Beepers and walkie-talkies via mobile phones

Electronic pagers across Lebanon exploded simultaneously on September 17, 2024, killing 12 and wounding more than 2,700. The following day, another wave of explosions struck the country, caused by the detonation of walkie-talkies. The attacks appeared to target members of the militant group Hezbollah.

The pager attack involved explosives planted in communications equipment by Israeli agents, U.S. officials cited by The New York Times said. Hezbollah had recently ordered a shipment of pagers, the report said.

Covertly attacking the supply chain is not a new technique in intelligence and military operations. For example, the U.S. National Security Agency has intercepted computer hardware destined for foreign customers, implanted malware or other surveillance tools in it, and then repackaged it for delivery to specific foreign buyers, an internal NSA document from 2010 showed. This is different from gaining access to a specific person’s device, as when Israel’s Shin Bet covertly planted explosives in a cellphone to remotely kill a Hamas bombmaker in 1996.

Hezbollah, a longtime adversary of Israel, has increasingly used pagers since the Hamas attack on Israel on October 7, 2023. By switching to relatively low-tech communications equipment such as pagers and walkie-talkies, Hezbollah apparently wanted to gain an advantage over Israel’s well-known sophistication in tracking targets via its phones.

Mobile phones: the ultimate tracker

As a former cybersecurity professional and current security researcher, I see mobile devices as the ultimate tracking tool for both government and commercial entities, in addition to users, criminals, and the mobile phone carrier itself. As a result, mobile phone tracking has contributed to the fight against terrorism, located missing people, and helped solve crimes.

Conversely, cell phone tracking makes it easy for anyone to record a person’s most intimate movements. This can be done for legitimate purposes, such as parents tracking the movements of children, helping you find your car in a parking lot, and commercial advertising, or for darker purposes, such as remotely spying on a suspected lover or following political activists and journalists. Even the U.S. military remains concerned about how its soldiers could be tracked through their phones.

Mobile device tracking is accomplished in a number of ways. First, there is the network location data generated by the phone as it moves past local cell towers or Stingray devices, which law enforcement agencies use to mimic cell towers. Then there are features built into the phone’s operating system or enabled by downloaded apps that can lead to very detailed user tracking, which users unknowingly consent to by ignoring the software’s privacy policy or terms of service.

This collected data is sometimes sold to governments or other companies for additional data mining and user profiling. And modern smartphones also have built-in Bluetooth, Wi-Fi, and GPS capabilities that can help locate and track user movements around the world, both from the ground and via satellites.

Mobile devices can be tracked in real or near real time. Common technical methods include traditional radio direction finding techniques, using intelligence satellites or drones, deploying “man in the middle” tools such as Stingrays to impersonate cell towers to intercept and isolate device traffic, or installing malware such as Pegasus, created by Israeli cyberweapons company NSO, to report a device’s location.

Non-technical and slower techniques of user tracking may involve identifying general user locations based on their internet activity. This can be done through website logs or the metadata in content posted on social media, or by contracting with data brokers to receive aggregated location data from the apps a user may install on their device.

Because of these vulnerabilities, Hezbollah’s leader earlier this year advised his members not to use cell phones in their operations, noting that Israel’s “surveillance devices are in your pockets. If you’re looking for the Israeli agent, look at the phone in your hands and those of your wives and children.”

Researchers have shown how these features, often intended for the convenience of the user, can be used by governments, corporations and criminals to track people in their daily lives and even predict their movements. Many people are still unaware of how much their mobile devices reveal about them.

Unlike cell phones, pagers can be more difficult to track depending on whether they support two-way communication.

Why low-tech?

A pager that only receives messages does not emit a signal that could facilitate the tracing of its owner. Therefore, Hezbollah’s use of pagers likely made it more difficult to trace its operatives – which motivated the alleged Israeli intelligence attack on Hezbollah’s pager supply chain.

By using low-tech tactics and personal couriers, and avoiding cell phones and digital tools, the technologically superior Western intelligence services struggled to locate Osama bin Laden for years after the September 11 attacks.

In general, I believe that in an asymmetric conflict, the adversary will almost always be able to operate successfully against a stronger and better-financed adversary using low-tech techniques, tactics and technology.

A well-documented demonstration of this asymmetry in action was the U.S. Army’s 2002 Millennium Challenge war game. Among other things, the insurgent Red forces, led by Marine General Paul Van Riper, used low-tech tactics, including motorcycle messengers instead of cell phones, to evade the Blue forces’ high-tech surveillance. In the first run of the exercise, the Red team won the competition in 24 hours, forcing the exercise planners to controversially reset and update the scenario to ensure a Blue team victory.

Lessons for everyone

The fact that terrorist organizations like Hezbollah and al-Qaeda prefer not to use smartphones reminds everyone that you can be tracked in all kinds of ways and for all kinds of purposes, and that there is a good chance that you are actually being tracked.

Israel’s alleged response to Hezbollah’s actions also holds a lesson for everyone. From a cybersecurity perspective, it shows that every device in your life can be manipulated by an adversary at points along its supply chain – long before you even receive it.

Richard Forno, associate professor of computer science and electrical engineering, University of Maryland, Baltimore County

This article is republished from The Conversation under a Creative Commons license. Read the original article.