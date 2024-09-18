Lebanon is reeling from Israel's deadly attacks that saw handheld radios detonate on Wednesday and thousands of pagers simultaneously detonate to <a href="https://www.thenationalnews.com/news/mena/2024/09/18/pager-explosions-lebanon/" target="_blank">kill twelve people including two children, and injure nearly 3,000 </a>the day before. In the aftermath, concern grows on whether consumer electronics can be a means to inflict physical harm on unsuspecting individuals. The short answer is, yes, it can be done – but the methods on how to actually do this are more complex and not easy to do. Without physical contact with the device, it is difficult to access the firmware – the software that impacts the hardware – needed to manipulate physical components such as a battery to let it overheat and possibly ignite. This is why perpetrators resort to wirelessly or remotely accessing them in most cases to carry out potentially damaging activities. Pagers, devices that can receive alphanumeric messages, were popular in the 1990s. While official verification about whether Israeli officials accessed Hezbollah pagers physically or accessed them en masse remotely is yet to be confirmed, Tuesday's attack shows that perpetrators are skilled enough to tap into older technology. This raises questions about how much more damage can be done, particularly with higher powered modern equipment. Today, devices from popular ones such as laptops to unassuming ones like thermostats – anything using battery or heating – can be hacked remotely. Printers, in particular, can have their ink heated enough to burn the paper in them, while compromised auto systems can disable components such as brakes. <a href="https://www.thenationalnews.com/business/technology/2021/07/27/cyber-criminals-will-weaponise-operational-technology-environments-to-harm-humans-by-2025/" target="_blank">Gartner in 2021 had warned</a> that cyber criminals would weaponise operational technology environments to harm or kill humans in the next four years. “In all these devices, there's a tiny, little computer there … [pagers] are kind of slow, but they're still computers,” Robert Graham, chief executive of Atlanta-based cyber security company Errata Security, told <i>The National</i>. “So whoever intercepted these would likely write their own software, change the software and put that on the devices, so that they would operate the same,”<mark class="hl_yellow"> </mark>he added. Except now they can be activated to do something malicious. It is very difficult to remotely reprogramme the physical hardware of a battery to overheat to dangerous enough levels to cause an explosion, Mr Graham explained. A phone battery would need to be fully charged to have any detrimental effect if triggered. It is accepted that tech devices, when hacked in certain ways, can potentially cause physical harm – but there are several factors that need to be fulfilled in order for this to happen. Smartphones, the most used and important consumer electronic device, is obviously a candidate for an attack. The good news is that they may be a costly option for attackers thanks to more stringent measures taken by their makers. Advanced technology has also contributed to preventing this, particularly within the top tier of smartphones from Apple and Google. Apps on devices from Samsung Electronics and Huawei Technologies “are known to often have a lot more bugs” compared to the previous two, Mr Graham said. “First part is getting into the phones and the second part is then, once you're in there, to do something bad for the battery … an Android [mobile] or iPhone these days. It's more practical for a lot of other devices,” he added. Mohamed Belarbi, chief executive of Abu Dhabi-based cyber security firm Cypherleak, agrees: the cost of hacking into a well-manufactured and secured device could command astronomical amounts. “Specialisation comes into the understanding the complexity of the software … when it comes to firmware, you need a lot of technical background and skills, because we're talking about Internet of Things cyber security,” he told <i>The National</i>. You'd have to be “able to bypass the security safeguards that are built in by the manufacturers … we've seen this before where the cost of hacking into an Apple iPhone could cost millions of dollars – now imagine multiplying that to access something as critical and as dangerous as blowing up a pager or blowing up a turbine?” Yet for less protected or more flawed systems, everyday items can be used to hack into your devices. There's the humble data and power cable that can be bought on any e-commerce site such as Amazon, the most popular of which today is USB-C: a simple connection has the ability to severely compromise a device. “These things are becoming so sophisticated that today you can buy off on the internet a USB-C cable that has a little computer embedded in the head of the of the cable,” Mr Belarbi said. This device can manipulate the physical components of technology to a desired, and in many cases malicious, effect. <a href="https://www.thenationalnews.com/business/technology/2023/04/11/fbi-warns-against-using-public-charging-stations-due-to-malware-and-juice-jacking-risk/" target="_blank">The FBI last year warned against the use of public charging points</a> for electronic devices, saying they can be a gateway for cyber criminals. Charging stations have become ubiquitous in public spaces, including malls, hotels, restaurants and parks, providing users a convenient way to power up their devices. However, the practice has paved the way for what is called “juice jacking”, which simply means using a USB connection to compromise a device. “The moment you start using it to charge, the hacker is able to access your phone and to gather data from your phone. And this is quite common,” Mr Belarbi added. Where technology is manufactured and who is involved in the supply chain factors in to the risk, particularly in today's more globalised environment. For example, a lot of devices and their components are sourced from China, which means then there's always a chance that the state or its actors might intervene, similar to the US government's backdoor access to online platforms, he said. “I think it's just an inherent risk that we have to live with and determine, what are we comfortable with and what are we not comfortable with.” Another element that has come up is why an attack similar to the one carried out in Lebanon was, or has not been, used in Gaza. The answer is because a lot of the technology in Gaza is locally made, so it is closed; as such, its internet and communication networks can communicate among themselves. “They're able to communicate without interference from outside operators or actors,” Mr Belarbi said. Unlike in the case of Israel's attack on Hezbollah, where radio waves could have been used to cause temporary interference. “So you always see … the benefit, pros and cons of having your own technology. Yes, in terms of maturity and advancement, it might not catch up with whatever is out there commercially, but it definitely allows you to avoid a lot of the issues associated with technology tampering.” Two elements come to mind when protecting yourself for such an attack: one is personal and behaviour one can practice, such as securing devices against hacking. The other, trickier part is ascertaining where the devices one uses comes from. “There's nothing you can do if a phone or device has been tampered with at the manufacturer or supply chain level before it reaches you. Because even if you open an iPhone or a Samsung, you wouldn't be able to tell which components have been tampered with if there's something to be implemented,” Mr Belarbi said. The even better news is that companies, especially the biggest ones, ensure a strict ecosystem in the components of their devices – but not all firms are built equally. “We have companies that are ahead of the curve – Apple and Google – and [others] are behind the curve, who do the same stupid thing how hackers find how to exploit and take advantage of,” Mr Graham said. “Most electronic devices are behind the curve, and we can probably find the bug pretty easily, whereas Apple and Android are very, very tough.” But the Lebanon incident also goes beyond being a wake-up call – it's a “stark reminder that our approach to supply chain security needs a complete overhaul”, Andreas Hassellof, chief executive of Dubai-based technology company Ombori, told <i>The National</i>. “We're facing a new breed of threats that blur the lines between digital and physical vulnerabilities,” he said, noting the previous advanced supply chain attacks on SolarWinds, NotPetya and SuperMicro. “The message is clear: adapt or become a target. Organisations clinging to outdated security models aren't just falling behind – they're inviting disaster.”