Schneier on Security

Clive Robinson • September 17, 2024 5:53 PM

@ Folks,

The pager system is a simple broadcast system in the VHF or UHF band and it has no security in general.

That means anyone who knows the base station broadcast frequency and a pager group or individual ID can listen into broadcasts or send out a message to any or all of them.

You can look up the “Post Office Code Standardization Advisory Group”(POCSAG) standards quite easily and confirm this. Or you can follow somebody elses experiments,

https://www.rfcandy.biz/communication/pocsag.html

As I’ve mentioned on this blog in the past the “pager in your pocket” is a receiver only thus not designed to be trackable at any range[1] unlike mobile phones or most other modern communications devices.

The important point to note is that as there is no security, then “the broadcast” may not come from any “network transmitter”. In fact you can create your own POCSAG transmitter with very easily available parts for “pocket change” and you will find web pages of Ham/Amateur Radio Operators telling you exactly how to do this.

The range of the transmitter has little to do with it’s radiated power, what counts is the “radio horizon” as I’ve mentioned before a hand held radio pushing out less than 1watt can easily be heard not just in “low earth orbit” but at the hight of the ISS. In terestrial terms a transmitter at 300m above the terain, suspended under a cheap DJI type drone would reach out to give a 60kM radius coverage area.

So anyone with a little knowledge could have set up a system to send out the signal that caused the pagers to do what they did.

[1] Nearly all receivers work on the heterodyne principle, thus contain an EM oscillator at a known “offset frequency” from the broadcast frequency. These tend to have standard offsets at the “Intermediary frequency” that last century would have been around 10.7MHz or 455kHz. These oscillators do leak back through the mixer circuit and radiate from inexpensive receivers. During WWII the German Radio Service used this to quickly triangulate and track down SOE and similar radio operators in what we would now call a “Find, Fix, and Finish”(FFF) operation. I’ll leave it to peoples imagination as to what the final F stood for, or you can look it up.

Clive Robinson • September 18, 2024 5:19 PM

@ Bruce, ALL,

Re : How many wires / contacts on a battery.

Back when rechargeable batteries in portable electronics were 1.2V NiCads in the same format as the “standard cells” of AAA, AA, through D and those ~9V PP3 etc they only had two wires / contacts and had really short lives both in self discharge, number of recharge cycles as well as low energy density.

Back in the late 1980’s other battery chemistries started comming along. Early lithium batteries were known to be significant fire hazards. Not just because they could discharge in the “high amp” range but also when being charged at the wrong temperature and other specifics.

This necessitated “Battery Management Systems”(BMSs) with an additional wire per cell.

BMSs are complex circuits made possible by “grain of rice” sized components including surface mount micro controllers with “Flash Storage”. You may remember the stories of the likes of Apple using such systems to “up the after sales margins” as you covered it on this blog some years back.

Well now batteries come with three or more wires / connections, one or two of which in some cases are a serial data bus not unlike I2C or even “Controller Area Network serial communication bus”(CAN-bus).

So visual inspection of a battery will show the two “power wires” and one or more others for the active / intelligent BMS…

Now consider to keep manufacturing expense down round cells or even pouches have a higher content to lower weight / material use case. Which means when you put them in a “consumer” battery there is a lot of volumetric space. In “rugged” systems this is filled with the likes of beeswax equivalent, foam, or hardened plastic. All of which have “filler” of some type blended in.

Thus the question “what is the filler or other materials?

Anyone who has done “demolition” training whilst wearing the green knows that “explosive” can not only be “shaped” it can be moulded and coated even some types with “thermosetting plastics” of the sort used in injection moulding.

But there is a catch with all batteries and explosives, as a general rule the higher the energy density the lower their stability, thus the much increased risk.

As has been mentioned there are very high energy density explosives that do not contain nitrates so do not show up on “Chemical Agent Monitoring”(CAM) scanners (that are exorbantly expensive not just to obtain but use). Such high energy density explosives are highly unstable and will go “high order” on filter paper when drying, some even go that way with the least shock or even sunlight…

But research has come up with even higher energy density. Put simply the energy is stored in the bonds between the atoms in the molecules. Back in the 1980’s and 90’s people were researching “stressed bonding” where such distorted chemical bonds could store a lot more energy thus have a much higher “punch” and much more rapid energy release thus more effective shockwave. As far as I’m aware none had reached the stage where they were not considered “Devil Dust” that would claim your soul more easily than a meer snap of the fingers as they were highly highly unstable.

