Good point. And, the girls dig it.
I saw one explode in a guy’s pocket. I would think a five second timer would work to get the user’s face. I presume the child killed picked up Daddy’s pager when it beeped.
But that’s very significant. It’s one thing to slip a single modified pager into a shipment. You can get some skilled technician to do the work overnight and then probably have a single person on the inside (who can carry it in their pocket). But hundreds or thousands at once? That makes for a vastly more complicated operation. You’d need a team of people to manufacture the modified pagers and swap an entire pallet of them. It would call for a limited production run of the unit, not just a one-off prototype. And of course there are a bunch of details to take care of, like the boxes and serial numbers.
There could not have been that much time between finding out about the order and the actual supply chain injection. Maybe they already knew the model of pager that Hezbollah preferred and modified them in advance, but that takes a fair amount of foresight and means taking a risk on an operation that may never happen. And quite possibly there were multiple models and Israel had to build modified versions of each type, just in case.
And if they had to perform a just-in-time operation–maybe because the serial numbers were known in advance, or the encryption keys were pre-programmed or the like–then it becomes even more difficult, and you’d need hundreds of people to perform the modifications, since it’s going to be a bit suspicious if the shipment hangs out at some facility for a month or two.
Seems very doable for Israel. Buy a few pallets of a given pager using some front company.
Modify the pagers with a team of a dozen people who could probably get through a thousand in a week.
Re-package and then slip the pallet in to a shipment going to Lebanon (I have no doubt the Mossad could do that in their sleep).
Rinse and repeat.
Israeli intelligence has a lot of technical capability when it comes to manufacturing and modifying normal objects to contain surveillance and explosive devices. I don’t know if you’ve ever taken apart a pager but because unlike phones they don’t have to pack in a lot of complicated graphics, photographic lenses, and audio, and often have an externally removable battery (as pagers are frequently used by medical personnel and emergency workers who need to be able to replace the battery during a shift) there is a lot of room, certainly enough to pack a few dozen grams of plastique explosives, a tiny EBW detonator and capacitor, and a microcontroller tied into the display (or the buzzer) so all you have to do is open up the case and solder in a few connections. A skilled technician could probably crank out a few of these an hour.
If this was some kind of grey market sale (Hezbollah being considered a terrorist group worldwide, it is unlikely that a reputable wholesaler would sell direct to them), it is unlikely the receiver had some previous accounting of serial numbers, and even if they did, it would be easy enough to purchase an order of the identical device in the same quantity, make the mods and alter the serial number and lot markings and firmware, and then just swap them out. Frankly, the purveyor may have been in on the swap; it would not be the first time an adversary purchased communications gear or weapons provided as a ploy to insert sabotaged product.
Stranger
What? Moishe’s Pagers R Us risked their great Yelp reviews?
No, though I did write a software-defined-radio program to decode local pager signals. Kinda blew my mind, actually, that it’s transmitted totally in the clear. And that they’re still in common use by hospitals and other services (at least as of a few years ago). Confidential medical information just being blasted out.
These were encrypted, though undoubtedly they could have tapped into somewhere on the PCB that contained unencrypted data, or possibly just looked at what was sent to the display device.
Clearly so. But it’s still a very sophisticated operation. Lots of moving parts that could go wrong.
This was their new, secure method of communicating, within the past couple of months. Israel just demonstrated they’ve got them figured out really well, & probably picked up a lot of info on Hezbollah members that they previously didn’t know about just by sitting someone on a bench outside of an ER; anyone coming in with a groin, hip, or face injury is now assumed to be Hezbollah & if they have the ability to access medical records of anyone in the ERs today, they probably have name, address, & next of kin, too.
72 virgins ain’t worth it, I’d be resigning my commission effective immediately if I was a terrorist.
They killed 9, severely injured > 100, 2800 injured in total, their communications in total disarray, & fear in the membership. I’d say it was an extremely successful operation.
