Red Alert about Red Buttons

By KIM BELLARD

In a week where, say, the iconic brand Tupperware declared bankruptcy and University of Michigan researchers unveiled a squid-inspired screen that doesn’t use electronics, the most startling stories have been about, of all things, pagers and walkie-talkies.

Now, most of us don’t think much about either pagers or walkie-talkies these days, and when we do, we definitely don’t think about them exploding. But that’s what happened in Lebanon this week, in ones carried by members of Hezbollah. Scores of people were killed and thousands injured, many of them innocent bystanders. The suspicion, not officially confirmed, is that Israel engineered the explosions.

I don’t want to get into a discussion about the Middle East quagmire, and I condemn the killing of innocent civilians on either side, but what I can’t get my mind around is the tradecraft of the whole thing. This was not a casual weekend cyberattack by some guys sitting in their basements; this was a years-in-the-making, deeply embedded, carefully planned move.

A former Israeli intelligence official told WaPo that, first, intelligence agencies had to determine “what Hezbollah needs, what are its gaps, which shell companies it works with, where they are, who are the contacts,” then “you need to create an infrastructure of companies, in which one sells to another who sells to another.”  It’s not clear, for example, if Israel someone planted the devices during the manufacturing process or during the shipping, or, indeed, if its shell companies actually were the manufacturer or shipping company. 

Either way, this is some James Bond kind of shit.

The Washington Post reports that this is what Israeli officials call a “red-button” capability, “meaning a potentially devastating penetration of an adversary that can remain dormant for months if not years before being activated.” One has to wonder what other red buttons are out there.

Many have attributed the attacks to Israel’s Unit 8200, which is roughly equivalent to the NSA.  An article in Reuters described the unit as “famous for a work culture that emphasizes out-of-the-box thinking to tackle issues previously not encountered or imagined.”  Making pagers explode upon command certainly falls in that category.

If you’re thinking, well, I don’t carry either a pager or a walkie-talkie, and, in any event, I’m not a member of Hezbollah, don’t be so quick to think you are off the hook. If you use a device that is connected to the internet – be it a phone, a TV, a car, even a toaster – you might want to be wondering if it comes with a red button. And who might be in control of that button.

Just today, for example, the Biden Administration proposed a ban on Chinese software used in cars.

“Cars today have cameras, microphones, GPS tracking and other technologies connected to the internet. It doesn’t take much imagination to understand how a foreign adversary with access to this information could pose a serious risk to both our national security and the privacy of U.S. citizens,” said Commerce Secretary Gina Raimondo. “In an extreme situation, foreign adversaries could shut down or take control of all their vehicles operating in the United States all at the same time.”

“The precedent is significant, and I think it just reflects the complexities of a world where a lot of connected devices can be weaponized,” Brad Setser, a senior fellow at the Council on Foreign Relations, told The New York Times.  In a Wall Street Journal op-ed, Mike Gallaher, head of defense for Palantir Technologies, wrote: “Anyone with control over a portion of the technology stack such as semiconductors, cellular modules, or hardware devices, can use it to snoop, incapacitate or kill.”

Similarly, Bruce Schneier, a security technologist, warned: “Our international supply chains for computerized equipment leave us vulnerable. And we have no good means to defend ourselves…The targets won’t be just terrorists. Our computers are vulnerable, and increasingly so are our cars, our refrigerators, our home thermostats and many other useful things in our orbits. Targets are everywhere.”

If all this seems far-fetched, last week the FBI, NSA, and the Cyber National Mission Force (CNMF) issued a Joint Cybersecurity Advisory detailing how the FBI had just taken control of a botnet of 260,000 devices. “The Justice Department is zeroing in on the Chinese government backed hacking groups that target the devices of innocent Americans and pose a serious threat to our national security,” said Attorney General Merrick B. Garland. The hacking group is called Flax Typhoon, working for a company called Integrity Technology Group, which is believed to be controlled by the Chinese government.

Ars Technica described the network as a “sophisticated, multi-tier structure that allows the botnet to operate at a massive scale.” It is the second such botnet taken down this year, and one has to wonder how many others remain active. Neither of these attacks were believed to be preparing anything to explode, being more focused on surveillance, but their malware impacts could certainly cause economic or physical damage.

Unit 8200, meet Flax Typhoon.

Earlier this year Microsoft said Flax Typhoon had infiltrated dozens of organizations in Taiwan, targeting “government agencies and education, critical manufacturing, and information technology organizations in Taiwan.” Red buttons abound.

————–

Ian Bogost, a contributing writer for The Atlantic, tried to be reassuring, saying that your smartphone “almost surely” wasn’t going to just explode one day. “In theory,” Professor Bogost writes, “someone could interfere with such a device, either during manufacture or afterward. But they would have to go to great effort to do so, especially at large scale. Of course, this same risk applies not just to gadgets but to any manufactured good.”

The trouble is, there are such people willing to go to such great effort, at large scale.

We live in a connected world, and it is growing evermore connected. That has been, for the most part, a blessing, but we need to recognize that it can also be a curse, in a very real, very physical way.

If you thought pagers exploding was scary, wait until self-driving cars start crashing on purpose. Wait until your TVs or laptops start exploding. Or wait until the nanobots inside you that you thought were helping you suddenly start wreaking havoc instead.

If you think the current red button capabilities are scary, wait until they are created – and controlled – by AI.

Kim is a former emarketing exec at a major Blues plan, editor of the late & lamented Tincture.io, and now regular THCB contributor