MG, Sep 17: 24 tweets, 7 min read
The exploding Hezbollah pagers situation is an incredibly impressive supply chain attack by Israel (most likely). I am sure more details will come, but there are already some educated guesses to be made that narrow it down.

🧵1/n
First, with over 1000 instances being reported, this is likely supply chain as opposed to a few modified devices. Done either during shipment and/or at the factory.
🧵2/n
2nd, the explosions are substantial. Probably a high explosive like RDX or PETN. I am guessing the explosive was integrated into the battery for physical stealth. But, unlike Israel, I don’t know if Hezbollah checks their internals for it to matter.

🧵3/n
But it’s not like you can modify the battery & be done. The explosive needs a trigger. In this video, just before explosion, you see the target looking down as if they just received a message. ~4sec later it explodes.

🧵4/n
That requires electronics to filter for that exact message, then trigger the detonator. Could be modified firmware, but you still need to get the electrical signal to the detonator. Some level of extra wiring/components is needed. For 1000+ units, it feels like a whole custom PCB.
🧵5/n
If all these things were added to off-the-shelf pagers, it would have taken a lot of time. They’d have to produce solid clones in advance & swap a large shipment out in transit to not introduce a noticeable delay. Considering the scale, I suspect this is NOT how it was done.
🧵6/n
More likely is they had cooperation/control of the actual factory building these and introduced custom internals built from the ground up.
I guess we will just have to wait. There will be plenty of info to come.
🧵7/n
Speaking of info to come: Pager networks broadcast every single message across the service area. A $10 SDR with computer can pick up every pager message near you. So someone has to know what the exact trigger message was by now. But I haven’t seen it yet.

🧵8/n
There’s lots of talk about this being done fully remotely by exploding the lithium battery in the suspected AR-924 pager.

A high explosives expert can correct me, but this is NOT what lithium looks like 2 frames into an explosion. Let alone the bodily damage happening.
🧵9/n
“are there devices that didn’t detonate?” is a great question & it touches on why Hezbollah was even using pagers.

Ignoring malfunctions, the 2 conditions under which this would occur: the pager was powered off/out of battery, or the pager was out of signal range.

So…
🧵10/n
Sure, the first could have been mitigated in the custom build by faking power off. But let’s focus on how pager networks work.

One of the reasons Hezbollah saw pagers as “more secure” than cellphones is that they are receive only. They don’t ping the towers the way phones do, which is what makes phones easy to track.
🧵11/n
But this is why a single pager message destined for one device is broadcast across the entire coverage area. The network doesn’t know where the pager is, nor if the pager even received the message!

If the pager isn’t able to receive the message when transmitted, it’s lost.

🧵12/n
But that’s also why it’s unlikely anyone turned their pagers off intentionally. The messages aren’t queued up waiting for the pager to come up.

So most likely it’s just pagers that were out of signal range or detonation malfunctioned. So maybe we will see a teardown!
🧵13/n
To address @Laughing_Mantis’s other question: the fact that this SEEMS highly targeted to Hezbollah & appeared to be a commercial pager suggests the ability to control where these exact units were delivered, a delivery swap, or an on-site swap.
🧵14/n
@Laughing_Mantis Israel has been using high explosives inside of personal devices, especially comms devices, for over 40 years. But usually only 1 device, or a small handful.

What’s notable is the supply chain control here. Something Israel has also previously demonstrated (Stuxnet).
🧵15/n
@Laughing_Mantis More commentary on the view that these are not lithium explosions:
🧵16/n
@Laughing_Mantis I’m choosing the most likely guess for the electrical. Stuff like the below is possible, but fabbing a new PCB is cheaper (less engineering/design time).
But as with all offensive operations, you are stitching together a seemingly random set of constraints & opportunities.
🧵17/n
@Laughing_Mantis As this has gone outside of my usual network: these are informed guesses.

My experience is in:
- covert electronics. Ex: building OMG Cable (see pinned profile post)

- lithium battery safety testing & catastrophic failure

- research into prior exploding hardware

🧵18/n
@Laughing_Mantis This feels incorrect/lacking.

“overheating” a lithium battery (how?) seems like a terrible detonator for PETN, especially something like a tiny pager battery. You need a legit primary explosive for reliable detonation on thousands of devices.

Someone correct me!
🧵19/n
Reuters now has details. Aligns well with my guesses:

5000 pagers were modified "at the production level" with “a board inside that has explosive material & receives a code”

“very hard to detect it through any means. Even with any device or scanner”

Undetected for months!

🧵20/n
reuters.com/world/middle-e…
Looks like the pager brand Gold Apollo licensed the design to a Hungarian company. Based on their online footprint, seems like a front.
I would suspect that the front then outsourced various fab work to misc factories. Pretty much every PCB fab can make these low tech pagers. Then handle the explosives as the last step with a special shop.

🧵21/n
@Laughing_Mantis Sounds like a new wave happening today. Looks like rugged walkie talkies, suggesting the same highly targeted approach.

Triggering will be different.

# of units is currently unknown, so nothing to suggest supply chain (yet).

Hezbollah now has 0 trustable comms.

🧵22/n
Hours later & it’s still a mix of random devices & small numbers. Could easily be a bunch of implanted explosives without needing supply chain control, as has been done for decades. Just because one was supply chain doesn’t mean all were.

Sure has caused connected groups to stop trusting recently acquired electronics & trash them though.

🧵23/n
@Laughing_Mantis How do you even have a contingency plan for all of your electronics needing to be thrown out because they are now bombs? Have enough spare wire to build a crystal radio & wait for broadcast instructions?

🧵24/n