a major manufacturer of two-way and related radio gear for commercial, industrial, public safety, marine, aviation, and amateur markets, based in Japan and marketed around the world. The V82 radio that was apparently exploding is an older, discontinued model, but counterfeit versions of it from various Chinese sources are widely available.
       
 (DIR) Post #Am9GfGHOp0pqP7OwCW by mattblaze@federate.social
       2024-09-18T21:36:14Z
       
       0 likes, 0 repeats
       
       In any case, the V82 battery does not have a data connection to the host radio, so that means that (assuming it was the battery pack that exploded) any triggering mechanism was likely self-contained in the battery pack and did not make use of the communications capability of the radio itself. That would mean it was triggered by either an offline timer or a separate receiver/antenna inside the battery pack. If the latter, it would have to be in range of a signal sent by the attacker.
       
 (DIR) Post #Am9GfGscacbqGYofDc by mattblaze@federate.social
       2024-09-18T23:10:18Z
       
       0 likes, 0 repeats
       
       Current reporting says at least 20 deaths and 450 injuries from today’s walkie-talkie explosions (this is on top of yesterday’s pagers). The pagers seem to have injured (roughly) a single individual each. The apparently more powerful explosions from the walkie-talkies may have each claimed more victims. So it’s less clear from this how many compromised devices were actually involved today.
       
 (DIR) Post #Am9GfHXk7jVEK63VJY by mattblaze@federate.social
       2024-09-18T23:14:39Z
       
       0 likes, 0 repeats
       
       Notably, yesterday the fact that Hezbollah had recently ordered and received a large number of pagers was immediately reported. There doesn’t seem to be any similar information coming out yet about new radios (or radio battery packs). This might be simply because sources are drying up or haven’t yet spoken, or it might be that today’s attack didn’t exploit Hezbollah’s supply chain in the same way the pager attack did.
       
 (DIR) Post #Am9GfI9Js1YoCddVsu by mattblaze@federate.social
       2024-09-18T23:52:23Z
       
       0 likes, 0 repeats
       
       Important caveats on all this: there’s a lot we don’t know, and much of what we assume we know may be mistakenly or deliberately misleading. In particular, as far as I know, no one has yet reverse engineered or forensically examined (or publicly reported the result of any such investigation) any surviving pagers or radios, which would be very helpful in confirming a lot of these assumptions.
       
 (DIR) Post #Am9GfIgzqoUzt5OPNQ by mattblaze@federate.social
       2024-09-19T02:42:03Z
       
       0 likes, 0 repeats
       
       Some new details reported in this NYT article (gift link: https://www.nytimes.com/2024/09/18/world/middleeast/israel-exploding-pagers-hezbollah.html?unlocked_article_code=1.L04.bSZU.vUhf54b0cGP_&smid=url-share)
       This fills in some gaps, assuming it's accurate (caveat here, given anonymous, presumably motivated sources):
       - The pagers were manufactured by a Hungary-based Israeli shell company and used a special battery containing PETN.
       - The explosions were triggered in real time, but no details about the specific triggering mechanism.
       - No details about how the exploding walkie-talkies worked or how they were inserted.
       
 (DIR) Post #Am9GfJIZb6YZlcyPwm by tomjennings@tldr.nettime.org
       2024-09-19T03:22:40Z
       
       0 likes, 0 repeats
       
       @mattblaze TSA will likely institute some new, arbitrary, and ineffective, security theatre for us in an airport near you.
       
 (DIR) Post #Am9GfKLRhuRt0pKE40 by mattblaze@federate.social
       2024-09-19T02:45:08Z
       
       0 likes, 0 repeats
       
       ... So we know a lot more about the pagers at this point than the exploding walkie-talkies, which appear to have made their way into Hezbollah's hands through a different channel than the pagers. Unclear whether the radios even involved a supply chain compromise, as opposed to, e.g, an insider mole swapping out radios and/or batteries.
       
 (DIR) Post #Am9GfLeyolfV5hTL9M by mattblaze@federate.social
       2024-09-19T03:07:40Z
       
       0 likes, 0 repeats
       
       Hezbollah's scale works against them here. The problem with the pagers was they needed to buy so many of them (3000!) that it was effectively impossible to source them quietly and anonymously within the local economy. Instead, they had to act like a bureaucracy, putting out solicitations and ordering in bulk from suppliers. This exposed them. The seller (Israel) was able to react, attract their business, and deliver rigged devices as part of what appeared to be a normal business transaction.
       
 (DIR) Post #Am9GfN0Hp2J1G4Rs00 by mattblaze@federate.social
       2024-09-19T03:09:29Z
       
       0 likes, 0 repeats
       
       But again, none of this was necessarily how the exploding walkie-talkies were delivered. We don't know much of anything about that yet.
       
 (DIR) Post #Am9GfOg9arOESD2otc by mattblaze@federate.social
       2024-09-19T03:21:42Z
       
       0 likes, 0 repeats
       
       Also notable: While Israel isn't saying anything publicly, it apparently did brief the US government on at least the pager operation, and US intelligence officials are "leaking" those details with the press. I don't think for a moment that those "leaks" are unauthorized or causing Israel any particular heartache. It's likely in their interests to have everyone know they were behind this, but also to stop short of admitting it.
       
 (DIR) Post #Am9GjdpTCu70bGQTQm by mattblaze@federate.social
       2024-09-19T03:23:31Z
       
       0 likes, 0 repeats
       
       @tomjennings Absolutely no Hungarian pagers allowed past the checkpoint!
       
 (DIR) Post #Am9wbi9vQ9iFmrtXbk by SteveBellovin@mastodon.lawprofs.org
       2024-09-18T00:03:15Z
       
       0 likes, 0 repeats
       
       @mattblaze I don't think so—the desirability of triggering it would depend on the geopolitical situation, how many pagers had been handed out, etc. But I think that there are pager groups—the only time I carried one, it was for messages to all members of the Medical Aid Squad at Bell Labs Murray Hill—and you sent pages by calling a particular number. (These days, with text pages, it's probably a web service.) Any bets on Israel not knowing the login/password/group id? Not from me…