Cybersecurity in Plain English: Exploding… Pagers?

Editors Note: This is a developing story, and little is known about the facts surrounding the events except that they happened. The article will be updated when more information is published (if that happens). Please remember that, as with any rapidly developing story, the truth of these events may not be known for quite some time. The editor would also like to thank @SchizoDuckie and @UK_Daniel_Card for their rational and technical support in keeping the author from getting derailed and wandering into spy thriller territory.

Update: October 16, 2024 – Reuters has posted a story detailing the results of an investigation around the pager devices.  This story contains details received from unnamed sources which highlight how the devices were given an online backstory, and – while not being able to discover exactly where they were manufactured – does detail what that manufacture looked like structurally.  This post has also been updated with some date corrections. 

Update: September 18  2024 – Multiple news outlets including NPR and CNN are citing a US Official in stating that Israel has claimed responsibility for the pager explosions. 

Update 2: September 18, 2004 – Both the Tiwanese first-party manufacturer and holder of the trademark branding for the pagers and the Hungarian 3rd-party manufucaturing company that licensed that trademark are denying that they manufactured or sold the pagers to Hezbolla. We may have to wait a significant amount of time for investigations to sort out the truth of where these devices came from.

Update 3: September 18, 2024 – An additonal wave of explosions, this time involving two-way radio devices and (possibly) solar devices has occured in Lebanon.  While no one has claimed responsibility yet, it stands to reason that this was a second-strike by the same group that detonated the pagers yesterday, presumably Israel.

Update 4: September 18, 2024 – The Guardian (a UK-based News Agency) has posted a story with more detail on how this may have happened. 

Original Post:

It would seem that there are quite a few things happening these last few months that create an immediate need for an explanation in plain english. Today has continued the trend, as I got bombarded by people asking “What happened in Lebanon with the exploding pagers?” Let’s dive into this topic, and hopefully I can offer some reassurance that a world-wide panic is not needed at this time.Noun warning 4241030 FF001C.

Please note, while I have had training in some forms of chemistry in college, I am NOT an explosives or demolitions expert. The details I provide here were gleaned from hastily-performed research on the subject. This is also a longer article than usual, because the topic is complex and full of twists and turns; so breaking it down into plain english is going to require a lot of words.

TL;DR version: No, your phone is not going to explode unless there was a defect in manufacturing, and even those are rare. What happened was not a cyber attack, but rather an act of war that included a digital transmission component. The devices were built to *be* bombs, not converted into bombs by some kind of software magic. Read on for details.

First, some background. On September 17th, thousands of pagers (those old-school devices that let someone send you a phone number or short text string to let you know to call them back) detonated in dozens of locations throughout Lebanon. All of the pagers (as of this moment) were being carried by members of the group Hezbollah, an extremist group which has carried out numerous terrorist plots and attacks over the last several decades. This link to the New York Times coverage of the event is paywalled for many, but one of the better sources of news and information on this particular situation: https://www.nytimes.com/live/2024/09/17/world/israel-hamas-war-news

While no one has yet declared responsibility for the attack, it is likely that this action was carried out by Israel as part of their ongoing conflict in the region. This is one of many points of fact that are not confirmed yet, so it is only a suspicion at this time. Considering the last operation of this scale that Israel was involved in (Stuxnet) went un-declared for 30 years, we may not know for a very long time at that. 

This leads to the inevitable question, “Can a pager (or any other mobile device) that I’m wearing or carrying become a bomb?”

The answer is a bit complex, but the short form is “not unless there was a defect in manufacturing,” and also that it is highly unlikely that today’s events were anywhere near that straight-forward. Rather, it is much more likely the exact opposite – that bombs were fashioned into mobile devices instead of mobile devices being turned into bombs themselves. Let me walk you through that.

The definition of a bomb is simply a massive amount of energy (usually in the form of heat and/or pressure) suddenly being created but trapped inside of an enclosed space. Eventually the heat and pressure exceed the ability of whatever space is containing it, and the result is a rapid dispersal of the heat, pressure, and whatever the container was made of into the immediate surrounding environment; i.e. it explodes. In this case, something caused the pagers – made of plastic with circuit boards, a battery, a small screen, and a few other components – to become the container for all the energy. When the container couldn’t hold back the energy anymore, it exploded; seriously injuring anyone nearby – including whoever was wearing the pager or had it in their pocket at the time.   

Such an explosion could be caused by many different substances. We’ve seen lithium-ion batteries explode before – https://www.cnn.com/2023/03/09/tech/lithium-ion-battery-fires/index.html – but they generally convert themselves to heat more slowly, causing very hot fires but not what we saw in the videos coming out of Lebanon today. On the other side of the equation, there are many compounds that do not take a large amount of space or weight to create significant explosions. I won’t list them out here, but a quick google search will bring them up if you don’t mind that info being in your browser history.

It is also critical to point out that these were not pagers that you could buy from a local electronics store. These were encrypted devices designed to facilitate communications between members of a known terrorist organization (using the US and UK designation for Hezbollah). Therefore, they had to either have been built for that purpose, or heavily modified to suit that purpose. This becomes vitally important later in this article. 

