MUMBAI: The recent incident, where pagers were compromised and possibly weaponised, highlights a sobering reality: even low-tech solutions are not immune to sophisticated cyber-attacks.
If the recent incident in Lebanon, where pagers exploded and caused physical harm, indeed turns out to be a cyber-attack, it would mark a significant and alarming shift in the nature of cyber warfare. Up until now, most cyber-attacks have been confined to targeting critical infrastructure, financial systems, or data networks, leading to disruptions, financial losses or breaches of sensitive information. However, this event would represent one of the first times that a cyber-attack has directly caused physical harm to individuals, pushing the boundaries of what cyber threats can achieve.
FRAGILITY OF LOW-TECH
It appears that Hezbollah opted to use pagers for several strategic reasons, primarily focused on improving security and avoiding surveillance. They viewed pagers as a more secure alternative to smartphones, believing that they were harder to hack or infiltrate compared to modern communication devices. Hezbollah leader Hassan Nasrallah had even advised members not to carry cell phones, warning that they could be used by Israel to track their movements and conduct targeted strikes. Pagers, being more low-tech, were seen as less traceable, offering privacy protection since they lack GPS and Bluetooth features, which are common in smartphones.
Additionally, pagers must have allowed Hezbollah to focus on critical messages without the distractions of daily notifications, which come with smartphones and were considered an extension of their existing fixed-line telecommunications network, dating back to the early 2000s. Pagers were particularly effective in environments where cell phones might be restricted or compromised and they also offered a cost-effective communication solution for large-scale deployment within the organization.
This strategy of relying on older, simpler technology was intended to enhance operational security by minimizing exposure to advanced cyber surveillance techniques. However, the recent incident, where pagers were compromised and possibly weaponised, highlights a sobering reality: even low-tech solutions are not immune to sophisticated cyber-attacks. Despite the belief that pagers would evade modern surveillance and hacking efforts, this attack shows that adversaries are capable of exploiting vulnerabilities in any technology, no matter how basic.
SHIFT FROM DIGITAL TO PHYSICAL HARM
Traditionally, cyber-attacks have focused on non-physical consequences. Attacks on critical infrastructure such as power grids, water supplies, and transportation systems have disrupted essential services, but they have rarely led to direct physical harm. For example, while the 2015 cyber-attack on Ukraine’s power grid caused massive blackouts, it didn’t result in immediate casualties. Similarly, ransomware attacks on hospitals, such as the 2017 WannaCry incident, delayed medical procedures and compromised patient care, but they didn’t directly injure people.
However, the explosion of pagers in Lebanon crosses a previously uncrossed boundary: it demonstrates how cyber-attacks can now be weaponised to directly harm people. This shift is particularly concerning because it shows that the vulnerabilities in devices—whether they are pagers, pacemakers or autonomous vehicles—can be exploited not just to cause disruption, but to inflict physical damage. This type of attack opens up a whole new realm of possibilities for cybercriminals and state-sponsored hackers, expanding the battlefield from the virtual to the physical.
GROWING RISK OF CYBER-PHYSICAL ATTACKS
As more devices become part of the Internet of Things (IoT), the number of potential targets for cyber-physical attacks increases exponentially. IoT devices such as smart home systems, medical devices, industrial machinery and even connected cars are designed to interact with the physical world. A breach in these systems could have immediate, life-threatening consequences. Consider the following potential scenarios:
a. MEDICAL DEVICES: Many life-saving medical devices, such as pacemakers or insulin pumps, are now connected to networks for easier monitoring and control. If these devices are hacked, attackers could manipulate their functionality, causing fatal malfunctions.
b. AUTONOMOUS VEHICLES: As self-driving cars become more common, the risk of cyber-attacks on these vehicles increases. A hacker could take control of a car’s navigation system, steering it into dangerous situations, or disabling critical safety features like brakes.
c. INDUSTRIAL SYSTEMS: In factories and power plants, cyber-physical systems control everything from robotic arms to safety valves. A well-coordinated cyber-attack could cause explosions, fires, or hazardous material leaks, putting workers and communities at risk.
The Lebanon incident shows that cybercriminals are now willing and able to push the boundaries, moving from disrupting digital systems to manipulating physical devices to cause harm. This escalation demands urgent attention to cybersecurity, particularly in sectors where physical safety is at risk.
BLURRING OF CYBER AND KINETIC WARFARE
The Lebanon attack also illustrates how cyber-attacks can blur the line between cyber and kinetic warfare. In traditional warfare, kinetic attacks involve physical actions, such as bombings or shootings that cause direct harm. Cyber warfare, on the other hand, has typically been seen as a way to disrupt or disable systems without causing immediate physical damage.
However, cyber-attacks can now be used as a means of kinetic warfare. By exploiting vulnerabilities in connected devices, attackers can trigger explosions, fires or other physical events that cause injuries or deaths. This represents a new form of warfare where digital and physical realms converge, potentially allowing state-sponsored actors or terrorist groups to cause harm without ever setting foot in a conflict zone.
This convergence between cyber and kinetic warfare could have profound implications for national security. For instance, how should nations respond to a cyber-attack that crosses into the realm of physical harm? Would such an attack justify a military response? The answers to these questions are not yet clear, but they will need to be addressed as cyber-physical attacks become more common.
While embracing digitalisation and technological advancements is crucial for growth, neglecting the security and safety of individuals due to the misuse of these technologies is a serious concern that must be addressed immediately.
Khushbu Jain is a practicing advocate in the Supreme Court and founding partner of the law firm, Ark Legal. She can be contacted on X: @advocatekhushbu. Views expressed are personal.