Pagers and walkie-talkies over cellphones – a security expert explains why Hezbollah went low-tech for communications
- Written by Richard Forno, Principal Lecturer in Computer Science and Electrical Engineering, University of Maryland, Baltimore County
Electronic pagers across Lebanon exploded simultaneously on Sept. 17, 2024, killing 12 and wounding more than 2,700[1]. The following day, another wave of explosions[2] in the country came from detonating walkie-talkies. The attacks appeared to target members of the militant group Hezbollah.
The pagers attack involved explosives[3] planted in the communications devices by Israeli operatives, according to U.S. officials cited by The New York Times. Hezbollah had recently ordered a shipment of pagers, according to the report.
Secretly attacking the supply chain is not a new technique in intelligence and military operations. For example, the U.S. National Security Agency intercepted computer hardware bound for overseas customers[4], inserted malware or other surveillance tools and then repackaged them for delivery to certain foreign buyers, a 2010 NSA internal document showed. This differs from accessing a specific person’s device, such as when Israel’s Shin Bet secretly inserted explosives into a cellphone to remotely kill[5] a Hamas bombmaker in 1996.
Hezbollah, a longtime adversary of Israel, had increased its use of pagers in the wake of the Hamas attack on Israel on Oct. 7, 2023. By shifting to relatively low-tech communication devices, including pagers and walkie-talkies, Hezbollah apparently sought an advantage[6] against Israel’s well-known sophistication in tracking targets through their phones.
Cellphones: The ultimate tracker
As a former cybersecurity professional and current security researcher[8], I view cellular devices as the ultimate tracking tool for both government and commercial entities – in addition to users, criminals and the mobile phone provider itself. As a result, mobile phone tracking has contributed to the fight against terrorism[9], located missing people[10] and helped solve crimes[11].
Conversely, mobile phone tracking makes it easy for anyone to record a person’s most intimate movements. This can be done for legitimate purposes such as parents tracking children’s movements, helping you find your car in a parking lot, and commercial advertising, or nefarious ends such as remotely spying on a lover suspected of cheating or tracking political activists and journalists. Even the U.S. military remains concerned[12] with how its soldiers might be tracked by their phones.
Mobile device tracking is conducted in several ways. First, there is the network location data[13] generated by the phone as it moves past local cell towers or Stingray devices[14], which law enforcement agencies use to mimic cell towers. Then there are the features built into the phone’s operating system or enabled by downloaded apps[15] that may lead to highly detailed user tracking, which users unwittingly agree to by ignoring the software’s privacy policy or terms of service.
This collected data is sometimes sold to governments or other companies[16] for additional data mining and user profiling. And modern smartphones also have built-in Bluetooth, Wi-Fi and GPS capabilities that can help with locating and tracking user movements around the world, both from the ground and via satellites.
Mobile devices can be tracked in real time or close to it. Common technical methods include traditional radio direction-finding[17] techniques, using intelligence satellites or drones, deploying “man in the middle” tools like Stingrays to impersonate cellular towers[18] to intercept and isolate device traffic, or installing malware such as Pegasus, made by Israeli cyberarms company NSO[19] to report a device’s location.
Nontechnical and slower techniques of user tracking include potentially identifying general user locations from their internet activity[20]. This can be done from website logs or the metadata contained in content posted to social media, or contracting with data brokers to receive any collected location data from the apps that a user might install on their device.
Indeed, because of these vulnerabilities, the leader of Hezbollah earlier this year advised his members to avoid using cellular phones[21] in their activities, noting that Israel’s “surveillance devices are in your pockets. If you are looking for the Israeli agent, look at the phone in your hands and those of your wives and children.”
Researchers have shown how these features, often intended for the user’s convenience, can be used by governments, companies and criminals to track people in their daily lives and even predict movements[22]. Many people still aren’t aware of how much their mobile devices disclose about them[23].
Pagers, however, unlike mobile phones, can be harder to track depending on whether they support two-way communication.
Why go low-tech
A pager that only receives messages does not provide a signal that can facilitate tracking its owner. Therefore, Hezbollah’s use of pagers likely made it more challenging to track their operatives – thus motivating Israeli intelligence services’ purported attack on the supply chain of Hezbollah’s pagers.
Using low-tech tactics and personal couriers while avoiding the use of mobile phones and digital tools also made it difficult for the technologically superior Western intelligence agencies to locate Osama bin Laden for years after the 9/11 attacks.
In general, I believe the adversary in an asymmetric conflict[24] using low-tech techniques, tactics and technology will almost always be able to operate successfully against a more powerful and well-funded opponent.
A well-documented demonstration of this asymmetry in action was the U.S. military’s Millennium Challenge[25] war game in 2002. Among other things, the insurgent Red forces, led by Marine General Paul van Riper, used low-tech tactics including motorcycle couriers instead of cellphones to evade the Blue forces’ high-tech surveillance. In the initial run of the exercise, the Red team won the contest in 24 hours, forcing exercise planners to controversially reset and update the scenario to ensure a Blue team victory.
Lessons for everyone
The preference for terrorist organizations like Hezbollah and al-Qaida to avoid using smartphones is a reminder for everyone that you can be, and likely are being tracked in various ways and for various purposes.
Israel’s purported response to Hezbollah’s actions also holds a lesson for everyone. From a cybersecurity perspective, it shows that any device in your life can be tampered with by an adversary at points along the supply chain – long before you even receive it.
References
- ^ killing 12 and wounding more than 2,700 (www.nytimes.com)
- ^ another wave of explosions (apnews.com)
- ^ involved explosives (www.nytimes.com)
- ^ intercepted computer hardware bound for overseas customers (arstechnica.com)
- ^ remotely kill (israeled.org)
- ^ sought an advantage (www.reuters.com)
- ^ AP Photo (newsroom.ap.org)
- ^ security researcher (cybersecurity.umbc.edu)
- ^ fight against terrorism (www.nytimes.com)
- ^ located missing people (www.kcra.com)
- ^ helped solve crimes (www.nytimes.com)
- ^ U.S. military remains concerned (www.wsj.com)
- ^ network location data (www.usatoday.com)
- ^ Stingray devices (theintercept.com)
- ^ downloaded apps (internethealthreport.org)
- ^ sold to governments or other companies (www.eff.org)
- ^ radio direction-finding (apps.dtic.mil)
- ^ impersonate cellular towers (www.efani.com)
- ^ Pegasus, made by Israeli cyberarms company NSO (nsarchive.gwu.edu)
- ^ internet activity (www.privateinternetaccess.com)
- ^ avoid using cellular phones (www.israelnationalnews.com)
- ^ predict movements (www.rochester.edu)
- ^ how much their mobile devices disclose about them (www.sciencedaily.com)
- ^ asymmetric conflict (www.britannica.com)
- ^ Millennium Challenge (warontherocks.com)
Authors: Richard Forno, Principal Lecturer in Computer Science and Electrical Engineering, University of Maryland, Baltimore County