Explosions of Hezbollah pagers, two-way radios increase supply-chain scrutiny
Last week’s unprecedented explosions of land-mobile-radio (LMR) handsets and pagers used by Hezbollah personnel in Lebanon have many in the critical-communications industry expecting increased scrutiny of supply-chain security for all forms of devices.
On Sept. 17, thousands of pagers that were intended to be used by Hezbollah personnel exploded at the same time in the middle of the afternoon Lebanon time. A day later, hundreds of portable radios being used by Hezbollah members also exploded. Combined, the attacks have resulted in more than 40 deaths and more than 3,000 injured, according to numerous media reports.
Multiple news reports have attributed the device explosions to Israel, but Israeli officials have not claimed responsibility for the attacks.
In the cases of both the pagers and the two-way radios, the supposed manufacturers—Taiwanese firm Gold Apollo for the pagers and Icom for the LMR portables—have indicated they did not make the exploding devices. Icom noted that it discontinued the IC-V82—the model designation on many of the handheld radios that exploded, based on an exploded outside shell—about a decade ago.
“We believe that the possibility that the radio that exploded was an Icom product is extremely low,” Icom said in a statement released last week, citing the lack of a hologram sticker and the lack of normal tracking information for the devices.
But Icom noted the potential implications of the LMR explosions on the industry, regardless of the entity that manufactured the product.
“We are saddened that radios/communication devices, which should be a tool for ensuring safety and peace of mind, have been used in this way, regardless of whether they are manufactured by our company or not,” according to Icom’s statement. “We are also unable to suppress our deep disappointment that there has been a loss in confidence in two-way radios in general.
“As a company that aims to create a safe and prosperous society through advanced communication, we will continue to work to ensure that we can supply products that can be used with peace of mind to the market.”
Supply chains under a microscope
Exactly how the Hezbollah pagers and two-way radios were transformed into explosive devices has been the subject of considerable speculation during the past week. However, industry sources and analysts seem to agree that (1) the scheme required significant intelligence of Hezbollah procurement and operational processes, and (2) the perpetrator interrupted the supply chain of the devices in some way to rig them in a manner that would allow them to be detonated remotely.
Supply chains have been the focus of increased attention during the past five years, notably since the global pandemic wreaked havoc on the ability of companies to secure key parts for products—particularly chips for many LMR products.
In addition, there has been significant scrutiny of software supply chains, causing organizations of all kinds to scramble to collect a “software bill of materials” on all solutions, so they can be better aware of potential issues when seemingly inevitable “zero-day” vulnerabilities are exposed.
But the explosion of the Hezbollah pagers and LMR handsets could result in supply-chain scrutiny being taken to a new level, according to Ildefonso de la Cruz, principal analyst of industrial and government critical communications at Omdia (an Informa Tech company).
“The recent events in Lebanon have tragically underscored the vital importance of a secure supply chain,” de la Cruz said in a prepared statement provided to IWCE’s Urgent Communications. “The explosions of these allegedly tampered critical communications devices have exposed a very real vulnerability that can—like in this case—cost lives and other dire consequences.”
CritComm Insights Principal Analyst Ken Rehbehn agreed.
“Supply chain is an issue, and this points out some of the fragilities of the supply chain,” Rehbehn said during an interview with IWCE’s Urgent Communications. “When you have transport of material from one part of the world to another, there’s an opportunity for mischief. The mechanisms, processes and seals that are needed to detect and mitigate [material tampering] are an important part of your supply chain.
“This episode points to an evolving risk landscape.”
BK Technologies President and CEO John Suzuki outlined the challenge for manufacturers.
“You have to be able to secure the product, from the components, through manufacturing, and through distribution to the end customer—that whole chain of custody of the radio,” Suzuki said during an interview with IWCE’s Urgent Communications. “[This is needed] to ensure that no one can inject malware into the product or—in this case in Lebanon—it looks like they put some explosive material inside the radio.
“So, the whole chain of custody—from components, through manufacturing and through distribution to the end customer—[requires that] you have to have a system in place that ensures that the products haven’t been tampered with.”
Safeguards to prevent tampering
Suzuki said BK Technologies takes several precautions in an effort to secure the supply chain for its two-way radios, which now are manufactured by East West Manufacturing.
“We have a BK employee that’s in the main production facility in Juarez, Mexico,” Suzuki said. “We do have accessories that come from other plants where we don’t have [an employee on site], but for the radios, we do have a BK employee there. That plant is a secure environment where we produce our radios. It’s not a shared line with other products; it’s only BK products, and it’s in a secure area. So, those products come off the line, they get packed, they get sealed, and then they get shipped to us.