So, what do we know as of this moment? Two things. First, that specialized pager devices which were being worn and/or carried by thousands of Hezbollah members exploded nearly simultaneously throughout Lebanon. Second, that it is unlikely to have been caused by the batteries or internal electronics of the devices themselves due to the explosions being very different from a standard lithium-ion battery fire. 

That can lead us to a set of conclusions, but this is pending additional information which may – or may not – come out later:

It is likely that an external group – potentially the Israeli security organization Mossad – managed to replace the pagers the Hezbollah members were expecting to get with devices that had been altered to include an explosive charge and a detonation system. Alternately, as noted by Reddit user UrsusArctus – https://www.reddit.com/user/UrsusArctus/ – the pagers may have been built with the capability to be remotely destroyed if they were to be lost or stolen as a Hezbollah security measure. This last scenario is less likely because Hezbollah has not been well-known to maintain such a level of Operational Security (OpSec), but it is possible and should be considered. 

This leaves us with pagers that contain an explosive charge on purpose (put there by either an external group or by Hezbollah themselves), and some way to trigger that charge to go off on-command. In scenario one, whoever diverted and altered the pagers would have built in the ability to trigger the explosion by sending a specific code to the device or through some other remote activation. In the scenario where the devices already had a self-destruct function, a security agency (i.e. spy group) could have found the sequence of codes or other operations which would trigger such a function. On-command, all of the pagers received the code to detonate, and the result is what we saw today.

What does this mean to everyone who is not a Hezbollah agent carrying a pager? Can this be done to a regular mobile phone? A laptop? My doorbell?! – in short, it’s insanely unlikely unless you’re being targeted by a state-sponsored espionage agency, and even then there is very little chance. In cybersecurity, we don’t like using terms like “never,” but this is as close to never as you’re going to get.  

The level of coordination and secrecy necessary to pull off either of the two scenarios (replacing the pagers or infiltrating the self-destruct system) is so massive that we almost never see anyone pull off this kind of attack. It has happened for espionage purposes – see https://www.securityweek.com/chinese-gov-hackers-caught-hiding-in-cisco-router-firmware/ – but it is just absolutely rare as to be close to non-existent, and certainly insanely rare for acts of war like we saw today. While it is true that Mossad has rigged exploding mobile phones in the past, each incident was one phone, given to one target by a spy or through some other means – never anything at this massive of a scale. 

Remember that in the first scenario, you must have infiltrated and compromised the supply chain for the devices – a supply chain that routinely deals with a terrorist organization who is likely to retaliate with extreme prejudice. This would require that you basically control everything about the supply chain to an extent that no one who is part of the manufacturer or the other suppliers knows you are there, because they will certainly call you out to the bad guys if they figure out you are there.

In the second case, you would have to have had operatives in place within the terrorist group itself long enough for them to acquire access to the self-destruct systems. This is much more possible with really good spies, but still not something that your average threat actor could pull off with any level of success. Also of note, your devices would have to be rigged to explode in the first place, which I can safely assume no one reading this article has built into their iPhone. 

In both cases, it would only be possible to carry out this kind of attack because the devices were specifically built for use by the group that was targeted. These devices worked on an encrypted network, and therefore would have to be purpose-built or modified to function on that network. This allowed whoever carried out the attack to specifically target hardware and users to an incredibly precise degree. Trying to do this with commodity devices like Android phones would make it impossible to ensure that you attack those people you’re looking to attack, and them alone. Using off-the-shelf commercial devices like this also means there is a significantly higher – almost guaranteed – chance that the alterations are discovered before you can put your plan into action. So it isn’t the kind of thing that you’d see being done unless it was directly, highly, and explicitly targeted.

This is also something that can only be done once. That’s it. Now, everyone who uses covert mobile devices is going to be looking to make sure that they haven’t been tampered with; and those with self-destruct systems will disable them until they can re-secure the control systems. 

Finally, there’s no profit in this. Remember that cyber threat actors are typically in this to make money through extortion and/or resale of the data they steal. Blowing up someone’s phone doesn’t aid that goal in any way, since the device and its data are now gone. Not to mention the massive law-enforcement reaction because you either could have or actually did injure and possibly kill people. Even for hacktivists, detonation of a target will not gain them any ground, and will probably cause them to lose quite a lot instead. 

Taken together, this indicates that the attack was a state-motivated and state-sponsored act of war, and not a cybersecurity incident. Technically, it involved a cyber aspect – the devices were remotely detonated through some form of digital connectivity – but would not be classified as a cyber attack itself. This is not something that you are going to see happening frequently, and certainly not something that we’re likely to see be used as part of a cyber attack in the traditional sense. It’s also extremely unlikely that the devices were turned into bombs with just the components that would normally be part of the pager/phone/whatever. Either the devices were substituted for ones that contained an explosive charge, or the devices were built to have a self-destruct feature; they were built to be bombs, they didn’t become bombs through some technological trickery. 

So, for 99% of us, there is no real likelihood that our phones will explode without warning. Or, at least no more of a likelihood than already exists due to accidental manufacturing issues – https://www.wired.com/2017/01/why-the-samsung-galaxy-note-7-kept-exploding/ . Instead, we should maintain focus on actual cyber threats. It is far more likely that you will fall victim to a phishing or text scam, accidentally download and run malware, or do a hundred other things that do not involve explosions at all, but still cause significant damage to your personal digital systems and/or company.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.