The Israelis have yet to formally acknowledge the attacks, but there is certainly tradecraft precedent.
A terrorist nicknamed “The Engineer” was assassinated in 1996 with a cell phone that detonated, killing him instantly with a small explosive-shaped charge.
The skill to clandestinely infiltrate Hezbollah’s supply chains is just one aspect of the attacks, with a second aspect no less impressive: the actual engineering behind the exploding pager/radio design and likely forensic quality cleaning of the devices to bypass Hezbollah efforts to scan and detect such devices. I’ll explain each in turn.
Attacking the Supply Chain
Hezbollah is reported to have sought to use digital pagers because of concerns regarding the security of cellular telephones used by the group and to avoid being tracked by Israeli security forces in a manner to which cell phones are particularly vulnerable. Whether it is members of the British royal family or targets of criminal investigation, the techniques to target cell phones are well established and do not require state-level sophistication. When it comes to state techniques used to compromise cell phones, however, the skill level ramps up considerably, which is why even devices that seem to be powered completely down – turned off, if you will – are suspect and cannot be used in classified environments, because they are known to be too vulnerable.
While remnants of the pagers appear to have been the alphanumeric model AR-924 pager manufactured by the Taiwanese company named Gold Apollo Company, LLC, a company spokesperson denied manufacturing the pagers in question, pointing instead to a Gold Apollo licensed company operating out of Hungary named BAC Consulting, whom the spokesperson stated “entirely handled” manufacturing the actual pagers suspected of being used in the attack. For their part, a Hungarian government source told CNN that BAC was only a “trading intermediary,” and they did no actual manufacturing of pagers.
The remains of one of the detonated pagers.
As a terrorist organization, Hezbollah was not simply going to place a bulk order of pagers and portable radios to be drop shipped in care of Hassan Nasrallah, who at the time of the attacks was both alive and the group’s secretary-general. Clearly, the perpetrators of the device attacks had both placement and access, putting them inside Hezbollah’s acquisition efforts. Because a number of the devices survived, and due to statements made by Hezbollah officials, the alleged vendor of the pagers is known, although according to a recent CBS Evening News story, the CEO of BAC Consulting is in hiding under the protection of the Hungarian secret services. It is certainly possible the manufacturer and named distributor were completely disconnected from Israeli efforts, and did not cooperate with the Mossad, but simply believed they were delivering the devices to a legitimate distributor. Obviously, Hezbollah will be very interested in determining how their supply chain was compromised to avoid further attacks, and while some of this will likely reach the public domain, other aspects will remain hidden from view.
The Mystery of Exploding Electronics
More fascinating to me than the infiltration of Hezbollah logistics networks is the design engineering behind the exploding pagers. While I am not ignoring the handheld radios, which exploded the following day, their larger size affords easier concealability of an explosive payload. Based on the limitation of their physical size and some clues evident in photos and videos shown by Hezbollah in the aftermath of the attacks, there are some obvious items I would assess as being highly likely. Clearly, a high explosive was used, which is obvious given the injuries and physical blast damage. With few exceptions, high explosives require detonators to function. Yes, it is true that common terrorist explosives such as triacetone triperoxide (TATP) do not, but they are unbelievably sensitive to rough handling and degrade rapidly compared to more common high explosives such as pentaerythritol tetranitrate (PETN) and cyclonite (RDX).
The Israelis have yet to formally acknowledge the attacks, but there is certainly tradecraft precedent.
A terrorist nicknamed “The Engineer” was assassinated in 1996 with a cell phone that detonated, killing him instantly with a small explosive-shaped charge.
The skill to clandestinely infiltrate Hezbollah’s supply chains is just one aspect of the attacks, with a second aspect no less impressive: the actual engineering behind the exploding pager/radio design and likely forensic quality cleaning of the devices to bypass Hezbollah efforts to scan and detect such devices. I’ll explain each in turn.
Attacking the Supply Chain
Hezbollah is reported to have sought to use digital pagers because of concerns regarding the security of cellular telephones used by the group and to avoid being tracked by Israeli security forces in a manner to which cell phones are particularly vulnerable. Whether it is members of the British royal family or targets of criminal investigation, the techniques to target cell phones are well established and do not require state-level sophistication. When it comes to state techniques used to compromise cell phones, however, the skill level ramps up considerably, which is why even devices that seem to be powered completely down – turned off, if you will – are suspect and cannot be used in classified environments, because they are known to be too vulnerable.
