The Hezbollah Pager Attack: How?

By now I’m sure you’ve heard about the epic, ingenious pager attack that Israel carried out against Hezbollah:

At least nine people were killed and about 2,750 people were injured in Lebanon on Tuesday during the mass explosion of pagers belonging to members of Hezbollah, according to the country’s health ministry.

A Hezbollah official described the event as the “biggest security breach” the group has suffered since the start of the Israel-Gaza war nearly one year ago, according to a Reuters report. The Shiite terror group claimed that lithium batteries inside the pagers apparently detonated.

Some members allegedly felt the pagers “heating up” before abandoning them, according to an unnamed Hezbollah official speaking to the Wall Street Journal. Hezbollah officials have speculated that Israeli malware could be behind the infiltration.

Sky News Arabia, however, quoted sources insisting that Mossad, Israel’s primary intelligence agency, physically planted explosive materials inside the pagers before they were delivered to Lebanon.

According to the Times of Israel, Hezbollah Secretary-General Hassan Nasrallah turned to pagers after he directed members to stop using cell phones in February, fearing they could be tracked by Israeli intelligence. A Lebanese security source claimed the devices were imported five months ago, according to Al Jazeera.

Seven individuals were similarly killed in Syria around Damascus, according to Iran’s IRGC-affiliated Saberin News. This signals a coordinated effort to reach the group in multiple locations across different countries.

Everyone and their dog has posted this story, so I wasn’t going to note it outside the LinkSwarm, except I think some commenters are making erroneous assumptions about how the attack was carried out. I see three possibilities:

  1. The Sky News Arabia suggestion (also floated in this Washington Post article) that the attack was carried out via a supply chain attack planting explosive in each pager, seems clever and has a certain surface plausibility. But I think it very unlikely, mainly because, if you already have that level of access to their communication network hardware, planting explosives is probably the least rewarding attack you could carry out. No, the real play for a supply chain attack is to compromise the security of the devices themselves so you can use Hezbollah’s own devices to spy on their entire communications network. That’s a whole lot more valuable than a handful of deaths and a larger number of maimings. I also find the idea that they intercepted the batteries and loaded them with Pentaerythritol tetranitrate (PETN) even less likely. Just how would these batteries receive the detonate signal if they’re not directly in the circuit to access the antenna to receive the signal?
  2. My guess is that Israel discovered the type of battery and charging firmware Hezbollah’s pagers used, and used a remote exploit to trigger overcharging in the batteries. This also aligns with reports that several Hezbollah terrorists felt the pager getting hot before they exploded. That isn’t the way explosives work, but it is the way Lithium Ion batteries respond to overcharging. Further supporting this hypothesis is that Israel’s previous Stuxnet worm targeting Iran’s nuclear program used a broadly similar attack (a combination software/firmware exploit that caused physical destruction of the targeted system). Such attacks are by no means easy, but dozens of broadly similar hardware hacking exploits are revealed at DEFCON every year.
  3. A third theory I’ve seen proposed by various commenters: Israel was able to explode the pagers because Hezbollah equipped all of them with explosives from the git-go, either to use as improvised explosives or for data security if captured. The first is unlikely because we all know Hezbollah has access to a wide range of explosives to build bombs and IEDs with, and it doesn’t make sense to use something as small as a pager for any significant target. The second strikes me as deeply unlikely from a cost/benefit analysis.

(If someone can think of another theory than those three, let me know in the comments below.)

The heady onrush of the technological revolution has allowed non-state actors like Hezbollah to punch well above their weight by using commercial off-the-shelf technology to strike vulnerable targets (civilians and infrastructure) of larger state actors like Israel. But the downside of not controlling your own supply chain is that a technologically sophisticated state actor like Israel has the knowledge and resources to hack your consumer-grade equipment.

I just read that Hezbollah radios are now exploding as well, so I’m going to go ahead and post this before Israel manages to remote detonate still more of Hezbollah’s tech.

Hezbollah, of course, is talking about launching a full-scale war against Israel. Given the destruction of their communication networks, one wonders how long it will take them to learn semaphore to coordinate attacks…

Tags: , , , , , , , , , ,

30 Responses to “The Hezbollah Pager Attack: How?”

  1. D Liddle says:

    There was some discussion over at Althouse blog yesterday that this was somehow a malware aka stuxnet style cyberattack. Close, but not likely.

    I’m inclined to agree with other comments I’ve seen that it’s possible the plastic cases themselves (or parts of the cases) were explosive themselves. It’s not outside the realm of possibility that a plasticizer matrix and curing procedure hasn’t been found to approximate closely ABS or other commonly mfg plastics.

