Bombs or Bricks, Technology Owns Us

Perhaps the funniest (in the weird sense, not the humorous sense) reaction to Bruce Schneier’s apocryphal op-ed is that the small minds can’t get past his use of Israel’s exploding pagers and walkie-talkies to grasp the magnitude of what Schneier is trying to explain. If they could just let go of their hatred of Israel for a moment, they might realize that it was merely a flagrant example of a far larger, far deeper problem that cybersecurity experts like Schneier have been warning about for a long time.

Israel’s brazen attacks on Hezbollah last week, in which hundreds of pagers and two-way radios exploded and killed at least 37 people, graphically illustrated a threat that cybersecurity experts have been warning about for years: Our international supply chains for computerized equipment leave us vulnerable. And we have no good means to defend ourselves.

If you can’t get past the first phrase to read what comes after the colon, you’re not only too myopic to grasp why you’re wrong about Israel, but why you have long been owned by China, as well as a few other low labor countries that have been producing the goods we consume with abandon.

The core component of the operation — implanting plastic explosives in pagers and radios — has been a terrorist risk since Richard Reid, the so-called shoe bomber, tried to ignite some on an airplane in 2001. That’s what all of those airport scanners are designed to detect — both the ones you see at security checkpoints and the ones that later scan your luggage. Even a small amount can do an impressive degree of damage.

Reid was a goofball who failed miserably, unless his goal was to force flyers to remove their shoes when passing through airport security, in which case he was brilliant. But just because Reid was incapable of pulling it off doesn’t mean the next guy won’t do better. Then again, if the tech can identify plastic explosive with your shoes off, can’t it do the same with your shoes on as you pass through the scanner? But then, how would we appreciate the TSA if it didn’t make our lives a little more painful?

The second component, assassination by personal device, isn’t new, either. Israel used this tactic against a Hamas bomb maker in 1996 and a Fatah activist in 2000. Both were killed by remotely detonated booby-trapped cellphones.

Targeting individual terrorists through their personal devices is about as surgical as it gets. If you thought dropping bombs on buildings was bad, you should love this method. Sure, it’s not perfect, but when you can’t get close enough for defenestration, this is about as good as it gets.

The final and more logistically complex piece of Israel’s plan — attacking an international supply chain to compromise equipment at scale — is something that the United States has done itself, though for different purposes. The National Security Agency has intercepted communications equipment in transit and modified it, not for destructive purposes but for eavesdropping. We know from a Snowden document that the agency did this to a Cisco router destined for a Syrian telecommunications company. Presumably, this wasn’t the agency’s only operation of this type.

This would make for a really cool cold war novel if it was us doing the dirty, but then, we’re not Israel even if there are some Jews in the United States. But this leads to a far larger point, and Schneier uses the example of Israel to show that it has, and can, and will, be done. More importantly, it’s not just about blowing things (and people) up.

The bottom line: Our supply chains are vulnerable, which means that we are vulnerable. Anyone — any country, any group, any individual — that interacts with a high-tech supply chain can potentially subvert the equipment passing through it. It could be subverted to eavesdrop. It could be subverted to degrade or fail on command. And, although it’s harder, it can be subverted to kill.

While killing is the most extreme example, the sort of example that grabs people by the neck and shakes them good and hard, the vulnerability goes far deeper. “It could be subverted to degrade or fail on command.” Let that sink in. From your iPhone to your car to your fridge, it could all be bricked any damn time an adverse nation chooses if they were the ones who provided parts, built it or even played a role in the supply chain that got it to your front door.

While it was smart of President Biden to try to re-establish a domestic chip manufacturing capability rather than let Taiwan control the monopoly, that’s only one piece of the problem, assuming we eventually manage to make it happen. It may already be too late to matter. It doesn’t address the vulnerabilities that can be, and may already have been, exploited along the way.

It’s not obvious how to defend against these and similar attacks. Our high-tech supply chains are complex and international. It didn’t raise any red flags to Hezbollah that the group’s pagers came from a Hungary-based company that sourced them from Taiwan, because that sort of thing is perfectly normal. Most of the electronics Americans buy come from overseas, including our iPhones, whose parts come from dozens of countries before being pieced together primarily in China.

That’s a hard problem to fix. We can’t imagine Washington passing a law requiring iPhones to be made entirely in the United States. Labor costs are too high, and our country doesn’t have the domestic capacity to make these things. Our supply chains are deeply, inexorably international, and changing that would require bringing global economies back to the 1980s.

It may already be too late, but assuming it’s not and that countries like China didn’t bother screwing with your iPhones or vacuums, does the realization that we’re vulnerable to any one of the low-cost labor countries where our fondest toys are “pieced together” give you pause? For all I know, my computer is sending every keystroke I tap straight to Hanoi right this very second. But then, it’s not as if I have a choice other than to not use anything built after 1982. And why would anyone care enough about me to brick my world anyway?



17 thoughts on “Bombs or Bricks, Technology Owns Us”

      1. The Infamous Oregon Lawhobbit

        Between this McGuire tune and Howl’s Family Man in the last entry, you folks are digging up some truly obscure music that I thought I was the only one listening to! Kudos to Howl and our Benevolent Host!

            1. The Infamous Oregon Lawhobbit

              Agreed. I knew something was off – but my daily visits taper off with the school year tapering off and I hadn’t realized that the Two Allowed Video Guests had been narrowed to One.

              It’s always sad when favorite regulars drop off of blogs/fora that I visit. 🙁

              PS: No “If I Had A Rocket Launcher?”

