Lebanon explosions raise alarm about supply chain security, safety of tech
At least 32 people were killed when thousands of pagers and walkie-talkies detonated in attacks blamed on Israel.
By John Power
Published On 19 Sep 202419 Sep 2024
The use of pagers and walkie-talkies in back-to-back coordinated explosions in Lebanon has drawn scrutiny to the security of global supply chains and their vulnerability to tampering by governments or other actors.
The utilisation of thousands of electronic devices in the apparent attacks, which are widely believed to have been orchestrated by Israel as part of an operation targeting Lebanon’s armed group Hezbollah, has raised the spectre of everyday communications equipment being weaponised in the future.
Tech companies are likely to see the attacks as a powerful reminder of the importance of securing their supply chains, while the general public’s trust in technology may also take a hit, tech industry and supply chain analysts told Al Jazeera.
“Every company that makes or sells physical devices will be worrying about the integrity of their supply chain,” said James Grimmelmann, Tessler Family professor of digital and information law at Cornell Tech and Cornell Law School in the United States.
“They are likely to consider adding additional safeguards and verifications so that they can better detect and prevent moves like this.”
While Israel has been
implicated in assassinations using tampered communications devices before – including the 1996 killing of Hamas bombmaker Yahya Ayyash via an explosives-rigged mobile phone – the scale of the attacks, involving thousands of simultaneous detonations, was unprecedented.
At least 32 people were killed and more than 3,100 were injured in the explosions on Tuesday and Wednesday, including Hezbollah members and civilians, according to Lebanese authorities.
Erosion of public trust
Brian Patrick Green, director of technology ethics at the Markkula Center for Applied Ethics at Santa Clara University in the US, described the attacks as a potential watershed for the public’s trust in their electronic devices.
“Somehow thousands of devices were turned into weapons without anyone noticing it. How widespread are these explosive devices? How did the explosives get into the devices or the device supply chains? This attack raises terrifying questions that were never even considered before,” Green said.
Mariarosaria Taddeo, a professor of digital ethics and defence technologies at University of Oxford, said the attacks set a concerning precedent as they involved interference with the supply chain “not for a specific act of sabotage but for a distributed, highly impactful attack”.
“This scenario has been considered by experts but less so by state actors. If something good comes out of them, this is going to a public debate on control of the supply chain, strategic autonomy over digital assets, and digital sovereignty,” Taddeo said.
While it is unclear exactly how the pagers and walkie-talkies were turned into explosive devices, Lebanese and US officials have told multiple media outlets that Israeli intelligence booby-trapped the devices with explosive materials.
Israel has not commented to either confirm or deny responsibility.
Taiwanese company Gold Apollo, whose brand of pagers were used in the attacks, on Wednesday denied manufacturing the deadly devices, saying they had been made under licence by a company called BAC.
Gold Apollo’s CEO Hsu Ching-kuang told US radio NPR that BAC had paid his company through a Middle Eastern bank account that was blocked at least once by his firm’s Taiwanese bank.
BAC, which is based in Hungary’s capital Budapest, has not responded to requests for comment.
On Thursday, The New York Times, citing three unnamed intelligence officials, reported that BAC was an Israeli front set up to manufacture the explosive pagers.
Icom, a radio equipment maker based in Japan, said it had stopped producing the model of radios reportedly used in the attacks about 10 years ago.
“It was discontinued about 10 years ago, and since then, it has not been shipped from our company,” Icom said in a statement.
“The production of the batteries needed to operate the main unit has also been discontinued, and a hologram seal to distinguish counterfeit products was not attached, so it is not possible to confirm whether the product shipped from our company.”
Patrick Lin, director of Ethics + Emerging Sciences Group at California Polytechnic State University (Cal Poly), said there are important questions about where in the supply chain the devices were compromised.
“Was it during the manufacturing process, or in transit, or at the system operator’s level right before the devices are assigned to individuals?” Lin said.
“If it were done during the manufacturing process, then other technology manufacturers should be more concerned, as the other ways are outside their control. If the pager manufacturer wasn’t a willing accomplice in such a scenario, then their operational security was seriously compromised.”
How will tech companies respond?
However the devices may have been tampered with, the attacks could further accelerate moves towards technology that is “homegrown within a nation’s borders for tighter control of supply-chain security, whether it’s smartphones, drones, social media apps, whatever,” Lin said.
Milad Haghani, a supply chain expert at the School of Civil and Environmental Engineering at the University of New South Wales in Australia, said he expects to see a “widespread reckoning” that will lead companies to tighten their supply chain security protocols.
“For tech companies in general, this situation is unprecedented in its scale, and many likely haven’t taken the security of their production processes as seriously before,” Haghani said.
“Many companies may not have been fully equipped to handle such threats,” he said, adding that the explosions in Lebanon will lead to a significant ramp-up in security efforts within organisations.
Smartphone giants such as Apple, Samsung, Huawei, Xiomi and LG are viewed as less vulnerable to being compromised than smaller companies, analysts said, citing reasons including their greater attention to security, the relatively targeted nature of the operation against Hezbollah, and the more limited space in their devices in which to place substances such as explosives.
“There will be curiosity but their production and delivery chains are completely different to small-scale companies, including vendors of counterfeit transceivers. So at least now there’s no reason to consider that they may be affected,” said Lukasz Olejnik, a visiting senior research fellow of the Department of War Studies of King’s College London.
“However, the big companies may be inclined to highlight the differences in their ways of doing things.”
Others expressed less confidence that Big Tech is immune from such concerns, pointing to the fact that companies rely on smaller suppliers that may make for easier targets or that they have cooperated with governments to target individuals in less deadly ways, most notably to spy on their communications.
Full read:
https://www.aljazeera.com/economy/2...alarm-about-supply-chain-security-tech-safety