    The only problem with this I can see is that there appears to be lots of beeper case fragments left over, and I can’t believe that Hezballes doesn’t have bomb sniffing equipment or dogs that would’ve picked up on this. Whatever it was, it’s going to be hard to replicate again. Every scumsucking transnational group of evil doers is at this moment checking all their equipment.

  2. ed in texas says:

    Exploding carrier pidgeons ready to deploy…

  3. BigFire says:

    The latest batch of ‘secure’ pagers was bought in bulk from a Taiwanese manufacture (probably via shell company to hide the real buyer). Mossad apparently infiltrated this supply chain and add a small amount of high explosive between the battery and the pager and also modified the device so they can initiate detonation remotely. It would appear that they did the same thing with the walkie talkie. Even with all of these explosion, they are still using them without inspecting them for tempering.

  4. The other cliff says:

    I’m going with no. 1 with the understanding that the benefit of this attack was not just harming a few people. The extras include identifying their network of operatives and supporting personnel by looking at who got hit and who helped them out. Another benefit is the inevitable self doubt and mole hunt that will follow for years. Let’s not discount the hit to recruiting that will also follow. Dying for a cause is one thing. Getting your nuts blown off is quite another. Now they just need to circulate a rumor that they covered the explosives with pig fat.

  5. MediumSizedNose says:

    They can’t be “overcharged” unless they are connected to a charger. That seems extremely unlikely while walking around with it, unless they are also carrying some kind of portable battery-powered recharger or battery extender. Don’t know of anything small enough to use that way. They might have found a way to >overload< the battery, which would also cause excess heating. No idea if that could actually be done, though.

  6. Greg the Class Traitor says:

    1: I tend to agree that if they could insert explosives into the pagers, they could let them insert an exploit to copy all pages sent / received (and maybe add fake ones?).
    Which then makes me wonder: what could they get from the explosions that would make it worth losing the information source?

    2: Blowing up lots of Hezbollah electronics pushes me more towards the “no, they just did explosives” POV

    3: What I’m waiting for is the strategic payoff. The only one that comes to mind is launching an invasion / getting proxies to attack Hezbollah while they’re disorganized, unable to communicate with each other, and a bunch of their “leadership” are in the hospital

  7. Kirk says:

    This is exactly how you should do this sort of thing. You have to consider not just the initial effects, but the second-, third-, and fourth-order ones.

    Whoever did this just effectively decapitated Hezbollah. They can’t talk, can’t coordinate, and now the only way they can really effectively do any of that is down to landlines and the internet. Which we know the Israelis have already very thoroughly penetrated.

    If the idiots running Hezbollah insist on attacking Israel after this, the whole thing is not going to go very well for them.

    Effective psychological warfare, too… The Arabs already ascribe some really crazy things to the rest of the world, and this is only going to make it worse. “Jew Magic” is a valid thing, in all too many Arab minds. This incident will do a lot to perpetrate that mindset…

    If the Israelis can keep this sort of thing up, then expect a lot longer peace in the region. If I were Iranian, and working in their nuke programs? I’d be looking at things with a very critical eye; if they can somehow infiltrate the supply chain like this, then what else have they managed? How safe are the systems the Iranians are using to launch their bombs and do their command/control over them with?

  8. Andy Markcyst says:

    Wars are won in the will, Greg. But before the will breaks, you break the enemy’s ability to shoot, move, and communicate. I think Israel just put a big hurt on Hamass’s ability to move and communicate.

    ♫Cause 2 out of 3 ain’t bad♫

  9. A. Nonymous says:

    Rumor has it that Hez guys were getting suspicious about how the batteries didn’t last nearly as long as they were supposed to, and it was turning into a now-or-never situation. Again, however, that’s just a rumor.

    As for strategic effects, it should definitely impact Hez’s ability to organize and command its people, and if some strategic RUMINT is dropped on them that causes them to point fingers at each other, it’ll take even longer for them to reconstitute. Beyond that, it’s all speculation; we’ll have to see what each side has planned.

  10. Kirk says:

    Look for stories coming out about how “what really happened here” was something along the lines of the Hezbollah leadership implementing “suicide charges” in the hardware in case any of the users turned out to be less than trustworthy, and that the Israelis simply made use of that “feature”.

    Doesn’t matter if it’s true or not; the idea is to sow the maximum amount of distrust and suspicion. If the opinion among the Hezbollah foot soldiers develops that their bosses did this to them deliberately, not trusting them…? And, the Israelis simply took advantage of it all?

    Yeah, there are going to be a lot of questions about loyalty being raised.

