National Security Implications of Unchecked AI and the Exploitation of Personal Data: Part I

A new episode by the American Bar Association’s National Security Law Today podcast has been posted.

As AI advances and data privacy laws fall behind, the U.S. faces a major national security threat: the unchecked exploitation of personal data.This week, Elisa is joined by Margaret Hu, Professor of Law at William & Mary, and Davi Ottenheimer, Vice President of Trust and Digital Ethics at Inrupt, to explore the vulnerabilities in our digital footprint and what can be done to protect it. Together, they dive into the intricacies of microtargeting, AI regulation, and potential legislative fixes, while shedding light on the urgent need for a federal data privacy infrastructure.

From Exploding Phones to Sabotaged Pagers: Unraveling the Hezbollah Intelligence Failure

After Israeli athletes were kidnapped and murdered at the 1972 Munich Olympics, a phone was tampered with to assassinate one of those responsible. Mahmoud Hamshari, of the Palestinian terrorist group Black September, was killed by his ornate marble base desk phone in Paris packed with explosives that detonated when he answered a call.

Twenty two years later in 1996 Yahya Ayyash, of the Palestinian terrorist group Hamas, was killed by his Motorola Alpha cell phone, packed with just 50g of explosives that detonated when he answered a call (from his father). Notably Ayyash himself had become infamous as a bomb maker.

At this point you might have an impression there’s a particular theme, even a signature move, to explain exploding phones.

However, to be accurate, in October 2016 Brian Green’s Samsung Note 7 caught fire on Southwest Airlines flight 994 in Louisville, Kentucky, causing an emergency evacuation. And that was after September 2016 reports surfaced of a Samsung Note 7 exploding and destroying Nathan Dornacher’s Jeep in St. Petersburg, Florida. Not to mention a 6 year old boy also in September 2016, among more than 30 other victims, rushed to hospital after a Samsung Note 7 exploded in hand.

Fast forward to today, and Lebanon is reporting nearly 3,000 Hezbollah pagers have just simultaneously exploded this afternoon, killing nine people so far according to the FT.

Pagers belonging to Hizbollah members exploded across Lebanon on Tuesday, killing at least nine people and injuring more than 2,700 in an apparent sabotage of the low-tech systems the militant group uses to evade Israeli surveillance and assassination attempts.

The blasts took place in several areas of Lebanon including the capital Beirut, the southern city of Tyre and the western area of Hermel, as well as in parts of Syria. Images circulated on social media of explosions and of people with bloodied pocket areas, ears or faces being taken to hospital.

The damage in the Lebanese reports suggests to me this was a supply chain attack. Pagers were recently deployed, perhaps with some sense of new urgency for new devices. These could have been intercepted and sabotaged were counterfeits inserted into the supply chain (as confirmed/protested by the authentic brands themselves). They may have all be the same, but also could have been many different models or devices.

The IRA, for example, knew some cars had been bugged by British intelligence. What they didn’t know was that the supply chain was compromised such that every single car entering Ireland allegedly was bugged by the British so any of them could be triggered.

The pagers deployed widely today in Lebanon are popular because one-way, used as a receive-only device. This leads people to believe without a transmit function they are hidden, with no target surface, while still being available for calls to action. Hassan Nasrallah, leader of Hezbollah, had warned members against cellphones, arguably making them less safe by mandating a narrow and predictable attachment to legacy technology. In reality, it’s also possible to triangulate a one-way pager based on tower signal strength and direction. But the news of exploding and easily tracked cellphones generated a great fear of using them, which is how Hezbollah ended up being targeted today.

When everyone in a particular target group is receiving the same signal at 1530 in the afternoon, and they all have just been “upgraded” to a new pager device with a tell-tale vulnerability… the implications of membership are clear. Communications will be severely interrupted among a very narrow set of specific network links.

In terms of the method used, pagers tend to have very limited internal space, a few centimeters at most. This is a shift away from assassination levels of attack. A small explosive charge, even under 20 grams, would still cause significant damage, particularly when combined with a lithium battery known for volatility. Allegedly the GApollo AP-900 was the pager in this case, however, which specifies an AAA battery.