“Once it leaves the plant, those products are all sealed with a tamper-proof seal. We know that, if we receive it and the seal’s broken, then the products are suspect. We use tamper-proof seals throughout the chain of custody when we move products, right to the end customer.”
To date, BK Technologies has not encountered an issue, but Suzuki outlined what the company plans to do, if the situation arises.
“If we did have a breach in that security, we’d quarantine the product, and then we’d have to inspect it—both from a cybersecurity standpoint, as well as looking to see if the radios had been opened and if anything had been changed on the product,” Suzuki said.
Tait Communications takes similar measures to secure its LMR supply chain, which is compressed by the fact that its factory and key departments are all located at its global headquarters in Christchurch, New Zealand.
“Tait Communications’ supply chains—from our suppliers through to our customers—are secure and prevent any potential tampering of our products,” according to a Tait statement provided to IWCE’s Urgent Communications. “We exclusively work with approved suppliers, and our freight forwarding network is carefully selected to ensure that all partners adhere to the internationally adopted standards and practices for preventing unlawful interference. This includes compliance with internationally recognized procedures for safe and secure cross-border movements.
“Our shipments are tracked and monitored by certified partners who are members of regulatory bodies … Furthermore, we maintain full control of Tait-owned secure manufacturing and storage facilities worldwide.”
Tait Communications also states that it abides by international counterterrorism obligations, “including not making property or financial services available to designated terrorist entities.”
One thing that Tait, Icom and BK Technologies all emphasized is the need for purchasers to buy products only from the companies’ authorized distributors to ensure that the supply chain has been secure throughout the life of the product, although some sources acknowledged that may not be practical for an organization like Hezbollah.
“All of the radios we manufacture are assigned a serial number,” Icom said in its latest statement on the matter. “When we receive an order from an overseas authorized distributor, the product is shipped from our manufacturing subsidiary, Wakayama Icom Co., Ltd. The products are delivered to the authorized distributors by a forwarder (a company that handles the transportation of goods). We keep track of all the information related to the transportation companies involved in this process, including the means and routes used, by linking it to the serial numbers.
“In addition, it is not confirmed which serial number product will be sold to which end user until the time of sale. Therefore, it can be considered that it is virtually impossible to target radio equipment used by a specific end user in the distribution channel to our authorized distributors.”
Is this the Stuxnet for hardware attacks?
Citing the unprecedented nature of the scheme to make Hezbollah pagers and two-way radios explode, several sources interviewed by IWCE’s Urgent Communications for this article offered a software parallel: the Stuxnet computer worm that was deployed to undermine Iran’s nuclear-development program.
Cyberattacks certainly existed before Stuxnet, but this attack on the Iranian nuclear program generally is recognized as the first cyberweapon that demonstrated the impact that cyberattacks could have on the physical world. Many observers have since cited the Stuxnet deployment as the incident that caused several nation-states to concentrate their destructive efforts in the cyber arena.
Could the exploding Hezbollah devices establish a similar precedent for attacks in the physical space? BK Technologies’ Suzuki said he believes it is a question that many decision makers throughout the world are pondering.
“I can assure you that is the case. This was a huge move,” Suzuki said. “Whoever did this, it was intentional and had great knowledge [of Hezbollah’s supply chain]—it was a sophisticated attack.
“And it’s very scary, because people use handheld electronics across the board. I think you’ll see governments taking this a lot more seriously to ensure that chain of custody of products as they move through the supply chain, from components right to the end customer.”
Rehbehn echoed the sentiment that the explosion of Hezbollah devices could set a Stuxnet-like attack precedent within the hardware realm.
“I totally believe that,” Rehbehn said. “Because it shows that, if you have mass-produced equipment and you ship it around the world, if somebody applies what we would call a man-in-the-middle attack on the shipment, then modifies the shipment and carefully repackages it—so it looks identical—you’re at risk.
“I think it’s a complex operation to execute, but it certainly points out that this can be done.”
While the events in Lebanon demonstrate that it can be done, Rehbehn said he believes the complexity associated with rigging the Hezbollah devices to explode may be so great that the tactic cannot be duplicated easily, unlike the deployment of malware that has been at the heart of many cyberattacks during the past decade.
“I think it would require significant intelligence assets inside the organizations that are at the heart of the supply chain—for instance, the integrator that has created a component and is shipping it, [like] a handset, a pager—or the dealer channel,” Rehbehn said. “Whatever organization that controls—or has eyes on—who gets what from the factory, that intelligence allows the interception and mutation of the products to occur. This is a difficult intelligence insertion point.
“This [scheme to explode Hezbollah pagers and two-way radios takes] an unbelievable level of sophistication and intelligence prowess.”