Wednesday, September 18, 2024

Yom HaBiperim and the Threat of Supply Chain Attacks

First of all, "Yom HaBiperim" is one of the funniest things I've read in the past 24 hours. Mad props to @RUOC90177786 on X for coining that one.

On a more serious note, Israel's amazing strike on Hez'balless yesterday should give everyone in the security field pause. It demonstrates that if you don't own and control your entire supply chain, you are incredibly vulnerable to attack. This applies to pretty much everything that security breaches can impact. It's not just an issue for non-state terrorist organizations; in the age of globalization it's also a major vulnerability for nation states that depend on a vast array of items from other countries, e.g., IT assets, software, or munitions.

The pager attack was a respin of Project Eldest Son. This was an operation during the Vietnam War in which various types of small-arms ammunition were modified to explode when a Communist soldier attempted to fire his gun. It was done by replacing one cartridge in a box of ammo with one that was loaded with C4 high explosive instead of smokeless gunpowder. This caused pressure in excess of what the gun was designed to handle, and it would then explode in the user's hands.

Further back, the British did this in the 1890s and 1930s against tribes they were fighting.

See: https://en.wikipedia.org/wiki/Project_Eldest_Son

Even when buying equipment from supposedly reliable vendors, the problem of counterfeit products is severe enough that even Cisco has a web page about it. See https://www.cisco.com/c/en/us/about/legal/brand-protection/identify-counterfeit-products.html

If I were a nation state, I'd look at augmenting IP-addressable hardware with a chip that periodically phones home to a controller, or maybe even sniffs network packets for things of interest. It wouldn't have to be a computer or router. It could be a network printer, webcam, or any other device connected to a network. IoT devices in particular are notably insecure out of the box, which allows millions of them to be co-opted into botnets.

But it's not just network and telco gear.

In the past 10 years or so, China has flooded the world with dirt cheap handheld VHF/UHF transceivers. The Baofeng UV-5R is the best known of these. They've seen use in Ukraine and Syria, and are extremely popular in the US amongst various groups ranging from Antifa to right-wing militias. They're also popular with ham radio operators. Heck, I have three within arm's reach right now.

The Baofeng is a software defined radio (SDR). That means that much of the RF signal processing that would traditionally be done with hardware is actually done by software running on the radio's chip. That means that within the limits of the hardware, functionality can be added or removed with a firmware update.

For example, until the FCC mandated that Baofeng remove the capability to transmit on FRS, GMRS, and MURS frequencies, the UV-5R could do so even though it is type accepted in the US only for ham frequencies. Baofeng modified the firmware to block transmission on these frequencies on new radios sold in the US, but this didn't affect existing radios.

The problem from the FCC's standpoint is that because of how Baofeng implemented the frequency restriction, the radios can be unlocked so that they're capable of transmitting on the forbidden frequencies. A search on YouTube for "Baofeng unlock" gets you the info needed to do so. The actual unlock procedure takes about 10 seconds. I've confirmed it myself.

These radios can be programmed using a special USB cable that connects to a computer and a free, open-source software package called CHIRP. This is probably the most common, and definitely the easiest, way to program frequencies into the radio's memory channels.
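As an added illustration of the type-acceptance restriction discussed above (this is example code written for this page, not Baofeng firmware or CHIRP's own code), here is the kind of check a programming tool or firmware would need to apply to a channel list before writing it to a radio that is only type-accepted for the amateur bands: compute the actual transmit frequency of each memory channel, including any repeater offset, and inhibit transmit on any channel that would land on an FRS, GMRS, or MURS frequency. The CSV layout is modelled on a CHIRP export but is constructed here with only the columns the check needs, and the interpretation of the Duplex and Offset columns is an assumption stated in the comments; the FRS/GMRS and MURS frequency tables are the published channel frequencies for those services.

```python
import csv
import io

# Band plan used by the check (MHz). The amateur entries are the US 2 m and
# 70 cm bands; the FRS/GMRS and MURS sets are those services' channel
# frequencies.
AMATEUR_BANDS = [(144.0, 148.0), (420.0, 450.0)]
FRS_GMRS = {
    462.5500, 462.5625, 462.5750, 462.5875, 462.6000, 462.6125, 462.6250,
    462.6375, 462.6500, 462.6625, 462.6750, 462.6875, 462.7000, 462.7125,
    462.7250,
    467.5500, 467.5625, 467.5750, 467.5875, 467.6000, 467.6125, 467.6250,
    467.6375, 467.6500, 467.6625, 467.6750, 467.6875, 467.7000, 467.7125,
    467.7250,
}
MURS = {151.820, 151.880, 151.940, 154.570, 154.600}

# Constructed sample in the layout of a CHIRP CSV export (assumption: only the
# columns used here are reproduced; real exports carry more columns).
SAMPLE_CSV = """\
Location,Name,Frequency,Duplex,Offset,Mode,Comment
0,2m Call,146.520000,,0.600000,FM,simplex calling frequency
1,Rptr,147.030000,+,0.600000,FM,constructed 2 m repeater
2,FRS 1,462.562500,,0.000000,FM,FRS channel 1
3,MURS 1,151.820000,off,0.000000,FM,already receive-only
4,GMRS R,462.550000,+,5.000000,FM,GMRS repeater input is 467.550
"""


def classify(freq_mhz):
    """Name the service a frequency belongs to under the band plan above."""
    f = round(freq_mhz, 4)  # absorb float noise from offset arithmetic
    if f in FRS_GMRS:
        return "FRS/GMRS"
    if f in MURS:
        return "MURS"
    if any(lo <= f <= hi for lo, hi in AMATEUR_BANDS):
        return "amateur"
    return "other"


def tx_frequency(row):
    """Transmit frequency implied by a channel row, or None if TX is off.

    Assumed CHIRP-style conventions: Duplex "" is simplex, "+"/"-" shift the
    receive frequency by Offset, "split" stores the TX frequency in Offset,
    and "off" inhibits transmit entirely.
    """
    rx = float(row["Frequency"])
    off = float(row["Offset"])
    duplex = row["Duplex"]
    if duplex == "off":
        return None
    if duplex == "+":
        return rx + off
    if duplex == "-":
        return rx - off
    if duplex == "split":
        return off
    return rx


def audit_channels(csv_text):
    """Return (hardened_rows, flagged) for a channel list.

    hardened_rows is the channel list with Duplex forced to "off" on every
    channel whose transmit frequency is outside the amateur bands, so the
    memory still receives but cannot key up. flagged lists (Location, Name,
    service) for each channel that was changed.
    """
    hardened, flagged = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row = dict(row)
        tx = tx_frequency(row)
        if tx is not None and classify(tx) != "amateur":
            flagged.append((int(row["Location"]), row["Name"], classify(tx)))
            row["Duplex"] = "off"
        hardened.append(row)
    return hardened, flagged


if __name__ == "__main__":
    rows, flagged = audit_channels(SAMPLE_CSV)
    for loc, name, service in flagged:
        print(f"channel {loc} ({name}): TX would land on {service}; set to receive-only")
```

The point of computing the transmit frequency rather than checking the receive frequency alone is visible in channel 4: its receive frequency is a GMRS repeater output, and the repeater offset puts its transmit frequency on the 467 MHz input, which is also a GMRS frequency. A check that only looked at the memory's receive frequency would still catch that one, but a repeater offset can just as easily carry a transmit frequency out of an allowed band while the receive side looks innocuous.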

Now imagine that the firmware has a backdoor in it that allows features to be modified, or causes the radio to transmit, after it receives a specific RF signal over the air. For example, suppose you are fighting an opponent known to use Baofengs. You want to locate enemy fighters. Broadcast a signal that triggers any Baofeng receiving it to transmit a reply. Because it's an SDR, you can write the firmware so that the radio's transmit light doesn't come on, so the user is none the wiser. The force that initiated the ping then uses direction-finding equipment to locate the radios and then drone strikes their enemy.

I really don't think this is far-fetched.



2 comments:

Dave Markowitz said...

Well, how about that? Now there are reports of UHF/VHF radios in use by Hezbollah exploding. No word if these are Baofengs or some other brand. https://www.ynetnews.com/article/rymn1wda0

Dave Markowitz said...

Ok, at least one of them was an Icom. https://nypost.com/2024/09/18/world-news/hezbollahs-handheld-radios-explode-in-second-wave-of-remote-detonated-attacks-on-terror-group/