Physical attacks through searches and walkie talkies The discovery of the weapons in the hands of Hezbollah members has raised eyebrows and sparked debate in the technology community. First, there was the question of how such a large-scale operation could have been mounted. Now that some time has passed, the question of what this all means for conflict-ridden regions, Western countries that are not in conflict for now, and for the future of the production of connected devices has arisen.
1. How much fear do you have to have?
It depends on where you live. In countries without potential conflict, an operation of this magnitude is unlikely to happen, even on a small scale. Especially since it requires a type of preparation and logistics that allows physical access to thousands of devices with a specific destination.
In countries where a potential adversary has the ability to access thousands of devices, the level of fear can vary. Any connected device can carry some kind of explosive inside that can be activated remotely. This, obviously, involves a lot of ethical and legal debates about civilians in conflict, but technically nothing prevents this new type of “weapon” from being used again. “I understand that in a country in conflict you get paranoid about all devices. It has already happened with those used for communications to avoid the telephone,” says Pedro Peris, professor at the Carlos III University and member of the BBVA Leonardo network. But it can happen with many other devices.
As someone who grew up during war in Beirut, I can tell you the Mideast is a global testing ground for new weaponry. The ramifications of this pager attack in Lebanon should give chills to anyone paying attention.
— Peter Daou (@peterdaou) September 17, 2024
2. What not to be afraid of
Regarding the battery of the device. “It must be made clear that if there is no physical manipulation of the device, what they have done (against Hezbollah) cannot be done,” Peris sums up. “With a battery, no matter how much you overheat it, you are not going to achieve something like that. There is not going to be an attack with the battery, not even directed against a target: although an attack could be carried out where the battery would heat up and cause some damage, it would not be the same and you would realise that it is heating up like hell and you would throw it out the window,” he adds.
Without prior manipulation of the device there is no explosion. Also manipulation of its softwarein order to program or prepare the explosion. To do this, it must be manufactured or intercepted.
3. What has been the biggest surprise?
The supply chain is the process by which different suppliers (or a single one) bring together parts to produce a device. The military sector is well aware that it should not let potential rivals manufacture its radars or weapons.
With the software The opposite is true: we have accepted not to give too much importance to the fact that our devices come with dubious programs pre-installed. “Until now we knew that the supply chain is critical. But all the attacks came in the software”says Peris. “The problem was considered minor because when the supply chain is attacked, software “It’s massive, and we don’t know who it’s going to be used against. They steal data, it’s a problem, but we accept it. Normally, when they steal data on a massive scale, what they do is resell it, typically for advertising,” he adds.
But the attacks on the hardwareas we have seen, have a much more devastating potential scope: they are physical. “It is a problem that was already known but has changed in scale. The supply chain was a problem that we knew about, but we had taken a step forward and had trusted that everything was working well,” he adds. This has changed.
4. On what other devices can it occur?
When thousands of pagers exploded in Lebanon, everyone unconsciously reached for their pockets. What if my mobile phone was also exploited? It is clear that this is not going to happen and that remote attacks without prior manipulation are less damaging.
But what would happen with other devices? “I immediately thought of pacemakers,” says Peris, who has researched this area. The health sector is quite vigilant with pacemakers, insulin pumps and other similar devices. If their security is increased, their battery and operation can be affected. So far, as far as we know, there have been no cases of manipulation to kill someone. There has been a fictional series where this happened, so it is not completely unimaginable, warns Peris.
The attack could be reminiscent of Hezbollah’s, but it would never be the same: “They are not the same. To start with, your target should be wearing a pacemaker and you should know that he is wearing one,” Peris explains. “Then, you have to bypass the security of the device,” he adds.
However, the security of these medical devices is often easily breached. “They do something they shouldn’t: security through obscurity. I give you a device that is a black box and I tell you that it is secure but I don’t tell you how,” explains Peris. “That goes against all the principles of people who work in cybersecurity today: publishing how it works so that everyone tries to break it. And if no one succeeds, then that is a guarantee. But that is not going to happen in these cases.”
There are several academic experiments published in recent years that have shown how to overcome this protection and fry the heart of the hypothetical victim. These systems are connected to help doctors treat problems or modify parameters remotely. But they can have other, riskier purposes: “If you have an arrhythmia, they will give you a shock, but if you have nothing and they give it to you, it can stop. They will hit you in the chest with a ball,” says Peris.