While remnants of the pagers appear to have been the alphanumeric model AR-924 pager manufactured by the Taiwanese company named Gold Apollo Company, LLC, a company spokesperson denied manufacturing the pagers in question, pointing instead to a Gold Apollo licensed company operating out of Hungary named BAC Consulting, whom the spokesperson stated “entirely handled” manufacturing the actual pagers suspected of being used in the attack. For their part, a Hungarian government source told CNN that BAC was only a “trading intermediary,” and they did no actual manufacturing of pagers.
The remains of one of the detonated pagers.
As a terrorist organization, Hezbollah was not simply going to place a bulk order of pagers and portable radios to be drop shipped in care of Hassan Nasrallah, who at the time of the attacks was both alive and the group’s secretary-general. Clearly, the perpetrators of the device attacks had both placement and access, putting them inside Hezbollah’s acquisition efforts. Because a number of the devices survived, and due to statements made by Hezbollah officials, the alleged vendor of the pagers is known, although according to a recent CBS Evening News story, the CEO of BAC Consulting is in hiding under the protection of the Hungarian secret services. It is certainly possible the manufacturer and named distributor were completely disconnected from Israeli efforts, and did not cooperate with the Mossad, but simply believed they were delivering the devices to a legitimate distributor. Obviously, Hezbollah will be very interested in determining how their supply chain was compromised to avoid further attacks, and while some of this will likely reach the public domain, other aspects will remain hidden from view.
The Mystery of Exploding Electronics
More fascinating to me than the infiltration of Hezbollah logistics networks is the design engineering behind the exploding pagers. While I am not ignoring the handheld radios, which exploded the following day, their larger size affords easier concealability of an explosive payload. Based on the limitation of their physical size and some clues evident in photos and videos shown by Hezbollah in the aftermath of the attacks, there are some obvious items I would assess as being highly likely. Clearly, a high explosive was used, which is obvious given the injuries and physical blast damage. With few exceptions, high explosives require detonators to function. Yes, it is true that common terrorist explosives such as triacetone triperoxide (TATP) do not, but they are unbelievably sensitive to rough handling and degrade rapidly compared to more common high explosives such as pentaerythritol tetranitrate (PETN) and cyclonite (RDX).
I cannot imagine a design using TATP in such a small package because the devices could well have malfunctioned prematurely if tossed on a table, dropped on the floor, etc. Similarly, the small amount of space available inside a pager demands the use of an explosive with a high velocity of detonation, and relative effectiveness factor (R.E. factor) either close to or greater than TNT. This is also sometimes called TNT equivalence, and although a bit of an oversimplification, it is difficult to precisely calculate with any level of exactitude.
At the risk of sounding like an explosives geek, PETN has a claimed approximate R.E. factor of 1.6, compared to TNTs R.E. factor of 1.0, so you get more relative “bang” from a similarly sized payload of PETN, versus TNT.
If I haven’t lost you yet, another issue concerns something called critical diameter, which in lay terms simply means what physical amount of high explosives you need in order for it to sustain a detonation wave. If you don’t use enough explosives, the detonation will stop before all the explosives are consumed, which is inefficient. With little space to spare for explosives inside a pager in the first place, this would not yield the results you want.
One way to work around charge diameter is to house your explosives in a highly engineered fashion so the blast wave will move smartly downrange as designed. A great example of explosives requiring very small diameters to function is detonating cord, which is designed to efficiently transfer explosive power against a target such as a door (think breaching), into an explosive (think C4), or to connect a sequence of explosive charges. Detonating cord is rated by the number of grains of explosive material in a given length (a unit of measurement common in the blasting world), so it is easy to calculate: for example, the quantity of an explosive like PETN in one foot of detonating cord. Thus, 50 grain PETN detonating cord (a common size) contains a bit over 3 grams of PETN explosive.
