When thousands of pagers in Lebanon remotely detonated on Tuesday, they wounded over 3,000 people and killed at least 12. Lebanese militant group Hezbollah blamed Israeli forces for the explosions.
A second round of attacks hit the country today, with walkie-talkies exploding at a Hezbollah funeral and in multiple areas of Beirut. At least one child died and another 100 people were injured.
Although the attacks have no direct correlation with the crypto industry, they have prompted some concern about potential supply chain attacks.
All crypto devices for self-custodying assets like bitcoin or ether are vulnerable to supply chain attacks. Ledger, Trezor, ColdCard, BitBox, and countless other hardware wallet makers promise their devices are secure.
Nevertheless, like the thousands of pagers in Lebanon, the discrete steps of manufacturing an electronic device introduce countless moments of vulnerability. Somewhere in the logistics and supply chain preceding delivery to Lebanon and Hezbollah agents, someone set up the detonation components.
Similarly, crypto is suddenly concerned about malicious actors installing or hacking components in the hardware devices that store their digital assets.
The risky supply chain of crypto hardware wallets
A crypto hardware wallet contains dozens of electronic components sourced from third-party manufacturers. Components sit in warehouses abroad for weeks; then in ships, trains, and trucks; and then on shelves at the manufacturer’s warehouse.
Throughout these steps, employees of numerous companies have an opportunity to compromise the supply chain.
To counteract these risks, hardware wallet manufacturers perform spot checks, interview logistics personnel, review camera footage, conduct impromptu interviews, and even plant undercover workers in their own facilities and at third-party vendors.
So far, their securities practices have mostly worked. Aside from isolated incidents like the December 2023 Ledger Connect Kit attack or the 2022 hacks of Slope and BitKeep hardware wallets, there have been surprisingly few hardware hacks in crypto’s history.
However, recent events in Lebanon have the entire crypto community on edge.
Consider the complexity of this week’s pager attacks in Lebanon. A number of pagers were recovered intact and are under forensic investigation.
Pager company Gold Apollo in Taiwan denied making the compromised components for these AR924 pagers, instead blaming a company in Hungary, BAC Consulting. The CEO of Gold Apollo claimed in multiple interviews that he is 100% sure he did not manufacture the compromised components but simply white-labeled BAC’s product.
Ultimately, whether hardware devices by major manufacturers like Ledger and Trezor are compromised is difficult, if not impossible, to know. Wallets could, for example, be pre-seeded and merely pretend to generate seed phrases.
In any case, many security-conscious crypto users opt to use multi-signature wallets with signing devices manufactured by multiple vendors to reduce the risk of any single device.