Deadly device explosions in Lebanon mean supply chain may have been compromised

The detonation of hundreds of electronic devices used by members of Hezbollah is the result of potentially a years long intelligence operation that likely required the infiltration of the manufacturing supply chain and access to the pagers, security experts say.

"Tactically and operationally … along with the level of sophistication, tradescraft and professionalism involved — it's unbelievable," said Assaf Orion, a retired Israeli brigadier general and defence strategist.

On Tuesday, at least 12 people were killed, including two children, with some 2,800 people wounded when hundreds of pagers used by Hezbollah members began detonating wherever they happened to be — in homes, cars, at grocery stores and in cafes. The following day, in a second wave of attacks, at least 20 people were killed and 450 were wounded when walkie-talkies and solar equipment used by Hezbollah exploded in Beirut and multiple parts of Lebanon.

Although Israel has neither confirmed or denied its involvement, its widely believed that intelligence officials from the country were responsible for the attacks.

In the first wave of bombings, it appeared that small amounts of explosives had been hidden in thousands of pagers used by Hezbollah, which were then remotely detonated. That has led security experts to speculate that intelligence officials were able to compromise the supply chain and gain access to the pagers. 

In the world of electronics and computers, there are a lot of players involved in the supply chain, according to Oleg Brodt, head of R&D and Innovation for the Cybersecurity Research Center at Ben-Gurion University in Israel. Those would include the hardware manufacturers, software manufacturers and different parts coming from different places.

"You have the battery coming from one factory, you have the chipset coming from another and the other chips and the modems come in from elsewhere," Brodt said.

Eventually, he said, everything is being assembled at the final factory, which may also manufacture some of the components of the device.

"We can look at every stage of the chain and think about who can get compromised."

But experts suggest it's difficult to determine where exactly the supply chain was compromised as there are a number of potential points of entry.

"It depends on the capability of the actor," Brodt said, noting that if they gained access to the battery factory, for example, they could, theoretically, replace the batteries with ones containing explosives. 

"It really depends on the channels that those actors already have to some parts of the supply chain."

But at some point in the chain, he said, intelligence officials would need to compromise it in a way that would allow them to insert an explosive material into the device along with some sort of software that would act as the trigger.

The software could be something preprogrammed before it gets to the user, said Josep Jornet, a professor of electrical and computer engineering at Northeastern University and the associate director of the school's Institute for the Wireless Internet of Things.