However as you’ve noted in the past “attacks get better with time” and it’s been three decades since I last had a professional interest in such things…

Clive Robinson • September 18, 2024 6:25 PM

@ ALL,

The apparent use of Japanese manufacture Icom two way radios concerns me rather more than pagers.

As some have noted pagers are an old but useful technology. But… They have little or no residual value or worth, so they are unlikely to get passed on to others outside of the Lebanon’s administrative boarders or even outside their government / civil service.

However Icom two way radios have very high residual or second hand value.

Just one could be sold and get upto $500 resale price depending on which model.

Icom make two way radios to cover,

1, All “Private Mobile Radio”(PMR) bands used by all private security and even waitresses in pubs, clubs and eateries.

2, The VHF “air-band” used from para-gliders through to full size international airport staff.

3, VHF marine band equipment, used on just about every size of vessel from canoes up through the largest of oil tankers, platforms etc.

4, Ham / Amateur Radio for all the VHF and UHF bands and what some consider “low microwave”.

5, Guard Labour systems for Police and Military that has certain “communications security” aspects (as discussed in the past on this blog as ETSI backdoored it).

And more specialised uses.

Putting a bomb in those hand held radios is almost guaranteed to get them “circulating” in the hands of ordinary citizens in many countries including the West such as North America and Europe. As well as second and third world NGO’s etc.

In short the implanting is the hight of stupidity beyond any rational or civilised mind.

Even if never actively triggered all bombs are “unstable with time” and although they don’t have a predictable half life they do break down with time at a rate often depending on the environment. The only real question is how they break down…

Remember “blasting oil” was not safe untill “Dynamite” temporarily tamed it with clay. But dynamite “sweats” not just with temperature but other stressors including time. Thus the blasting oil comes out and is highly unstable again, and can easily act as a vibration sensitive detonator to the dynamite it is on plus any other “sticks” in close enough proximity.

Oh and just for fun, look up Victorian “Exploding Billiard Balls” it happens due to instability in nitro cellulose which over time becomes increasingly explosive…

https://www.smithsonianmag.com/smart-news/once-upon-time-exploding-billiard-balls-were-everyday-thing-180962751/

Just remember it was also used for piano keys as well, so a grand crescendo on a historic instrument could have a more explosive finish than either the pianist or audience expect…

Clive Robinson • September 19, 2024 1:13 PM

@ Bruce, ALL,

Based on the limited information I have via MSM photos, all the equipment was designed a decade or so ago and importantly to use “standard” AA etc dry/alkaline cells, not Lithium cells.

That is the explosives were packaged in the devices not in the disposable batteries.

Further it is likely the funding for these devices came to Israel from the US. Thus we might expect some rather more “blunt talking” from US diplomats.

But importantly the use of booby-traped civilian objects in civilian areas is strictly prohibited, including objects most likely to be used for civil emergency personnel like doctors, medics, and other “First Responders” is contrary to international legislation the US and other Western states have been signatories to.

“Protocol on Prohibitions or Restrictions on the Use of Mines, Booby-Traps and
Other Devices as amended on 3 May 1996 (Protocol II to the 1980 Convention as
amended on 3 May 1996)
“

https://www.un.org/en/genocideprevention/documents/atrocity-crimes/Doc.40_CCW%20P-II%20as%20amended.pdf

See,

“Article 7 – Prohibitions on the use of booby-traps and other devices”

Subsections 1(a-e), 2 and 3.

All of which are about defining intentional genocide and related crimes against civilian populations.

There is also other international legislation that makes this a fist step “war crime”.

Clive Robinson • September 20, 2024 12:46 AM

@ JohKnowsNothing, Tatütata, and other usuall suspects,

With regards,

“In addition to the pagers, walkie-talkie devices are going off too.”

Whilst both a pager and a walkie-talkie are “receivers” thus can be signaled to.

