Possible to trigger at battery explosions in pagers ?

[mikeselectricstuff]

Just saw some specs on the device used - battery is rechargeable so a lot easier to conceal something inside, as the battery wouldn't normally be accessed, and the unit probably not readily openable. 

[Gyro]

The exploding (now confirmed) walkie talkies implies some completely separate - ok, maybe using the same frequency band, or maybe the pager network again(?) receiver and trigger system. I wonder if any of the international agencies detected a high power transmission on what would normally be a band used by short range devices.

[electronx]

The interesting part is that the company can produce its own asic chips or just change the markings with laser. You may be able to access the device in devices that use the stm 32 series fake mcu. But how can you break the special asic? Did they put their own mini pcbs inside?

[tom66]

Wait, they're afraid that their cell phone transmissions will be intercepted, but they replace something that could use end to end encryption over the internet with... a pager that broadcasts in clear text (POCSAG has no encryption) at 2400 bps on a normal VHF frequency??

I mean, sure, they could be using some kind of codebook or basic cipher, but why would they not do the same on a cell network?

 

It also only supports 7-bit ASCII, which could be a challenge for a mostly-Arabic speaking country, although I suppose they are probably using Romanisation (not sure how widely it is understood there.)  Or they could just use English.

[Andy Chee]

Wait, they're afraid that their cell phone transmissions will be intercepted,

I think it's more that modern cell phones contain GPS..... terrorists don't exactly want to carry a tracking device on their person.

[tom66]

Wait, they're afraid that their cell phone transmissions will be intercepted,

I think it's more that modern cell phones contain GPS..... terrorists don't exactly want to carry a tracking device on their person.

They could surely buy enough Nokia 3310's if that was a concern.  Or a custom ROM on an Android phone to remove the GPS function altogether (probably want to kill WLAN too as that can be used for location finding).

Pagers seem like an odd decision.  But I guess I wouldn't expect terrorists to have the most logical thinking patterns.

[nctnico]

Wait, they're afraid that their cell phone transmissions will be intercepted,

I think it's more that modern cell phones contain GPS..... terrorists don't exactly want to carry a tracking device on their person.

GPS isn't the problem but modern day LTE cells are small so you can trace a phone to a couple of hundred meters while it moves from cell to cell. And don't be surprised encryption can be broken by state funded agencies.

[Andy Chee]

Wait, they're afraid that their cell phone transmissions will be intercepted,

I think it's more that modern cell phones contain GPS..... terrorists don't exactly want to carry a tracking device on their person.

They could surely buy enough Nokia 3310's if that was a concern.  Or a custom ROM on an Android phone to remove the GPS function altogether (probably want to kill WLAN too as that can be used for location finding).

Pagers seem like an odd decision.  But I guess I wouldn't expect terrorists to have the most logical thinking patterns.

Regardless of device we now know that Israeli intelligence is quite adept at intercepting Hezbollah's supply chain logistics. 

Therefore any bulk purchase and distribution of Nokia 3310, custom Android ROM, or pagers, by Hezbollah will likely be compromised.

The question is why did Hezbollah consolidate their supply of pagers to a single source?  Just like the semiconductor shortage for car manufacturers, it's generally a silly idea to put all your eggs in one basket.

Part of the answer is that within the counter-intelligence operations, Israel may have triggered a kneejerk reaction for Hezbollah to urgently switch their communications methods to pagers, thus opening a window for Israel.  But this latter point is speculation beyond the scope of this thread.

The general point is that single sourcing is generally a bad idea.

[EEVblog]

I suspect someone intercepted a delivery or broke into the room keeping the pagers on charge overnight and swapped them for new units with a bit of added C4.

Yep, man-in-the-middle hack.

[CatalinaWOW]

Something in this doesn't add up.  Sure you can track cell phones.  But knowing which phone to track when almost every man, woman and child has one is a much deeper problem.  Same principal applies to pagers, and now walkie talkies based on the latest news.

The implication is that the actor here has very deep intelligence in the Hesbollah network, and using this attack vector is at least partly being done to hide how that intelligence is being gathered.  Doesn't matter if it is Israel, the US (the obvious candidates) or Iran (who may feel that stirring up trouble is worth whatever damage happens to an ally, especially when there is someone obvious to blame it on) or some other party.  Several possibilities exist.