    The other thing that strikes me… OK, they had a second wave of these attacks because the idiots running Hezbollah decided to use the radios and other stuff they bought at around the same time, and maybe even from the same vendor…

    How ‘effing stupid do they have to be, to do that? I can’t wait to learn the details; the low-bid vendor on all this crap was probably some LLC named “Jewboy Electronics”, or something… And, the buyers at Hezbollah got a really, really good deal on the pricing.

    You can really tell that the quality of state sponsorship they’re used to having has gone down. There’s no damn way the KGB or GRU would have allowed something like this on their watch; today’s Iranian Guard handler probably took kickbacks on this deal, and maybe even knew that “Jewboy Electronics” was a Mossad front; all he needed was a big enough payday, and he’d be fine with it.

    Also, big question: Which China provided the hardware? Mainland CCP kind of China, or the Taiwan kind of China? Either way, it’s a big deal because of what it says about the relationship between Israel and either one of them.

  11. Steve White says:

    As some have noted elsewhere, it would be much more valuable, if you have the ability to intercept the pagers and modify them to taste, to set them up to broadcast the wearer’s location. Quite a bit of data collection there, and when combined with other data sources could build quite the map of Hezbollah locations, leadership, meetings, gatherings, and so on.

    It’s the age-old question of whether to use a here-to-fore unsuspected direct capability and thereby reveal it to your adversary, or stick with passive monitoring and collect information.

  12. Lawrence Person says:

    In an episode of The Wire, the police are having a hard time tracking a drug gang because they change burner phones (and thus numbers on wiretap warrants) too often. So they come up with a plan to sell the bangers new burner phones with the number/simcards already on warrants…

  13. Kirk says:

    @Steve White,

    Who is to say that they didn’t do that, and that this attack was either a spoiling attack on them before they attacked Israel, or they picked now to do it because they’d gotten the idea that Hezbollah was on to it?

    Nowhere near enough information is out there, yet. May never be; this is early days, and they’re reporting laptops blowing up, as well.

    My guess is that the sheer overload of suspicion and fear over this is going to have Hezbollah using two cans and a piece of string for quite awhile, as well as avoiding anything like a landline telephone or computer. It’ll all be runners and notes being passed…

  14. 10x25mm says:

    PETN is unique among main charge explosives in that it can be detonated with only a very modest spark, maybe 25 mJ. No primer charge is necessary. The heating of the pagers noted was most likely the seconds long spark detonation process. Some surface ignition occurs before detonation.

    PETN is wax plasticized and rolled into thin sheets called “Primersheet”. These sheets can be quite thin and substituted for paper and card stock, even colored and inked. It can be substituted for battery packaging by a sophisticated manufacturing operation.

  15. Howard says:

    As usual, Bruce Schneier has a useful post with some of the best sources, as well as insightful commentary:

    https://www.schneier.com/blog/archives/2024/09/remotely-exploding-pagers.html

  16. Howard says:

    @Kirk

    … the low-bid vendor on all this crap was probably some LLC named “Jewboy Electronics”, or something… And, the buyers at Hezbollah got a really, really good deal on the pricing …

    Unconfirmed, but according to this rumor you’re right! B&H Photo?!

    https://goachronicle.com/hezbollah-members-pagers-exploded-in-coordinated-attack-israel-suspected-of-hacking/

    GoaChronicle through its intelligence network has learned that Israeli intelligence successfully intercepted a shipment of pager batteries that had been ordered from B&H Photo. The order was placed from Lebanon. Acting on a confirmed tip, the intelligence agency seized the shipment and covertly modified the batteries. Small, undetectable explosives known as Kiska 3 were inserted into the battery casings and connected to the battery wires via a discreet chip. The pager model was Rugged Pager AR924 IP67. The operation code word was ‘Below the Belt’.

  17. R C Dean says:

    People more knowledgeable than I have noted that lithium ion batteries don’t go boom – they overheat, outgas, and ignite.

    These pagers were apparently in use for months – plenty of time for Israel to harvest intel from them, then disrupt and demoralize Hez by blowing them up. Apparently, there was a series of air raids in Lebanon the night after the pagers blew.

  18. Greg the Class Traitor says:

    hotair.com/headlines/2024/09/18/hungary-hezbollahs-pagers-were-never-here-n3794672

    Taiwanese pager firm Gold Apollo said on Wednesday the model of pagers used in the attack against Hezbollah were made by Budapest-based BAC Consulting, , adding it had only licensed its brand to the company and was not involved in the production of the devices.

    Hungarian authorities have established that the company in question is a trading-intermediary company, which has no manufacturing or other site of operation in Hungary,” government spokesman Zoltan Kovacs said on Facebook.

