The risk of weaponizing everyday objects

A radio device explodes in Baalbek, Lebanon, September 18. (Source: Anadolu)

The recent attacks in Lebanon using explosive-laden pagers and walkie-talkies are a new tactic and pose a major security challenge to all countries around the world.

What makes this tactic unique is that it is not technological sabotage aimed at an enemy. Historically, the Trojan horse tactic has been used to exploit communications or military equipment to then target specific targets.

Software Targeting

The attacks in Lebanon have been controversial because they used explosive devices that are widely used in everyday life. The attacks in Lebanon killed 37 people, including two children, as well as several Hezbollah commanders, and injured nearly 3,000.

International humanitarian law experts have accused the attack of violating international law by failing to distinguish between military and civilian targets and by using banned booby traps in common devices that could endanger civilians. Security analysts have warned that it could signal a new era of “weaponization” of everyday objects.

Attacks in which “internet of things” devices are sabotaged or disabled by deliberately corrupting the device’s software are becoming increasingly common. Because manufacturers control the software that can collect and process data, these companies have built-in capabilities to upgrade or downgrade functionality. This also allows for “prevention flexibility” when companies intentionally reduce this functionality by strategically limiting software updates.

A recent example in the business world is a dispute between a train manufacturer and a railway company in Poland that left some recently repaired trains unusable for months in 2022 because the manufacturer used remote digital locks.

These examples illustrate the importance of controlling software in an era where more products and infrastructure are becoming networked. Instead of using sabotage or surreptitiously manufacturing explosive devices using fake front companies, actors can target software. Actors can infiltrate manufacturers to manipulate software production supplies, exploit vulnerabilities, or simply attack networks.

Security intelligence agencies have long stressed the need to protect critical infrastructure that increasingly relies on digital networks, from smart power grids to emergency communications systems to traffic control systems.

In 2021, the Canadian Security Intelligence Service (CSIS) warned that exploitation of critical infrastructure systems by hostile actors would have "serious financial, social, health and safety impacts" in the country.

Ensuring safety for people

To understand the potential impact, it’s important to start with the mundane. A two-day power outage for Rogers Communications customers in July 2022 knocked out internet and mobile service for more than 12 million customers across Canada due to a system upgrade error.

The attacks in Lebanon pose a potential violation of international law by targeting civilians and using booby-trapped everyday objects. The weaponization of communications equipment in the attacks is under close investigation. Former CIA Director Leon Panetta has described the attacks as a form of terrorism.

When multiple manufacturers and distributors are involved in assembling a product, the end consumer must be able to trust the integrity of the supply chain that produced and delivered that product. In the case of the attacks in Lebanon, the economic and political impacts are being felt widely and it will be difficult to rebuild trust.

In addition to considering the consequences of attacks on global supply chains, there are policy implications for manufacturers of “internet of things” goods, requiring enhanced corporate governance practices.

The Federal Communications Commission (FCC) recently approved a voluntary “internet of things” labeling program in 2024 that will allow manufacturers to display the country’s “Virtual Network Trust Mark.” The goal is to help consumers make informed purchasing decisions and encourage manufacturers to meet increasingly high cybersecurity standards.

The attacks in Lebanon highlight the need for governments at all levels to set appropriate requirements for the procurement and operation of digital infrastructure. This must include clarifying who is responsible for operating and repairing the infrastructure to better ensure public safety in an era of cyber threats.