Conversation

Like, these are actually well respected cybersecurity professionals who are consistently invited onto mainstream TV to talk about cybersecurity.

"Question is: Did they intercept the supply chain and just hand them a bunch of IEDs or did they use mind control to reverse the flux capacitor on their fridge, leading to an outbreak of ebola"

@malwaretech TBF they are still posting on Twitter so the takes can’t be all that great

@malwaretech 10/43 words (give or take) of the first tweet is mil/intel jargon... Also note the two "may"'s in the opening sentence. See also: https://rationalwiki.org/wiki/Just_asking_questions

@malwaretech despite it being the less likely case, I didn't fully discount the battery theory at first because a lithium polymer battery enclosed in a sealed aluminium chassis (e.g. for IP67 rating) could go off with quite a pop - you'd be amazed at just how violent a sealed can full of hot compressed gas can be - but the subsequent photo evidence seems to indicate that the affected units just have regular battery compartments so that pretty much closes the topic.

@malwaretech I'll throw in "kinetic extension of cyber to the battlefield" into every conversation from now on.

@malwaretech

So it's BS then?

I mean, is it possible to hack into an electronic device to make the battery blow up? If it is, I *will* freak out.

@Lily_and_frog It depends. In the first approximation, on how much of the low-level energy flow control is left accessible to the software, and how much is hardcoded, but there are caveats.

=> Some devices have lithium battery charge control circuits that can be rigged to make the lithium battery go fiery by software. These devices are currently rare. The share of these devices will rise over time, however, because there are advantages to exposing battery charge to software control — at the risk of also allowing software to shortcut the battery. That having been said, a lot of battery packs have protective circuits against such, just in case.

@malwaretech

@gsuberland Just watch the videos of them going off.

@acmeworks
*Calling in an air strike via radio*
"I'm engaging the enemy with a kinetic extension of cyber"

@malwaretech I did. the problem is that when you think "lipo explosion" you're picturing what happens if you light a LiPo on fire in a reasonably unrestricted context. if you put it in a sealed metal can, you've basically got a rather small, rather crap pipe bomb, and honestly... the videos look like rather small rather crap pipe bombs. heck, I've seen a capacitor with 1/1000th the CPE of a LiPo turn an ATX PSU chassis into a sphere.

it isn't what happened, but it wasn't impossible.

@malwaretech worth noting that I've been actively investigating attacking LiPo BMSes so this is something that, by an absolutely bizarre coincidence, I've been actually directly working on recently.

@gsuberland I think you are way overestimating the explosive power.

@gsuberland @malwaretech all BMSes have protections that would be a serious hardware design error.

Edit : a serious system-wide collection of design errors. Not even a fuse in there?

@f4grx @malwaretech you would think but... lolno

@malwaretech self-identified actual noob here: is it not feasible that this was a manipulated over-the-air firmware update?

@alphakomet @malwaretech usually I’d say something like „well, it’s very unlikely, maybe, but not really” but seeing the tweets I’m going to say: nope, not even the slightest chance, it’s supply chain + remote detonation, that’s it.

@alphakomet @malwaretech not based on the video I’ve seen of these things going off.

It’s gotta be some kind of high explosive, in small amounts hidden inside the pagers. A battery going wrong is typically more fire and smoke than a straight immediate explosion

@alphakomet @malwaretech@infosec.exchang I don't know that kind of beeper they were using, but most of them I have seen are just based on old technology. I don't think any of them have the hardware for firmware upgrading.

I would also not know over what radio-channel you would send the firmware.
POCSAG is a packet-based protocol running at 512, 1200 or 2400 baud. It takes over a second just to send one single message.

@alphakomet @malwaretech no there is absolutely no way of doing that without modifying devices and if you do that you might as well place actual explosives in them.
That is ignoring that batteries don't explode to begin with, they can catch fire from thermal runaway but don't explode.

@gsuberland @malwaretech that kind of attack supposes the alignment of a large number of holes in the security gruyere. No way it's just one bug.

@malwaretech Yep, it’s fine enough for a layperson w a tiny audience like me to wildly speculate! I expect more from seasoned security pros 😂

@riley @Lily_and_frog @malwaretech Also that's "rapidly being on fire" not "rapidly disassembling the device into a single direction" so it wouldn't yield the results of this attack. It'd be more like the cheap Chinese "hoverboards" and less cheap Samsung phones that caught fire a few years ago.

@ln Most of the danger of most lithium batteries, right now, is focused on them starting to burn while on a plane, in a compartment assumed to not contain any burning things.

But high capacity lithium batteries can also put out a lot of burning.