    Note, children: Do not buy electronics from China

  19. M. Rad. says:

    Clearly was a supply chain attack. Lithium batteries burn like literal Hell but don’t explode in the way these pagers did. The Mossad likely intercepted an unusual order for pagers as it passed through distribution, not enough time to bug them with transmitters, which would require an extensive circuit re-design for a device with no existing transmitter, and may not have fit into the case anyhow, They did have enough time to insert a ‘splodey battery (which is old hat for Israel by now) and reflash the firmware. The circuit board would need a jumper wire hand-soldered from a GPIO pin to the go-boom detonator input, and that might tip off the first repairman who cracks one open for service. Even if they managed to bug the things, a rational actor will set-us-up-the-bomb before the ruse is discovered.

  20. vittlez says:

    Today has reports of walkie-talkies exploding. Going after enemy communications, especially multiple fallback forms? Conclusion: war, soon

  21. Kirk says:

    That one little detail just makes me go “The Fuuuuck?????

    B&H Photo was the supplier for the batteries? Really? Just how stupid is Hezbollah’s supply staff, and how did any of them think that was even remotely a good vendor to use? B&H Photo is run by a bunch of what even other Jews regard as stereotypical New York City Jews, and you will hear well-meaning advice from many that “You should be very careful doing business with those guys” from Jews out in the hinterlands where I live. Other Jews think the folks at B&H Photo are a little skeezy, and Hezbollah thought they’d use them as a supplier? WTF? Seriously, WTF?

    The deal must have been drop-dead amazing, but I’ll bet they managed to make them pay a premium price for those batteries, telling them they were the extended-life high-power versions…

    Swear to God, if this is true? It’s one for the ages. As in, ain’t nobody gonna believe that crap, if you wrote it into a novel. It’d never sell; too implausible.

    I have to take my hat off to the Mossad. They seem to be getting their crap back together again.

    Dumbest goddamn thing in the history of the world was the Arabs deciding not to embrace their Semitic brothers coming home from the Diaspora. Had they made good allies of them? Coupled with the resources they had? The Arabs and the Jews would be running the Middle East together in harmony, be incredibly wealthy, and likely be on their way to actually dominating a large part of the planet. Instead? They were stupid, and chose very poorly.

  22. Hairless Joe says:

    FWIW I’ve dealt with B&H Photo for years and even visited their store in NYC a couple of times. I never found them in the least bit sleazy. They have a good reputation among photographic enthusiasts as a dependable vendor.

    I’m sure if your money is good, and it’s not illegal, they’ll sell to anybody, which is what we expect merchants to do. The story seems far-fetched to me, but leave it to an Arab to buy parts from a high-profile supplier in New Your City run by Orthodox guys (not just the store, they shut down online ordering on Friday afternoons for pete’s sake).

  23. Howard says:

    @Kirk

    I’m with you. Sounds too insane to be true. I’ll assume it’s not true, but laugh at the possibility.

  24. Steve White says:

    @ Kirk: in the photography / videography world B&H is considered a trusted vendor. I’ve purchases lots of gear from them (no pagers) and am very happy. Plenty of photography-oriented web sites praise them — B&H, Adorama, and Crutchfield are considered the go-to places for expensive gear (and stay the hell away from Amazon if you’re buying a $4K camera).

    So when I saw that the Hezbies were buying batteries from B&H, I snickered and said to myself, “of course! You always buy from the best!”

  25. 10x25mm says:

    The pagers and walkie talkies were entirely manufactured in Israel under IDF supervision. B&H played no role.

    PETN sheet was used to encapsulate the lithium batteries and was command detonated by spark.

  26. Andy Markcyst says:

    If the stories are true about a massive net of IDF/Mossad controlled shell companies producing and distributing the pagers in toto, then it lends massive support to the old phrase that “fortune favors the bold”. Bold. Very bold.

  27. John says:

    @Kirk,

    Regarding the two cans and a string fallback for Hezbollah, word is Mossad has already swapped out the string with det cord.

  28. BigFire says:

    re: Andy Markcyst

    Fortunate also favorite the prepared.

  29. […] Attacking so fast they won't know what hit them… « The Hezbollah Pager Attack: How? […]

  30. Kirk says:

    Current “conventional wisdom” on this story is that B&H Photo had nothing to do with the whole thing, but that is a seriously amusing idea that they might have had involvement…

    Dunno about other people’s experience with B&H Photo over the years, but I’ve personally had the experience of getting what was almost certainly a customer return sold to me by them “as new”, and then having to spend hours with them on the phone trying to straighten it out. Friend of mine who is Jewish heard me discussing the joys of the situation, and then he’s like “What did you expect? New York Jews…”, then included an epithet in Hebrew for “Hasidic”.