  1. rxc

    As a result of the Stuxnet events, there were a number of studies of Programmable Logic Controllers (PLCs) in general to see whether they were susceptible to either hacking or outside interference. This was done for several key industries where these PLCs are used to control the opening and closing of valves, motors, and other active components. One of the discoveries that was most shocking was that the PLCs were vulnerable to electrical transients in the power network inside the facilities that could cause the PLC to think that it had been given a command to “do something”. It is very bad when the closed valves in your power plant or refinery think they have received a message from their creator to do something, and then act on that “command”. And large industrial facilities are notorious for having “dirty power”, because of the large number of large motors that start and stop all the time.

    The PLCs that were tested back then (about 15 years ago) came from the US and the EU, and there were lots of suspicions that PLCs from less rigorous countries might be even more susceptible to these transients. This all happened before I retired, so I don’t know what action has been taken since then, but I would be very worried about PLCs coming out of China or any other country other than the USA (and maybe even our own), to hacking. Any adversary that makes these devices and sells them to us has to be suspected of planting back doors that will be used, just like the Israelis did, to destroy important infrastructure.

  2. AnonJr

    And why would anyone care enough about me to brick my world anyway?

    Less about you specifically, more about the chaos that a general outage would cause. Look what happens when we can’t even get a couple agencies to work on the same radio frequency…

    1. Rxc

      The problem is not bricking your phone. It is about causing major chaos, as the Israelis just did, by commanding small devices in many places to “misbehave” at the same time.

      Think about 5 refinery/chemical plants exploding at the same time, or the water or sewer systems in a dozen major cities simultaneously stop working. Or 10 nuclear plants having an “exciting event” at the same time. Or 1000 cars deciding to stop around the DC beltway at the same time.

      Or maybe all of these events, simultaneously…

      1. AnonJr

        I was expecting the quote tags to make the first sentence, the quote itself, look different from the rest of the comment. We agree that major chaos is as big, possibly bigger, an issue than more targeted events.

      2. Rxc

        One last item. There was a TV program around 2015 called “Halt and Catch Fire” about computer programmers. The name came from a fictitious computer instruction.

        Think about all those battery management computers in EVs, controlling the batteries’ charge/discharge state. Imagine that we buy an enormous number of these vehicles from China, and they do, in fact include this instruction. Which can be triggered remotely, while the vehicles are on the road, in garages in homes, in office buildings, in tunnels, on ferries. If you doubt this is possible, you are naive.

        The chaos would be unimaginable. EVs with lithium batteries will be the ultimate stealth weapon.

  3. Anonymous Coward

    This is the software supply chain attack made physical. There has been a rash of attacks against commonly used libraries and modules where the bad guys sneak malware into repositories to infect updates and current downloads. They usually have a stolen signing key so the package looks safe.
    Everything must now come from a trusted source that is verified.
    This is why I stopped buying car parts from Amazon and only use Rock Auto.

    1. LY

      And where do you think Rock Auto gets their parts? Do they make them themselves from raw materials or do they get them from all the same places the stores and Amazon get them?

  4. Hunting Guy

    Something I know about. I was a targeting officer in the military.

    This is an elegant application of targeted force and Col. John Boyd’s OODA loop. The OODA Loop is a decision-making framework that consists of four stages: observation (O), orientation (O), decision (D), and action (A). It’s not specific to air warfare but was developed for that.

    Col. Boyd codified an iterative process to help organizations and individuals to make solid decisions in the fog of war by cycling through the stages until the action is over.

    The Israelis took out the upper and middle level of commanders with the pagers and radios. The pagers would have gone to officers and senior NCOs and by taking them down, plus destroying their communications network they effectively neutered any mass action by ground forces.

    That loop completed, they moved onto the next step, again going through the loop.

    31,000 air sorties in four months. The amount of intelligence, logistics and manpower to determine the targets (the sorties would hit multiple targets), effective weapons load and tempo is staggering. Plus, the targets are constantly shifting location.

    Frankly, I wonder how long they can keep up the pace. Bombs are a finite resource. Aircraft wear out and parts may be in short supply. Pilots and ground crews can’t maintain the pace forever.

    I hope they beat the forces down before they run out of supplies.

  5. Richard Parker

    I assume that high tech weaponry (aircraft and armor) exported by the US are equipped with stealth “kill switches” that can be activated by the US government.

    1. rxc

      Well, I just read a story that Musk has bricked one of his trucks that the Russians turned into a “technical” machine gun platform. Remotely. Probably from one of his satellites overhead.

    2. Linnaeus

      The simplest and most common solution is to simply not export your best and latest equipment and this is mostly the case with the US.

      After that, you don’t want a kill switch capability that is implemented at the hardware level in a military system because that creates an attack surface for an enemy to exploit. If the Republic of Examplia has killswitches that can brick their air force’s avionics remotely, that’s something that the hackers of their sworn enemy Badguyistan can use against them by potentially triggering it themselves.

      That said, as I understand it there are cases where weapons systems we sell or give cannot use their full capabilities due to differences in the software and firmware. This avoids the hardware kill switch issue, but raises the issue that software and firmware can be reverse engineered and rewritten given enough time and effort.

      And all of this is pretty tangential to the thrust of the article. While there are military systems that are dependent on foreign-sourced COTS (Commercial Off-The-Shelf) components most nations pay pretty close attention to who makes the electronic components going into their latest fighters or surface to air missile guidance radars (this is one of the many factors that slows down Defense procurement). The civilian market is orders of magnitude larger and the supply chains orders of magnitude more complex.

      As far as why anyone would care to “brick your world”, as others have noted the issue would more likely be part of a larger scale attack aimed at disrupting day to day functioning of business and government. That said, if you were a different sort of lawyer your risk profile might be very different. An Intellectual Property lawyer, or any lawyer that regularly handles sensitive business information for their clients would do very well to be very careful which brands of electronics he or she uses.