As opposed to their reputation of openly selling tech to militias and terrorist groups? Difficult choice…
Whatever purveyors were in on it, it was near the top of the chain; the sabotaged batch was not swapped in last week.
Israel is also really good at cracking encryption, particularly on mobile devices:
But given physical access they wouldn’t even have to break through any encryption. An installed microcontroller could pick a particular message going to the display, or a keyed signal to the buzzer/speaker, and just detonate from a message sent to the device in the clear without breaking any broadcast-to-peer signal. This was a pretty elaborate plan but not all that difficult to execute given the technical prowess and logistical capability of Mossad.
Stranger
Yeah–encryption is very hard to get right, even by serious players like Google or Apple. Some random “encrypted pager” maker? They’re gonna fold like a cheap suit vs. even an amateur cryptographer.
I doubt they needed to decrypt anything on the receiving end for the reasons you state. However, they may have needed to inject an encrypted message on the sending side so that the device would receive it properly. No real obstacle, I suspect.
I was thinking Stuxnet here as well. I am also leaning toward supply chain penetration and modification of the pagers. It seems any nation with a security outfit worth its salt has tentacles deep, deep under cover within its enemies and has thought out all kinds of strategies and scenarios.
I agree. But, it is probably expensive and takes a long time to set up and I would think these are one-time tricks you get to pull. Your enemy, now wise to that crack in their security, will probably not be fooled twice. When you build a better mouse trap you will eventually end up with smarter mice.
Obviously, Israel (presumably) thought it was worth playing this card now. I suspect they really do not want a two-front war with Hezbollah and Hamas so they are aggressively back-footing Hezbollah right now.
This NYT article has more info here and answers many of the questions in this thread. I’m sure it’s paywalled, but it came up for me for some reason.
Looks like they have deleted the product page, but Archive.org caught it yesterday. (Or still today for some time zones.)
I wonder if the Mossad owned the transport ship and just made all the modifications en route from Taiwan? Plenty of time to do it during the trip with not too many people.
Just a WAG. I hope someday we can learn how it was all accomplished.
Some observations/thoughts:
- pagers don’t transmit, so microphones make no sense; power requirements alone…
- any random pager manufacturer can use commodity asymmetric encryption if they want to, so I doubt anyone cracked encryption, not needed
- Hz (as a friend refers to Hezbollah) made a thing about using pagers because they aren’t trackable
- if I were naming this attack/project, it would be something like “MegaHz”
- I sure hope the trigger was a text saying something like “321BOOM!”
- one wonders how they were targeted specifically: a broadcast message (do those still exist for pagers?), or did they build a set of targets through connections - X called Y called Z called A…, and then send to all of them?
All pagers receive ALL pager communications in the area. They just ignore messages not meant for them.
Seems simple enough for the explosive part to have a chip listening for “321BOOM!” even if not meant for that pager.
Given the near 3,000 that went off I do not think they “targeted” anyone. They just set them all off. Perhaps they knew that Hezbollah liked shopping at Pagers-R-Us in Lebanon so made sure the altered pagers all went there.
Yeah. Good chance there’s a pin on one of the chips with access to the incoming bitstream.
I implemented something like this on a satellite so that I could trigger it to ~~explode~~ reboot remotely. But I wanted it to work no matter what state the main program was in, even totally frozen. So it just looked at the raw incoming radio bytes for a particular string. No other processing, no decoding–just a little state machine that looked for a certain random sequence. Mossad easily could have set up something similar that looked at the bits coming straight from the radio.
I think there were some reports that the pagers buzzed and then exploded a bit later for maximum damage. That might imply they had a real message, though they probably could have engaged the buzzer manually as well.
According to Israeli media, the reason the beepers were detonated now is that Israel learned that Hezbollah was getting suspicious of them - maybe some technician had taken one apart and found a strange piece - so it was a “use it or lose it” scenario.