1, Pagers generally only receive a single frequency or channel, and that is at all times.

2, Walkie-talkies on the other hand are more often than not multi-frequency in design having many frequencies or channels.

For instance the dirt cheap Baofeng UV5r systems that cover 136-174 MHz in the VHF bands and 400-520 MHz in the UHF bands with Frequency / Channel step sizes being 2.5-50kHz with around a 6kHz usable bandwidth. Give you over 20,000 channels any one of which might be used today or in this hour only.

Whilst the old Icoms have way less channels as an attacker you still do not know what channel is actively in use and by whom at any time of the day.

Thus sending a detonate command to pagers is relatively trivial as it’s on a single fixed channel. You can do it with an inexpensive drone a striped down UV5R and a “gum-stick” “Single Board Computer”(SBC) like a Raspberry Pi Zero W etc.

You simply set the TX channel to the standard frequency of the pager, load up one of many Open Source POCSAG programs to repeatedly loop the required FSK data through the UV5R TX audio. Then fly the drone up as high as it can go for just a few minutes at most, and “job done”.

Sending a detonate command to a group of walkie-talkie is a lot more involved however.

Firstly because analogue walkie-talkies unlike pagers generally do not have an “Over The Air”(OTA) digital interface you can send the detonate command to. This means you have to “build it in” to the walkie-talkie hardware and software.

Untill very recently most Walkie-talkies were in effect “Mask Programmed” not “Flash” (this is a new feature on HT’s like the new Quansgeng UV K5). So they could not be “up-graded”, however due to the popularity of Icom HT’s they have a high resale value and that has encouraged “China Knock-Off” fakes to be manufactured in China in large quantities and flash microcontrollers are now less expensive. So getting “the boards” un-programmed or with “added features” would be fairly easy these days and inexpensive if you were doing a reasonable production run of say 1,000 units. Getting the “hardware changes” to get RX audio into a data level for an input pin on the microcontroller chip would be a little harder but possibly not much. It actually might just need a single wire soldered on the PCB or couple of surface mount components “dead bugged, and hot glued down”.

The real problem is how good is the targets OpSec. If it’s fairly bad, or non existent as you might expect with an EmCom setup for “first responders” and other “civil authorities” then simple “scanning” days or weeks in advance will tell you all you need to know. But if your target is a little more switched on with their OpSec procedures you might not get any clue as to what channel frequency the targets walkie-talkie is on.

Clive Robinson • September 25, 2024 3:58 AM

@ Bill Spurlin,

Re : Timers and battery packs

You say,

“No compromise needed of the target’s pager transmitters.”

As I indicated originally this was never an issue, and I guess you’ve not looked up how the pagers work at the “Over The Air”(OTA) interface.

A pager is a very-low power device originally designed back in the 1970’s and 1980’s to last a week or so running on a single dry cell using just transistors. As such they had a single channel usually VHF (upto around 160MHz) and just beeped when a simple signal came in. There was no security and any signal transmitted on the receiver frequency was considered valid by the pager.

Finding the receiver frequency just required a pager an oscilloscope or even just a volt meter and an RF signal generator. You open the pager up (yup they were easy to open for “repair”) then hookup the oscilloscope or volt meter to an appropriate point and then slowly sweep the signal generator untill it reaches the receiver frequency. This is indicated by either “detector output” on the scope, or increase in battery current shown on the voltmeter across a resistor etc.

Confirming this was done by using the sig generator effectively as a jammer. For my sins this is something I was doing with “borrowed” / stolen pagers back in the 1980’s as part of industrial espionage. A marks pager would get borrowed, enumerated, and returned in short order and they might not even realise it had gone missing.

The reason this could be done so easily was because there were no “chips” or “microcontrollers” at the time.

In the UK most people with nationwide pagers got used to the pagers going off twice or sometimes three times for a single page. The reason was the transmitters were arranged in what today we would consider a “cell structure” that was time multiplexed. So depending on where you were your pager might here two or more transmitters.

Even though the standard got augmented with technological improvements in time the “very-low power” device requirement remained the priority, and security did not.

Thus any transmitter on the pagers frequency that contained validy formatted signals would cause the pager to respond at some level.

