Targeted attacks involving modified devices, such as pagers or cellphones turned into explosive devices, are one of the most ingenious techniques used in intelligence operations. These devices not only attract the attention of victims with sound or vibration, but also use outdated technology that is extremely difficult to intercept. This makes these tools particularly attractive to organizations like Hezbollah, which use pagers to communicate securely and reliably, reducing the risk of being tracked by intelligence agencies.
Hezbollah, for example, uses pagers primarily for security purposes. Unlike modern smartphones, which emit constant signals and have built-in GPS functions, pagers are one-way devices that receive messages without constantly transmitting the user's location. This makes it much more difficult for authorities or intelligence agencies, such as Israel's Mossad, to track the exact location of their users.
Pagers, being technologically simple, are not integrated into global cellular networks or the Internet, thus limiting the type of cyber attacks that could be carried out against more advanced devices. Furthermore, they rely on radio signals, which makes them particularly reliable in areas with poor mobile coverage or in situations where cellular networks have been disrupted, such as in conflict zones or during security operations.
The device used for the attack is the AP900 pager, which works on UHF (400-470 MHz) and VHF (100-174 MHz) frequencies.
The modulation used to activate these devices is frequency-shift keying (FSK), a frequency modulation scheme in which digital information is encoded onto a carrier signal by periodically shifting the carrier frequency between different frequencies. A frequency shift of ±4.5 kHz is used in conjunction with a channel spacing of 25 kHz, known as "wideband".
The transmission system uses 32-bit codewords, of which 21 bits are dedicated to information (bits 31-11), 10 bits to error correction (bits 10-1), and one to parity (bit 0). These codewords are based on a binary BCH (31, 21) code, which offers a Hamming distance of 6 bits. This distance makes it possible to detect and correct up to 2 errors per codeword, increasing the reliability of the transmission system.
Codewords can be of two types: address or data. Address codewords contain 18 address bits (bits 30-13) and 2 function bits (bits 12-11), while data codewords carry 20 bits of data (bits 30-11).
Each transmission batch begins with a synchronization word (0x7CD215D8), followed by 16 codewords, which can be addresses or data. Unused codewords within a batch are filled with an inactive value of 0x7A89C197.
Although the transmitted address is 18 bits, the actual address used by the receiver is 21 bits. The 3 missing bits are derived from the position of the pair of codewords within the batch. This technique allows the device to save energy for much of the time and to wake up only when the pair of codewords that identifies it is transmitted, thus optimising energy consumption.
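The codeword layout, error correction and address reconstruction described above can be checked with a small receive-side decoder. This is an added example, not code from the original article. It assumes the standard POCSAG generator polynomial and that the codeword-pair (frame) number supplies the low 3 address bits; the address and data values in `sample_batch` are constructed for the test.

```python
from itertools import combinations

SYNC, IDLE = 0x7CD215D8, 0x7A89C197   # values quoted in the article
GEN = 0x769   # BCH(31,21) generator x^10+x^9+x^8+x^6+x^5+x^3+1 (assumed: standard POCSAG)
# Every error pattern of weight 0, 1 or 2 over the 32 codeword bits.
FLIPS = [0] + [1 << i for i in range(32)]
FLIPS += [a | b for a, b in combinations(FLIPS[1:], 2)]

def make_codeword(info21):
    """21 information bits -> 32-bit codeword (10 BCH check bits + even parity)."""
    reg = info21 << 10
    for bit in range(30, 9, -1):          # polynomial long division by GEN
        if reg >> bit & 1:
            reg ^= GEN << (bit - 10)
    body = (info21 << 10 | reg) << 1      # bits 31-11 info, bits 10-1 check
    return body | (bin(body).count("1") & 1)

def is_valid(cw):
    return make_codeword(cw >> 11) == cw

def correct(cw):
    """Nearest valid codeword within 2 bit errors, or None if there is none."""
    return next((cw ^ f for f in FLIPS if is_valid(cw ^ f)), None)

def decode_batch(words):
    """Sync word + 16 codewords -> list of (slot, kind, value, function)."""
    if len(words) != 17 or words[0] != SYNC:
        raise ValueError("batch must start with the synchronization word")
    out = []
    for slot, raw in enumerate(words[1:]):
        cw = correct(raw)
        if cw is None:
            out.append((slot, "uncorrectable", None, None))
        elif cw == IDLE:
            continue                       # filler codeword
        elif cw >> 31:                     # bit 31 set: data, 20 bits in 30-11
            out.append((slot, "data", cw >> 11 & 0xFFFFF, None))
        else:                              # address: 18 bits + 2 function bits
            frame = slot // 2              # 8 frames of 2 codewords per batch
            addr21 = (cw >> 13 & 0x3FFFF) << 3 | frame   # frame = low 3 bits
            out.append((slot, "address", addr21, cw >> 11 & 3))
    return out

def sample_batch():
    """Constructed batch: address 1234567 (frame 7) plus one data codeword."""
    batch = [SYNC] + [IDLE] * 16
    batch[15] = make_codeword((1234567 >> 3) << 2 | 3)   # slot 14, function 3
    batch[16] = make_codeword(1 << 20 | 0xABCDE)         # slot 15, data
    return batch

if __name__ == "__main__":
    noisy = sample_batch()
    noisy[15] ^= 1 << 27 | 1 << 5        # two bit errors: still decodes
    print(decode_batch(noisy))
```

Recomputing the check bits for the inactive codeword reproduces 0x7A89C197 exactly, which confirms the bit layout; a codeword with three flipped bits is reported as uncorrectable rather than silently mis-decoded.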
For this reason, my belief is that the attack was propagated through the propagation of radio signals in the affected area via drones and/or naval vessels, signals that activated all the devices, which had evidently been reprogrammed using a second mass identifier address that covered the entire series of devices marketed in the area.
Another peculiarity of the attack is the technique used to trigger the target's attention. As documented by the videos that appeared online, the devices involved initially emitted signals, such as a sound or a vibration, which induced the victims to interact with the device. Once the display lights up, the subject tends to touch or examine the device, unknowingly activating the detonation sequence. A few seconds after the interaction, the explosion occurs, leading to death or serious injuries.
This activation mode, which may seem specifically designed to lure the victim, indicates a surgical precision in the intention to maximize the damage. The goal, in fact, is to cause direct damage to the person using it, often aiming for the face or head.
At the time of writing this analysis, 18 victims and over 4000 wounded have been confirmed, demonstrating that the operation to tamper with the equipment involved an entire production that could have been replaced shortly before delivery. A further consideration, given the high number of wounded, is that the planning of the operation started from the analysis of Hezbollah's communications and then moved on to the mass production of these devices.
It is conceivable that the operation unknowingly involved the manufacturer who received a double order, one from the Hezbollah network and the other from a trader who unknowingly acted for the Israeli intelligence agency. Upon arrival of the container in Lebanon, the equipment could have been replaced with modified ones.
This is not the first time that Israeli intelligence has used modified devices to strike its adversaries. For example, in the case of Yahya Ayyash, a well-known Hamas leader nicknamed "the engineer" for his skills in building explosive devices, a modified mobile phone with explosives hidden inside was used. In 1995, some Israeli secret service agents came into contact with a relative of a prominent member of a Palestinian armed organization, convincing him to collaborate. In exchange, the relative asked for money and documents for him and his wife, but the Israeli authorities forced him to choose, threatening to reveal his attempt to contact enemy forces.
The collaborator was given a cell phone and was convinced that it was a tool to monitor his family member's communications. In reality, it contained a hidden charge of 15 grams of RDX. Shortly thereafter, on a January morning in 1996, during a conversation intercepted by Israeli agents, the command decided to activate the device remotely, calling the cell phone and, once they had obtained direct confirmation of the identity of the interlocutor, pressing the command that made the cell phone explode at head height.
What is certain is that Hezbollah is currently reviewing its entire internal communications system following this operation. Command and Control Disruption is a war strategy aimed at neutralizing an enemy's ability to coordinate, direct, and manage its military forces.
These types of operations aim to disrupt communication and decision-making, leaving opposing forces isolated, disorganized, and unable to respond effectively to attacks. The primary goal of disrupting command and control centers is to prevent communication between military leaders and troops on the ground, rendering the enemy's ability to coordinate maneuvers and responses ineffective, as well as isolating military units on the ground, preventing mutual support, and increasing operational confusion.
Depriving the enemy of the ability to make strategic decisions by disrupting the flow of key information and tactical planning could be the prelude to an Israeli ground operation in Lebanese territory.
* vice president of the Italian Subsidiary Security Association, head of the CyberSecurity department