What does AR-924 pager tampering tell us about the tech supply chain?

How thousands of pagers reportedly used by Hezbollah members in Lebanon were infiltrated and wired to explode has baffled cybersecurity and supply chain experts.

The pagers exploded nearly simultaneously on Tuesday in Lebanon and Syria, killing at least 12 people, including two children, and wounding around 2,800. Hezbollah and the Lebanese government blamed Israel.

The AR-924 pagers were manufactured by BAC Consulting KFT, based in the Hungarian capital of Budapest, according to a statement released by Gold Apollo, a Taiwanese firm that authorised the use of its brand on the pagers.

An American official said Israel briefed the United States on Tuesday after the attack, in which small amounts of explosives hidden in the pagers were detonated, says AP.

But how and when they were planted remains a mystery.

Tampering with an electronic gadget is a “highly complex” operation, says Lukasz Olejnik, an independent cybersecurity and privacy consultant.

“Implanting explosives into small electronic devices like pagers requires significant technical skill, as well as access to the devices during production or delivery,” he tells TRT World.

“It involves not only inserting the explosives but also developing a reliable detonation mechanism, all without compromising the device’s normal functioning or arousing suspicion. The material must also be stable, light, and explode violently.”

Hezbollah had brought in the pagers just months ago. A relatively outdated technology, the pager device is more secure than cellular phones, which can be easily tracked.

It remains unclear whether the pagers were brought in via sea or air freight into Lebanon.

Initially, some experts had suggested that an Israeli operation involved a sophisticated cyberattack. But now, as more information has come out, tech specialists believe it can’t be a simple case of software manipulation that leads hardware to explode.

“There’s no evidence that suggests hacking played a significant role in triggering the explosions. Nothing points to that, as simple as that,” says Olejnik.

Explosions caused by a cyberattack couldn’t have been as reliable or repeatable as witnessed in the case of the Lebanon attack, he says.

“Instead, what we know is that the devices set off reliably. This suggests that the devices were likely pre-planted with explosives and triggered through other means, such as a paging signal,” says Olejnik, who is also a Senior Research Fellow at the Department of War Studies of King’s College London.

“While a cyber operation element might have been involved in some minor manner or activation, the physical presence of explosives points to a supply chain compromise rather than a pure cyberattack.”

The AR-924 model pagers work on rechargeable lithium batteries. Even though the lithium batteries can ignite, they alone cannot cause the damage seen in Lebanon.

Videos and reports suggest that pagers exploded after heating up - people were killed and left injured while they were busy buying groceries or working in offices.

Lebanon’s health ministry says healthcare workers and two children were among those killed.

The explosion of pagers has put a spotlight on the vulnerability of modern supply chains as makers of electronic gadgets source components from around the world before they are assembled and shipped via a complex operation.

“The explosives could have been planted at any point in the supply chain—during manufacturing, assembly, or even after the devices were delivered,” says Olejnik.

“However, recent acquisitions suggest the compromise might have occurred during production or distribution, where access to the internal components would have been possible.”

The attack comes at a time when wealthy nations, including the US, Germany and Japan, are working to onshore production of high-tech equipment, including semiconductors.

The global shutdowns during the Covid-19 pandemic exposed companies to vulnerabilities in the supply chains as components for modern products come from different countries.

Low-income and developing countries would continue to rely on imports for things like smartphones, computers and electric vehicles.

But Olejnik says not everyone should be worried about what happened in Lebanon.

“This looks like an unprecedented and well-resourced operation. It’s a one-off event.”