A Corporate security view of the Pager Attack on Hezbollah
A case for threat modelling beyond VAPT - Parvez Diwan

On September 17, 2024, a series of coordinated explosions reportedly rocked Lebanon and Syria, killing members of Hezbollah, an Iranian-backed militant group. The attack, which allegedly killed at least nine people and injured nearly 3,000, was said to have been carried out with a novel and sophisticated technique: exploding pagers. This incident highlights the potential threats that electronic devices pose and underscores why legacy threat management practices such as Vulnerability Assessment and Penetration Testing (VAPT) for applications must be modernised.

Industry conversations indicate that Internet of Things (IoT) security and red teaming are often considered too advanced, while even basic social engineering techniques are not fully explored. Many organisations rely solely on the basic compliance requirement for VAPT. There's a common assumption that threats primarily originate from Internet-connected devices. However, we must recognise that threat modelling is not limited to the Internet, computers, or even mobile phones.

Mechanism of the Alleged Attack

According to reports, Israel's Mossad spy agency allegedly planted explosives inside 5,000 pagers imported by Hezbollah months before the attack. A Lebanese security source claimed the pagers were from Taiwan-based Gold Apollo, which stated that the AR-924 model was produced and sold by BAC. Gold Apollo reportedly said, "We only provide brand trademark authorization and have no involvement in the design or manufacturing of this product."

It's alleged that Mossad injected a board inside the devices containing explosive material that could receive a detonation code. This modification was reportedly very difficult to detect through any means, even with specialised devices or scanners.

Note: For critical public services, supply chain compromise should be a part of threat modelling.

While some speculated that the lithium batteries were designed to explode, they would not have caused the extensive damage reported. Two AAA batteries could not explode with the force and scale described. More likely, explosives like PETN were embedded within the pagers and triggered by a remote signal. This would require minimal modifications to the device, as pagers already contain several components typical of explosive devices, such as a battery and a container.

It's important to note that this would not be classified as a cyberattack or hacking attack in the traditional sense, as the explosive material inside the pager would have no connection to the Internet or mobile phone networks. However, the biggest vulnerability of a pager signal was exploited: a message sent to one could potentially trigger all pagers across all service areas, causing widespread damage.

Implications for infrastructure security, not limited to cyber security

This alleged incident underscores the importance of comprehensive cybersecurity practices and highlights potential vulnerabilities in communication networks, even those using seemingly outdated technologies like pagers. As technology continues to advance, the risk of cyber-physical attacks targeting critical infrastructure and military assets will likely increase.

This event also supports the argument that threat modelling is now a clear requirement for critical services, rather than relying on simple VAPT. Most organisations, especially in banking and financial services, have traditionally tested threats through technology and in silos. However, this approach fails to evaluate the entire threat landscape.

Security beyond VAPT

Threat modelling offers a more comprehensive approach to cybersecurity than traditional VAPT alone. By systematically identifying potential threats and vulnerabilities across an organisation's entire attack surface, threat modelling enables proactive risk mitigation strategies. Red teaming exercises further enhance security by simulating real-world attacks, uncovering blind spots that VAPT might miss.

As the IoT expands, it introduces new attack vectors that must be carefully considered in the threat modelling process. Perhaps most critically, social engineering vulnerabilities often receive insufficient attention despite being a primary vector for breaches. Human factors play a crucial role in security, yet many organisations focus solely on technical controls.

While some organisations have begun to embrace red teaming, threat modelling provides an even more comprehensive approach. Even threat hunting, which uses a reactive methodology, serves a different purpose and should be used in conjunction with proactive measures.

Urgency and conclusion

Public utility services urgently need to understand and address these evolving threats. This includes hospitals, water supply systems, electrical grids, and especially airports and public transport hubs.

A holistic approach incorporating threat modelling, red teaming, IoT security, and robust social engineering defences provides a more resilient security posture than relying on VAPT in isolation. By adopting these comprehensive strategies, organisations can better protect themselves against sophisticated attacks that may exploit unexpected vulnerabilities.


Zaid Khan

Business Development Executive | Sales & Strategy | Matrix3D

5 months

Very informative