[David Hess]

Ringway Manchester mentions how the pagers were sourced:

[Andy Chee]

Something in this doesn't add up.  Sure you can track cell phones.  But knowing which phone to track when almost every man, woman and child has one is a much deeper problem.  Same principal applies to pagers, and now walkie talkies based on the latest news.

Some background context might be needed.

In July, a couple Hezbollah leaders were assassinated.  The news headliner was that one killed in Iran by rocket landing in his bedroom, but days before, a leader in Lebanon was also killed in the same manner.

In both cases, the fear from the leadership hierarchy was that cell phones providing tracking information, hence the general notice to all Hezbollah members ditch cell phones and switch to pagers.

This mass equipment transition was ripe for a supply chain attack.  But can such a supply chain attack be mobilised within 4-5 weeks?  Perhaps it was only possible due to the obscure use of outdated pagers.

[EEVblog]

Ringway Manchester mentions how the pagers were sourced:

The image at 5:45 of an ICOM handheld radio ripped apart indicates an explosion. You don't get that sort of damage from an overheated lithium battery.

[EEVblog]

In both cases, the fear from the leadership hierarchy was that cell phones providing tracking information, hence the general notice to all Hezbollah members ditch cell phones and switch to pagers. This mass equipment transition was ripe for a supply chain attack.  But can such a supply chain attack be mobilised within 4-5 weeks?

It can be if you had eariler planned to force them into that situation.
Seems to me that the most likely scenario is mass manufacture of batteries for various products (e.g. that ICOM radio above) with a hidden explosive inside instead of one of the cells, and a timer. You already have the battery for the timer and detonator.
No need to modify any product or hack it in harwdare or software, just a simple man-in-the-middle supply chain swap that could be performed at a rate of hundreds of units per hour. And they would pass cursorary teardown and xray inspections.

[EEVblog]

The Apollo AL924 pager uses a single AAA cell. So it's impressive if they got an explosive inside that and still had room for a cell to keep it operational.

[EEVblog]

UN explosive calculator:
https://unsaferguard.org/un-saferguard/blast-damage-estimation

10g of the reported PETN is fatal at 0.5m

[electronx]

We are talking about an effect in an area of ​​80 km diameter, definitely no local pager transmitter was used.

Moreover, you need the capcode of each device to send messages to pagers.

[tom66]

If I'm reading the spec correctly for POCSAG - it's only an 18-bit address ID.  262144 possible combinations.  At 2400 bit/s with 16 coded messages per packet (~800bits packet) you could spam every pager over the course of an hour or two with a high power transmitter.  Although if the pagers were modified, it could just be as simple as receiving a dedicated coded packet at the right time, they may well have had modified firmware.

[electronx]

If I'm reading the spec correctly for POCSAG - it's only an 18-bit address ID.  262144 possible combinations.  At 2400 bit/s with 16 coded messages per packet (~800bits packet) you could spam every pager over the course of an hour or two with a high power transmitter.  Although if the pagers were modified, it could just be as simple as receiving a dedicated coded packet at the right time, they may well have had modified firmware.

262144    I think if they used telegram it would be more private (except for the 123456 password combination)

[squadchannel]

My thoughts.
I consider it a time bomb in the form of a cylindrical cell battery.

The 18650 size would easily hold about the same amount of gunpowder as is in a bullet. It would be designed to run an RTC with a small 8-pin AVR in it and detonate at a specified time.
This would allow for some versatility, and many different things could be reworked into bombs.
Also, the battery would only need to be replaced with an explosive-filled battery.

It would also prevent the conditions for detonation from becoming inconsistent due to changes in pager settings, etc.

The modify won't even be discovered if you use the blue shrink tube sold in China.

Even if the battery capacity is reduced by half, or even if it is reduced to one day, which would have lasted for days to begin with, I will charge it when I get home. don't care.

AAA battery? hmmm..... It may be difficult.

[Andy Chee]

I think if they used telegram it would be more private

Hezbollah paranoia had been heightened by the July assassinations of Ismail Haniyeh in Iran and Fuad Shukr in Beirut (and Saleh al-Arouri in Beirut in January).

Hezbollah paranoia may have falsely attributed rocket targeting cell phone location, when in practice, cell phones may not to be directly to blame for revealing their location.  In practice, their locations could've also been revealed by an undercover human intelligence agent (i.e. James Bond 007).

