Last week, thousands of portable devices exploded across Lebanon, killing more than 30 people and wounding thousands. Will other devices be vulnerable? AI-generated/Worldcrunch

-Analysis-

BEIRUT — The shock in the streets of Lebanon and among observers around the world has not yet subsided after what happened on the afternoon of Tuesday, September 17. In an instant, more than 4,000 pagers, a mostly obsolete communication device, turned into ticking time bombs in the hands and pockets of Hezbollah members in Lebanon, killing more than 30 people and wounding thousands, including civilians and children.

The speculation surrounding the attack is still circulating at full speed, as neither Hezbollah nor Israel, nor any independent party, has confirmed or denied either of the two widespread theories explaining what happened. One theory posits that malware was planted, causing the devices to overheat simultaneously to blow up the batteries, while the other suggests that explosive charges were planted and activated remotely.


What is certain so far is that the exploding devices were part of a batch of pagers imported by Hezbollah from the Taiwanese company Golden Apollo. The company’s CEO quickly dismissed accusations of involvement, clarifying that his company did not manufacture the exploding devices. Instead, they were made by the Hungarian company BAC, based in Budapest, whose president also denied any role in the attack. The New York Times later reported that the Hungarian company, along with two other shell companies, was part of an Israeli intelligence front that had been operating for over two years.

Regardless of who planted malware or explosive charges, what happened is a supply chain attack in its most traditional definition: an attack targeting a trusted third-party supplier, in this case, Golden Apollo, which provides essential services or software for the supply chain.

While today’s most common supply chain attacks involve injecting malicious code into software to infect all its users, traditional supply chain attacks involve compromising the physical components themselves for the same purpose, which is what happened here.

Rising threat

In just the past few years, software supply chain attacks have gone from a novelty to becoming a top national security priority. According to the 2024 Verizon Data Breach Investigations Report, the use of vulnerabilities to initiate breaches increased by 180% in 2023 compared to 2022. Among these breaches, 15% involved a third party or intermediary supplier, such as software supply chains, hosting partners’ infrastructure, or data custodians.

An important detail to note is that the consequences of supply chain attacks are usually long-lasting and cannot be detected quickly, whether in terms of the technical threat or the perpetrator’s liability. For example, in October 2023, nearly three years after the infamous SolarWinds hack, which harmed more than 18,000 U.S. organizations, the U.S. Securities and Exchange Commission accused SolarWinds of misleading investors about its cybersecurity practices and risks.

This accusation came after a million settlement for a class-action lawsuit related to the breach. On the other side of the world, questions like “Have all the affected pagers exploded?” and “Are there more booby-trapped devices?” remain unanswered.

Trust in tech

What will likely be dubbed the “Pagers” attack, while not wholly unprecedented, has raised new terrifying questions for all to consider, marking a potential turning point in the public’s trust in their electronic devices. This can easily be observed in the questions people in Lebanon and Syria are asking on social media about whether they should disconnect devices such as solar power batteries and TV remotes.


On Monday, Iran’s elite Revolutionary Guards ordered all members to stop using any type of communication devices after last week’s events in Lebanon. Senior Iranian security officials told Reuters that a large-scale operation is underway by the Guards to inspect all devices, not just communication equipment.

Indeed, what is different about this supply chain attack is that it was meant not to carry out a specific act of sabotage but to execute a distributed deadly attack. Also, what is new is that the attack was state-sponsored, which will likely lead to public discussions in the coming days about controlling supply chains and the strategic independence of assets and digital sovereignty.

Global tech security

It is crucial to understand better whether the booby-trapping occurred during manufacturing by the Hungarian intermediary, during transport or at the system operator level before the devices were allocated to Hezbollah members. This will inevitably push technology manufacturers and importers to focus more on other methods along the supply chain beyond their control that could turn ordinary consumer products into lethal weapons. If the manufacturer of these devices had no desire to be involved in such a scenario, this will mean that operational security will become more challenging, leading to more complexity, costs, and reliance on “trusted” parties, which are becoming harder to define by the day.

Regardless of how the devices were tampered with, the attacks could accelerate the adoption of many policies that have already been implemented in several manufacturing countries, which advocate for producing technology domestically within the state’s borders to maintain stricter control over supply chain security, whether it’s smartphones, drones, social media applications, or anything else. The largest example of this is the CHIPS Act, a federal law passed by the U.S. Congress and signed by President Joe Biden, which allocates 0 billion to fund domestic research and manufacturing of semiconductors in the U.S. to “strengthen U.S. supply chain resilience” within the broader context of the tech cold war with China.

This policy has its roots in the tenure of former president and current candidate Donald Trump, with his war against the Chinese tech giant Huawei, which he blacklisted, as he threatened to punish anyone using its infrastructure at any stage of U.S. product manufacturing. In the European Union, trade barriers are gradually being erected, and foreign companies are being asked to manufacture their goods supplied to the EU within its borders, including U.S. tech giants, who are facing pressures and demands to build more European data centers.

Lebanese army explosives experts work on preparing the site to explode a walkie-talkie that they found discarded a day after several devices exploded killing pro-Iranian Hezbollah militants. – Stringer/ZUMA

Digital decoupling

The explosion of the pagers among Hezbollah members and Iranian diplomats will no doubt accelerate a years-long trend among U.S. rivals to decouple from global technology. The most famous example is China, which, since 1990, has controlled the flow of information between global cyberspace and local cyberspace through its “Great Firewall,” controlling local access to the web by restricting access to specific foreign sites.


Russia and Iran took notes from China and went a step further, creating internal local networks that can be cut off from the global internet if necessary.

Iran’s National Information Network is now fully operational, and the country is trying to force internet users to create Iranian websites and competitors to Western apps on Iran’s local internet rather than the global web. Russia has done the same through its “sovereign internet” law, signed by Putin in 2019, and its own internet, Runet, which Russia has used to mitigate the impact of being cut off from global systems following its 2022 invasion of Ukraine.

New security protocols

After witnessing what happened in Lebanon, it is expected that we will see a comprehensive reassessment that will push companies, especially tech manufacturers, to tighten their supply chain security protocols. This situation is unprecedented in its scope, though familiar in its concept, and it is likely that many have not previously taken the security of their cross-border production processes seriously. This is especially true for medium-sized companies, which lack the budget to fully prepare for such threats.

It doesn’t stop at companies, as the incident has also had an impact on public sentiment, fueled by calls on social media and some media outlets in the Middle East to abandon everything “Western,” from phones to devices and equipment. The “Pagers” attacks have begun to change public perceptions of personal electronic devices, transforming them from seemingly personal devices meant for human convenience into ones carrying the potential for mass destruction. This undermines the diligent efforts of major companies to reassure their customers that their devices are truly safe.

The final point relates to global security. Before the September 17 attack, the idea of using personal devices to eliminate a pre-selected group of individuals was not part of the global zeitgeist. Israel has now made that possibility real. If the narrative that the devices were booby-trapped with explosives before arriving in Lebanon is true, this means that they passed through inspection at at least two airports unnoticed. Such a seemingly banal security oversight, in the face of an attack that nobody could have predicted, sounds a bit like what the world witnessed in the Sep. 11 attacks more than two decades ago.