I mean why would such a small charge be detonated to disrupt communication and cause mass suffering across Lebanon, given a history of more potent explosive methods in phones used for assassinating terrorist leaders?

My guess is that someone, either intentionally or unintentionally, just exposed how pervasively Hezbollah has been operating in Lebanon, and how they are being organized… by brightly illuminating all the endpoints. Nearly 3,000 casualties, having no other indicators than a newly distributed pager, is the strongest angle in this story. Emergency response has little choice but to put the targeted on a public map. The more that is reported about injury by association, in theory, the better the case against Hezbollah has been made.

In conclusion a method of using everyday communication devices for remote explosions has historical precedent. Similarly, massive supply-chain compromise is quite old and far more common than most realize. This incident is most interesting because it seems to indicate a strategic shift, by loudly messaging that Hezbollah’s operational reach — even among civilians and diplomats — is no secret and is vulnerabile to large scale intelligence failures.

Update:

A second wave of exploding Hezbollah communication devices involved handheld radios. The manufacturer is complaining these radios are obvious counterfeits.

A sales executive at the U.S. subsidiary of Japanese walkie-talkie maker Icom told The Associated Press that the exploded radio devices in Lebanon appear to be a knockoff product and not made by Icom. “I can guarantee you they were not our products,” said Ray Novak, a senior sales manager for Icom America’s amateur radio division, in an interview Wednesday at a trade show in Providence, Rhode Island. Novak said Icom introduced the V82 two-way radio model more than two decades ago and it has long since been discontinued.

The GApollo pager manufacturer CEO also has said today that the explosive devices were not made by his company, although he referred to it as a licensing deal with a Hungarian distributor. Since he calls it licensing, it almost supports the notion that no laws were broken by manufacturing an intentionally explosive model.

This basically confirms that the supply chain attack was not interception of newly made goods, and instead a targeted insertion of counterfeits or sabotaged old models into the Lebanese electronics market; remote control bombs were made to look like popular communication technology brands, to suit Hezbollah’s own stated preference for dated and inexpensive (grey market) technology.

Related and from this blog in 2006:

Although it’s not uncommon for households in the Middle East to have at least an AK-47 around the house, it’s incongruous to see the three rifles and grenade launcher beside a baby’s bassinet.

Blood Courier Drones Cut London Transit Time

A hospital says its street-level motorized couriers were taking over half an hour to travel under 2 miles to a lab at another hospital. It has decided to try drones instead.

At the moment, transferring samples between Guy’s Hospital and the lab at St Thomas’ Hospital – a journey by road of nearly two miles – can take more than half an hour using van or motorbike couriers, but the samples can be transported in less than two minutes by drone.

A non-motorized bicycle takes under 10 minutes to go less than 2 miles in London. So the first question probably could be why supposedly health conscious hospitals aren’t also testing cyclists (and promoting clear roads for bicycles)? Add an electric bike to this test and time probably shrinks to 5 minutes.

Given the complications and cost of drones, a bigger question here is why anyone in a city ever thought in the first place that a van was the right call to take a small package less than two miles.

Maybe someone likes big complicated things with lots of moving parts, prone to high touch operations, instead of using easy and obvious solutions.

NY Tesla Kills Two in “Veered” Crash Into a Tree

The crash scene is being described as if a cruise missile was fired into a civilian area.

Two people died when an out-of-control vehicle hit a curb, then a tree and crashed into the front of an apartment building and exploded in Westchester County Monday, authorities say. Emergency personnel responding to the 9:10 a.m. accident scene on Battle Avenue found the vehicle fully engulfed. The building also caught fire. The vehicle is believed to be a… Tesla.

I just finished writing up the third Tesla “veered” crash tragedy in NJ from the past month, and yet here is a similar story in NY.

Data scientists reading this blog will be interested to know this crash very specifically mentions a tree.