Regardless of human intelligence or technology intelligence, Israel has capitalised on their paranoia.

[PA0PBZ]

If I'm reading the spec correctly for POCSAG - it's only an 18-bit address ID.  262144 possible combinations.  At 2400 bit/s with 16 coded messages per packet (~800bits packet) you could spam every pager over the course of an hour or two with a high power transmitter.  Although if the pagers were modified, it could just be as simple as receiving a dedicated coded packet at the right time, they may well have had modified firmware.

It's 18+3 bits, so 2M combinations. I don't think there was an internal timer, POCSAG has broadcast and group addressing and even if that was not the case it's easy to modify the firmware to listen to a specific address. It makes no sense to use an internal timer because you want to pick the right moment to make them go off, most sources say that they were triggered because the 'modification' was close to discovery. I guess that's also why they triggered the handhelds, better use them now while you still have it.

[tom66]

If I'm reading the spec correctly for POCSAG - it's only an 18-bit address ID.  262144 possible combinations.  At 2400 bit/s with 16 coded messages per packet (~800bits packet) you could spam every pager over the course of an hour or two with a high power transmitter.  Although if the pagers were modified, it could just be as simple as receiving a dedicated coded packet at the right time, they may well have had modified firmware.

It's 18+3 bits, so 2M combinations. I don't think there was an internal timer, POCSAG has broadcast and group addressing and even if that was not the case it's easy to modify the firmware to listen to a specific address. It makes no sense to use an internal timer because you want to pick the right moment to make them go off, most sources say that they were triggered because the 'modification' was close to discovery. I guess that's also why they triggered the handhelds, better use them now while you still have it.

The 3 bits refer to which of the N codewords in the following message to look for, as far as I understand. 

A BBC video shows the detonations were not simultaneous, though they did occur within short moments of each other:
https://www.bbc.co.uk/news/videos/cdenk2721p8o

which lends credence to the idea of spamming the ID numbers (it's quite possible a limited range was identified, or these are factory-assigned, making the problem far easier.)

[tszaboo]

Something in this doesn't add up.  Sure you can track cell phones.  But knowing which phone to track when almost every man, woman and child has one is a much deeper problem.  Same principal applies to pagers, and now walkie talkies based on the latest news.

Your funding and resources are very high when your existence as a country relies on the performance of your secret agency. You can track shipments, IMIE numbers, investigate anyone who buys ie more than 10 phones. Plus you already have a large database of the enemy combatants.

The exploding (now confirmed) walkie talkies implies some completely separate - ok, maybe using the same frequency band, or maybe the pager network again(?) receiver and trigger system. I wonder if any of the international agencies detected a high power transmission on what would normally be a band used by short range devices.

Israel has several aircrafts that can be used for Electronic Warfare. Imagine planes like the old AWACS just much more modern, with phased array radars, and radios covering every bands. It's really not rocket science to send (or receive) any signals from a neighboring country, you wouldn't even need to cross the border. And even if you need to, we are talking about countries that have 100 years between the technology of their airplanes. Lebanon has Cessna 208 listed as their best "combat aircraft", zero fighter aircrafts, not even old MIGs. There is practically nothing they can do to defend their own airspace from someone flying in and transmitting whatever they want.

[PA0PBZ]

The 3 bits refer to which of the N codewords in the following message to look for, as far as I understand. 

A BBC video shows the detonations were not simultaneous, though they did occur within short moments of each other:
https://www.bbc.co.uk/news/videos/cdenk2721p8o

which lends credence to the idea of spamming the ID numbers (it's quite possible a limited range was identified, or these are factory-assigned, making the problem far easier.)

Code: [Select]

Although the address (also referred to as a RIC - Radio Identity Code or CAP code - Channel Access Protocol code)[5] is transmitted as 18 bits the actual address is 21-bits long:
the remaining three bits are derived from which of the 8 pairs of codewords in the batch the address is sent in.
This strategy allows the receiver to turn off for a considerable percentage of the time as it only needs to listen to the pair that applies to it, thus saving a significant amount of battery power.
The detonations not being simultaneous makes sense because as far as we know it was based on increasing the temperature (of the battery) so depending on ambient temperature and other factors.