Others have opined some form of liquid PETN might have been sprayed on the batteries, causing them to become an explosive. Notwithstanding PETN is not a liquid explosive, charge diameter makes this impossible, as a multi-micron level coating of high explosive is not going to sustain a detonation wave. However, going back to very old technology, think about how dynamite came to be from Alfred Nobel, the Swedish scientist who patented it and many other explosives (to include blasting caps/detonators). Pouring nitroglycerine into an absorbent inert material (diatomaceous earth or sawdust) does allow for a “stick” or cartridge of dynamite to become an explosive that will sustain a detonation quite well.
Imagine a smaller-sized cartridge (like a battery pack) has been engineered so a portion of the pack is replaced with PETN and a detonator inserted inside. The outer casing of the battery pack would likely obscure the contents from some x-rays, useful to hide a detonator. There is precedence for this: A 2006 al Qaeda plot to attack United Kingdom originated aircraft with liquid explosives (the origin of the Transportation Security Administration’s 3-1-1 rule) was designed with detonators hidden inside AA sized batteries. According to Lebanese sources who examined the remains of the exploded pagers and conducted controlled detonation of pagers switched off at the time the active pagers exploded, the devices used a lithium ion battery pack, and not removable AA batteries.
How much explosive could an AA sized battery pack hold? Certainly, in the range of several grams, particularly if the pack was designed to still function reliably, even given the likely reduced charge capacity of an adulterated battery pack containing explosives. Given a relatively brief period between delivery of the devices, their distribution throughout the Hezbollah network, and activation, limited battery life might not be detected or could be passed off as a poor-quality battery pack.
A printed PETN wafer containing several grams of explosive material, covering roughly the interior dimensions of a pager would certainly match the damage visible as a rectangular hole shown on broadcast CBS footage of the attacks. If the board was skillfully engineered, it could appear to be a legitimate internal portion of the pager, needing only a miniaturized detonator to set it off, perhaps disguised so as to appear as an electrolytic (think about a small tube) capacitor.
Based on the size of the available pager container, charge diameter restrictions, and explosives engineering, I think one of the methods above, most likely an adulterated battery pack or 3D-printed explosive, was the culprit.
The world now knows explosives can very effectively be hidden inside pagers and handheld radios. Not only have large chunks of these electronics survived, but it is known that not all of them detonated. In fact, Lebanese officials described doing controlled detonations of recovered devices that were switched off at the time of the explosions, and Hezbollah has stated they are in possession of devices that did not function as designed. Even with a 99% success rate, which would be extraordinary, this means a great many are available for forensic exploitation by Hezbollah and, by extension, Iran. The same technology that was used against Hezbollah terrorists could well be turned against civil aviation. Allow me to explain.
According to a Times of Israel article, Hezbollah is known to have screened their electronic devices, to include sending members into airports to see if standard checkpoint screening technology would detect anything in the devices and trigger alarms. While this claim remains unproven in open-source material, it is consistent with Hezbollah tradecraft. Additionally, had an explosive-filled pager been detected at an international airport, it would have been immediate global news. Unfortunately, this means the technology used to adulterate the pagers with explosives was probably not detectable by current screening devices, likely through a combination of design and forensically cleaning the devices so they could not be discovered through common explosives trace detection technology.
Now, before people run screaming for the exits that a grave vulnerability exists, my observations and background are certainly not unique in the aviation counter-IED detection world. The men and women who study and attack this problem set (and I used to be one of them) are dedicated and skilled professionals, and it is reasonable to believe the U.S. and/or partner nations have obtained one of the pagers, studied it, and have made or are making appropriate changes to screening algorithms and standard operating procedures used in current screening technology. This process of adaptation is not unique, and I am personally aware of threats that caused similar concern and countermeasure activity in the aviation screening world.
Conclusion
The motto of the British Special Air Service is “Who Dares Wins,” and it appears that the Israelis, with a daring plan, struck at Hezbollah in a highly effective way, outright eliminating but certainly also maiming a significant number of Hezbollah players. While this is unlikely to be militarily decisive and may yet provoke a widened Middle East war between Israel and Hezbollah, this innovative attack will clearly have other adversaries thinking about their own technical vulnerabilities. Whether it will also have the unintended consequences of creating a new vector to attack civil aviation remains to be seen, and while aviation security professionals are up to the challenge, we are foolish if we do not at least plan for that eventuality.
