Exploding pagers a brazen supply chain attack

The thousands of pagers that exploded yesterday hint at how nasty supply chain attacks could get.

When I first read about pagers exploding in Lebanon, I was incredulous that a cyber-attack could get lithium-ion batteries to explode.

After all, we just had a data centre fire in Singapore that started from lithium-ion batteries - and which took over a day to extinguish.

As it turns out, the reality is even worse.

Pinpoint precision

On Tuesday, thousands of pagers started buzzing incessantly, seemingly due to an error. But when users attempted to quell it by pressing a button, they exploded.

Wait, what's a pager?

• Small, portable communication device.
• Uses radio signals to transmit messages.
• Can receive short messages on a small screen.

While replaced by mobile phones in most cases, pagers are still common in industries such as healthcare and emergency services.

In this case, the "low-tech" pagers were imported earlier this year and used by Hezbollah to sidestep the dangers of smartphones.

The plan backfired. In an extraordinary attack that had no precedent, they were targeted as part of a brazen supply chain attack.

• Shipment of pager was intercepted and modified.
• Implanted with explosives the size of a pencil eraser.
• Thousands were injured, many grievously.

Supply chain attacks

Supply chain attacks are not new. It's just that they were never quite so... lethal.

• The US had for years intercepted routers, servers, and other computer network devices to embed surveillance tools before export.
• Earlier this year, a backdoor was discovered - by accident - in the XZ Utils data compression library used by many Linux distributions.
• Then there is the SolarWinds hack of 2020 where attackers inserted malware into software updates that went out to an estimated 18,000 customers.

Securing the supply chain

There are two main approaches to supply chain attacks, either hardware or software. Both must be secured against.

When I interviewed Yuriy Bulygin of Eclypsium last year, he explained that supply chain security cannot be a one-time check but is an ongoing exercise that lasts through the entire lifecycle of the product.

As our devices get smarter and are packed with more electronics, the impact of supply chain attacks will increase, even as it gets more difficult to find and defend against them.

Do you think we are doing enough to mitigate against the impact of supply chain attacks?

For now, I'll keep my smartphone out of my pocket. As a precautionary measure, you know.