    Your mileage may vary, I dunno. I honestly didn’t think they were Jewish-owned and operated until my friend told me.

    That said, the story behind this series of events appears to be growing more complex and far more confusing than previously. It’s starting to look like a multi-stage process, one that the Mossad effectively herded the Hezbollah leadership into. First stage was getting them to mistrust the existing network of smart phones, which then necessitated them procuring something else entirely, which the nice Mossad agents helpfully provided by the pallet load.

    If nothing else, this is an object lesson in why centralized anything in this day and age is vulnerable to interference and sabotage. You’re screwed when you open yourself up to it all, and equally screwed if you don’t, because your enemies are going to leverage their use of this stuff as key enablers in beating your ass into the ground.

    Frankly, I suspect that there’s going to be a rule of thumb, going forward: If your nation/society/people are significantly less “smart” than your opponents, you can count on losing the war, no matter how militaristic you might be.

    An effect of this would be demonstrated by what just happened in Russia at that ammunition storage point. Biggest, most modern ammo supply facility built in Russia (coincidentally, right where it could best support war in Ukraine…) gets blown to shit because… Wait for it… The usual poor Russian low-level discipline issues and cutting corners.

    Ammunition supply points in the West typically don’t go all high-order the way Soviet-era ones are wont to do. Why? Because we have actual safety standards that get enforced.

    This thing going “Boom” is a by-product of all the manpower required in the supply chain the Russian Federation inherited from the Soviet Union. No MHE means that at every step along the way, you have to have a lot more people handling the munitions, which also means that “more people” being “people of limited training/experience”.

    Average yokel doesn’t think too much about “risk” when it comes to ammo storage. You have idiots doing stupid stuff, all the damn time, in the US military… Storing initiators and fuses together with explosives, insufficient separation, piss-poor field discipline for ammo storage, whole nine yards. In the Russian system? LOL… Exponentially worse.

    I’ll guarantee you that there is only one damn way that those “drone fragments” did this: They had literal tons of munitions stored out in the open, and likely with no regard to things like separating fuses from the rounds. Storage igloos aren’t going to blow up if burning debris fall on them; you have to hit them with something that’s got a penetrator on it, like a glide bomb or an actual missile that’s purpose-designed for the attack. The only way you blow up a whole ‘effing facility like this is if you’ve got really shitty discipline out where the rubber meets the road… Guys who’re not putting the munitions into the storage igloos, or who are storing things haphazardly. You also have the usual frictions of military life, like unexpected shipments showing up, and getting left out because you don’t have enough manpower or MHE on hand to get it under cover.

    This was allowed to happen through poor practice/discipline. The guys who did it? Likely dead. You don’t survive being in an ammo storage facility that goes “BOOM” like that, at least not unless you’re incredibly lucky.

    The other thing operating here is the also-inherited Soviet bias towards “function” in their munitions design. EOD guys hate working Soviet ordnance, because it ain’t safe; the explosive fillers are things like picric acid (prone to degradation into some very shock-sensitive compounds), and the fusing systems are usually not all that “safe”. Classic example: Soviet 30mm grenades did not have rotational safety systems in the fuses; they were impact fuses with zero real safety features, because if they had them, that raised the dud rate too high. US 40mm grenades all have a rotational safety built in: They can’t go bang until inertia and rotation have turned the clockwork inside sufficiently so as to enable the firing pin. You can’t set one off until that’s been done, so… Safe. Soviet stuff? Too expensive; quality control was lacking, so they didn’t bother with those “excessive” safety systems.

    Which factors also go into why their ammo dumps tend to go “BOOM” a lot. Do a search on the subject, and you’ll find them all over the place, going back to the 1980s… Which was also the period when a lot of their old ammo had started to degrade in storage.

    When the West German government got into the storage facilities in the old East Germany, they thought they’d walked into a nightmare. Where they thought that they’d be able to sell most of the stock they’d inherited, what they actually discovered was that the vast majority of it was too unsafe to even allow onto the roads. They wound up demilling the majority of it on-site…

    This, I must point out, was the same West German government that said it was A-OK for the US to haul out its old stocks of chemical munitions to destroy in the US… Hauled around on those same German railways and highways. Think about that for a second or two… They did the risk assessments, and determined that ancient stocks of US chemical weapons were safe to haul, and normal Soviet conventional munitions weren’t.

    That fact alone speaks volumes.

Leave a Reply