If you are “shipping the pagers” you are probably the one “setting the receive frequency” so don’t even need to enumerate.

Which brings us to your next point,

“No need by the attacker to fly drones or create other custom transmitters.”

If the attackers are using the OTA interface and they very probably are, as I noted above they do not need very much transmitter power, heck 1watt at VHF is enough to be easily heard in “Low Earth Orbit”[1]. The real issue is coverage area or “radio horizon”. As I’ve pointed out before a drone as low as 300m will get you a coverage area large enough for a North West European nation or four.

But your hypothesis of,

“Batteries containing explosives and a timer; from the attacker’s standpoint a timer based event is much simpler and more secure”

Does not hold up, due to various factors.

The first is “battery chemistry” and “self discharge”. Rechargable batteries have a very bad self discharge rate, in some cases measured by as little as a couple of weeks. As a rough rule of thumb the more energy density you try to squeeze out of a particular battery chemistry the greater the self discharge rate.

So adding a timer in the supply chain will not work, for that reason alone.

But secondly for the attack to be successful the “future time” to have them explode is such an unknown there is no way you would consider it for this sort of operation as you completely loose control thus invite failure if not disaster from the get go[2].

But from the little information we do know based on what has been reported there was a control channel, due to the way the events not just played out but the time issues and not all devices going off.

I suspect that devices that have not exploded are now “rounded up” and being “forensically” investigated, some in other Nations by amongst others NGO’s that will make their information available for criminal proceedings.

Because as I noted this is not just a crime, but a war crime, and is actually considered not just under international genocide legislation but also a first strike of war and an illegal order.

The political fall out from this sort of thing has in the past started not just national wars, but regional and arguably world wars.

Even the maddest of governments are not going to just use “timers” nor are “military planners”. Even terrorists know it’s a bad idea to use a time bomb of more than a handful of hours[2].

[1] Whilst 1watt at VHF will get two way communication to a satellite in Low Earth Orbit reliably, a bit more will get you into one of the repeaters on the International Space Station. An experiment that is fun to show school kids, and depending on their age show them how to measure the doppler and from that work out some of the “Kepler Elements” orbital info,

https://en.m.wikipedia.org/wiki/Orbital_elements

It’s something I’ve been doing with Satellites since the mid 1970’s and wrote software for a mini-computer to track sats and plot their orbits on HP Graphics plotters and terminals in the 1980’s and provide “drive signals” for antenna systems.

If they are of highschool or above age showing them how to do it all with just H^2 = A^2 + B^2 and also work out Newton’s little equation gives some of them an appreciation of STEM that stays with them for life and gives them career opportunities they might not have otherwise had.

[2] Look up the “Brighton Bomb” the 40th anniversary of which is a couple of weeks away (12th Oct). It was where the IRA tried to kill UK Prime Minister Margaret Thatcher with 100lb of gelignite on a “long timer” that had been set 3weeks before in the hotel that She and most of the UK cabinate/ministers were staying for their party conference. And whilst it almost succeed, it was in many respects a failure in that it did not achieve the primary objective. However in other respects it was a turning or tipping point that went beyond politics and could not be ignored. You can read some of what happened in the words of Patrick MaGee who installed the bomb,
https://jacobin.com/2021/03/patrick-magee-brighton-bomber-ira-where-grieving-begins

On the personal side thar bomb in 1984 represented a turning point for me as well. I had reason to attend an electronics manufacturing conference and exhibition in Brighton just a few days later and the security was quite high (stable doors effect). I still remember “the walk” past the “Grand Hotel” and seeing it and smelling it in what was an unnatural erie sound for being on a UK South Coast beach front even in autumn. From that point on for reasons I have no idea as to why, my life was dogged by “the troubles on the mainland” and walking in Mary Axe, or traveling by train from Clapham Junction South East through Balham brings back memories of innocence lost and friends now long remembered.

But less well known is there was also another terrorist bomb that got down played by the MSM at the time. It exploded at the wrong time by 12hours. Such timer based bombs just do not work, for a multitude of reasons they are in effect uncontrollable as we can not see into the future even a very short distance and things change all to easily.