{"id":57193,"date":"2024-09-24T13:30:48","date_gmt":"2024-09-24T13:30:48","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/36385\/Israels-Pager-Attacks-and-Supply-Chain-Vulnerabilities.html"},"modified":"2024-09-24T13:30:48","modified_gmt":"2024-09-24T13:30:48","slug":"israels-pager-attacks-and-supply-chain-vulnerabilities","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/israels-pager-attacks-and-supply-chain-vulnerabilities\/","title":{"rendered":"Israel’s Pager Attacks and Supply Chain Vulnerabilities"},"content":{"rendered":"

Israel\u2019s brazen attacks on Hezbollah last week, in which hundreds of pagers and two-way radios exploded and killed at least 37 people, graphically illustrated a threat that cybersecurity experts have been warning about for years: Our international supply chains for computerized equipment leave us vulnerable. And we have no good means to defend ourselves.<\/p>\n

Though the deadly operations were stunning, none of the elements used to carry them out were particularly new. The tactics employed by Israel, which has neither confirmed nor denied any role, to hijack an international supply chain and embed plastic explosives in Hezbollah devices have been used for years. What\u2019s new is that Israel put them together in such a devastating and extravagantly public fashion, bringing into stark relief what the future of great power competition will look like\u2014in peacetime, wartime and the ever expanding gray zone<\/a> in between.<\/p>\n

The targets won\u2019t be just terrorists. Our computers are vulnerable, and increasingly so are our cars, our refrigerators, our home thermostats and many other useful things in our orbits. Targets are everywhere.<\/p>\n

The core component of the operation, implanting plastic explosives<\/a> in pagers and radios, has been a terrorist risk since Richard Reid, the so-called shoe bomber, tried to ignite some on an airplane in 2001. That\u2019s what all of those airport scanners are designed to detect\u2014both the ones you see at security checkpoints and the ones that later scan your luggage. Even a small amount can do an impressive degree of damage.<\/p>\n

The second component, assassination by personal device, isn\u2019t new, either. Israel used this tactic against a Hamas bomb maker<\/a> in 1996 and a Fatah activist<\/a> in 2000. Both were killed by remotely detonated booby-trapped cellphones.<\/p>\n

The final and more logistically complex piece of Israel\u2019s plan, attacking an international supply chain to compromise equipment at scale, is something that the United States has done, though for different purposes. The National Security Agency has intercepted communications equipment in transit and modified it not for destructive purposes but for eavesdropping. We know from an Edward Snowden document<\/a> that the agency did this to a Cisco router destined for a Syrian telecommunications company. Presumably, this wasn\u2019t the agency\u2019s only operation of this type.<\/p>\n

Creating a front company to fool victims isn\u2019t even a new twist. Israel reportedly created a shell company<\/a> to produce and sell explosive-laden devices to Hezbollah. In 2019 the FBI created a company that sold supposedly secure cellphones to criminals\u2014not to assassinate them but to eavesdrop on and then arrest them<\/a>.<\/p>\n

The bottom line: Our supply chains are vulnerable<\/a>, which means that we are vulnerable. Any individual, country or group that interacts with a high-tech supply chain can subvert the equipment passing through it. It can be subverted to eavesdrop. It can be subverted to degrade or fail on command. And although it\u2019s harder, it can be subverted to kill.<\/p>\n

Personal devices connected to the internet\u2014and countries where they are in high use, such as the United States\u2014are especially at risk. In 2007 the Idaho National Laboratory demonstrated that a cyberattack could cause a high-voltage generator to explode. In 2010 a computer virus believed to have been developed by the United States and Israel destroyed<\/a> centrifuges at an Iranian nuclear facility. A 2017 dump of CIA documents included statements about the possibility of remotely hacking cars, which WikiLeaks asserted could be used to carry out \u201cnearly undetectable assassinations<\/a>.\u201d This isn\u2019t just theoretical: In 2015 a Wired reporter allowed hackers to remotely take over his car<\/a> while he was driving it. They disabled the engine while he was on a highway.<\/p>\n

The world has already begun to adjust to this threat. Many countries are increasingly wary of buying communications equipment from countries they don\u2019t trust. The United States and others are banning<\/a> large routers from the Chinese company Huawei because we fear<\/a> that they could be used for eavesdropping and\u2014even worse\u2014disabled remotely in a time of escalating hostilities. In 2019 there was a minor panic<\/a> over Chinese-made subway cars that could have been modified to eavesdrop<\/a> on their riders.<\/p>\n

It\u2019s not just finished equipment that is under the scanner. More than a decade ago, the US military investigated<\/a> the security risks of using Chinese parts in its equipment. In 2018 a Bloomberg report revealed US investigators had accused China of modifying computer chips<\/a> to steal information.<\/p>\n

It\u2019s not obvious how to defend against these and similar<\/a> attacks. Our high-tech supply chains are complex and international. It didn\u2019t raise any red flags to Hezbollah that the group\u2019s pagers came from a Hungary-based company that sourced them from Taiwan, because that sort of thing is perfectly normal. Most of the electronics Americans buy come from overseas, including our iPhones, whose parts come from dozens of countries<\/a> before being pieced together primarily in China.<\/p>\n

That\u2019s a hard problem to fix. We can\u2019t imagine Washington passing a law requiring iPhones to be made entirely in the United States. Labor costs are too high, and our country doesn\u2019t have the domestic capacity to make these things. Our supply chains are deeply, inexorably international, and changing that would require bringing global economies back to the 1980s.<\/p>\n

So what happens now? As for Hezbollah, its leaders and operatives will no longer be able to trust equipment connected to a network\u2014very likely one of the primary goals of the attacks. And the world will have to wait to see if there are any long-term effects of this attack and how the group will respond.<\/p>\n

But now that the line has been crossed, other countries will almost certainly start to consider this sort of tactic as within bounds. It could be deployed against a military during a war or against civilians in the run-up to a war. And developed countries like the United States will be especially vulnerable, simply because of the sheer number of vulnerable devices we have.<\/p>\n

This essay originally appeared in The New York Times<\/a>.<\/em><\/p>\n

Tags: cyberterrorism<\/a>, cyberwar<\/a>, Internet of Things<\/a>, supply chain<\/a><\/span> <\/p>\n

Posted on September 24, 2024 at 7:05 AM<\/a> \u2022 0 Comments<\/a> <\/p>\n