I haven't seen the videos yet, but considering that we're talking about pager batteries and explosions that can, according to an AP report, tear off a person's hand, I'm pretty sure that the amount of energy unleashed in this case is significantly larger than what fits into a lithium battery.

@Lily_and_frog @malwaretech

@f4grx @malwaretech oh for sure. I even said as much when I first mentioned it on here. like... no discrete protection, no parts that would fail before the batteries, iffy battery chemistry, bad enclosure design, insufficient limits on BMS parameters for the design spec, BMS parameters writeable from the MCU, and an RCE in the firmware, all in a device that just happened to be preferentially purchased by the target demographic? that would be an unbelievable series of coincidences.

@f4grx @malwaretech but the issue of "we didn't add any discrete protection and then used a generic BMS IC whose parameter limits vastly exceed the safe limits of the design and then hooked it up over SPI/I2C" is shockingly common among commodity LiPo stuff. some do much worse, even on very large batteries. hence why I've been looking into it.

@acmeworks
I was confused about what "controlling the Intelligence/HUMINT requirements" was supposed to mean.

I've now decided it must mean "using complex language to describe something simple so only very educated people can figure out what you're saying is actually BS"

Usage: "LLMs are highly effective tools for businesses to control Intelligence/HUMINT requirements for customers and investors"
@malwaretech

@boomfish @acmeworks yeah, it's basically just nonsense buzzword bingo from someone trying to sound really informed.

@malwaretech @boomfish @acmeworks

It's just a fancy way to say, "we got a list of pager numbers from this guy whose family we threatened with this $5 wrench".

@gsuberland @malwaretech this sounds completely and disturbingly plausible.

@gsuberland @malwaretech

I've done the large caps in a 120V outlet explode 'experiment' before.

That's the main difference between a capacitor and a battery. Power != Energy.
The power density is orders of magnitude larger in a capacitor, even if the total energy is so much smaller. The chemistry matters and LiPo still cannot convert the potential chemical energy into heat fast enough like a capacitor or real explosive.

The energy in a battery is chemically stored as a potential in Ions. So Ions (nucleus and all) physically move across the cell. (imagine big dudes moving across a crowded room of other dudes, across a velvet rope into another crowd of big dudes).
Capacitors are electrochemical. The simplification of it, only the much smaller electrons have to move. (like that same dude firing a gun, only the bullet goes across the room). They go much faster, near light speed.
Chemical explosives are similar, no waiting for Ions to move a charge... they are just electrons breaking and forming bonds with directly adjacent molecules. Super fast chain reaction (like a train car full of dudes with machetes).

An explosion with Li-Ion batteries CAN happen, but only after a few moments of swelling with a very tightly sealed package that keeps the hydrogen gas building up pressure. In practice, it's gonna burn and not explode 99.9% of the time. And the 0.01% of the time that it does explode, it was obvious for several seconds to minutes that it was about to go.

@chiclet @malwaretech you're explaining this to someone who spends half his time researching novel capacitor technologies, is currently researching building a homebrew barium titanate class II monolayer ceramic capacitor, and who also spent the last month of his day job researching attacks against lithium battery BMSes. I'm very much aware of the chemistry involved. when I tell you that there are specific circumstances in which this can happen, it's not just speculation.

@gsuberland are you assuming an off-the-shelf cylindrical cell with vents built in? If you were a nation state, you could reasonably manufacture a cylindrical cell with pressure relief vents removed or blocked, so that the cell is a reasonably well-sealed pressure vessel. (of course, not the simplest approach and not consistent/reliable timing vs just hiding actual explosive - but may be possible if they were extremely worried about this standing up to an incoming inspection?).

@charliebruce no. just a cheap shoddy pouch battery in a sealed aluminium enclosure with a wall size just thick enough to hold some pressure, but not thick enough to prevent eventual rupture. you'd need to combine that with extraordinarily negligent design on the BMS side of things. it's a lot of very very unlikely coincidences stacking up on top of each other, and it doesn't even match with photos of the device that came out in the meantime, so it definitely wasn't the case here.

@gsuberland ah right, I haven't seen the photos. Sounds like they just relied on a lack of incoming inspection / a quick enough turnaround from delivery that nobody had time to notice, I guess.

@charliebruce right now we don't know anything at all really, beyond eliminating the "just a regular battery that got blown up by an exploit" theory.

there are a few articles with claims about explosives being placed in batteries, but their sources are extremely questionable and provide details that are either obviously false or highly suspect. we'll have to wait for actual trustworthy analysis to come out before we know.

@malwaretech nah. Just short-circuit a shitty LiPo/LiIon/LiCo cell...
