Lawmakers push DoD to tighten smartphone controls after adversaries exploited commercial tracking data
Getting the location of troops at war might be as easy as buying the data from a legitimate business. America’s foreign adversaries have exploited commercial geolocation data tied to US troops, the Pentagon admits, using it to target or surveil US personnel in the Middle East. Despite that, the Defense Department hasn’t exactly moved fast to secure the information, elected officials say.
Senator Ron Wyden (D-OR), Representative Pat Harrigan (R-NC), and a dozen other Congress critters sent a letter to DoD CIO Kirsten Davies on Thursday, demanding a change in smartphone security posture among US military branches. Included in the letter is what lawmakers describe as the first public confirmation that commercial location data has been used to target or surveil American troops in active war zones. The information was shared with Wyden’s office in April.
The reason for the delay in publishing the information, Wyden’s team told The Register, was “markings that restricted public release,” which Wyden reportedly pushed back on, leading to Thursday’s letter and the attached responses [PDF] from the DoD confirming that information purchased from commercial data brokers was used to target troops.
“USCENTCOM [US Central Command] has received multiple threat reports concerning adversary exploitation of commercial location data to target or surveil US personnel in theater,” the DoD’s responses from April indicate.
As for how exactly data brokers got access to the data that allowed adversaries to locate troops and track their movements, they got it from the same source as anyone else buying data from a commercial broker: smartphone advertising profiles.
According to the DoD responses included in Wyden’s letter, not only are US military personnel allowed to use personal devices within operational areas, there’s no actual policy that requires servicemembers to turn off geolocation capabilities on their devices when located in active war zones.
“USCENTCOM's geolocation risk guidance directs personnel to disable geolocation functionality when not needed; periodically review device and application privacy settings; and limit public sharing of information,” the DoD said last month, while simultaneously admitting that such guidance doesn’t always fully disable geolocation on smartphones.
In addition to personally owned devices, the DoD’s own issued smartphones don’t disable advertising profiles, either.
“The Personalized Advertising setting is disabled by group policy on the Mobile Device Management Server,” the DoD told Wyden’s team. “However, Ad Targeting Information is not disabled and can be edited by a user.”
That’s not the most straightforward answer, and, when we asked Wyden’s team what it thought of the response, it agreed with our assessment that the Pentagon’s MDM disables the serving of personal ads to users, but doesn’t stop the transmission of device advertising IDs or other associated data.
The DoD noted in the response that it’s in the process of migrating to a new MDM solution that allows location services to be completely disabled on government-issued devices and was targeting a completion date of early May, though it’s not clear whether the process has been finished yet. The Pentagon declined to answer any of our questions, only saying it would respond to Wyden, not us.
It’s also not clear how effective that MDM migration will be, as the DoD appears to be phasing out government-issued devices in favor of a broader BYOD policy in at least one branch. According to a US Army press release from earlier this month, the branch is targeting the end of this month for the return of Army-managed work smartphones, as “the primary and preferred method for connectivity is the Bring Your Own Device, or BYOD, program.”
CENTCOM has reportedly strengthened its geolocation controls in its area of operations; whether the average soldier, sailor, airman, and Marine is complying isn’t indicated.
They’ve known about this for how long?!
Failure to prevent the exposure of sensitive location data of military assets could be forgivable if it were a new problem, but according to Wyden’s letter, it’s not: The Pentagon likely knew about the issue for a decade.
According to the letter, government contractors briefed military leadership about the ease of tracking smartphones owned by military members way back in 2016.
“DoD officials have not treated this counterintelligence and force protection threat as a five-alarm fire,” the letter asserts, adding that the Pentagon “has known about this threat for over a decade, yet have failed to take meaningful steps to protect our men and women in uniform.”
It’s not like there haven’t been plenty of examples of sloppy location data management compromising military operations, either. Data culled from workout tracking app Strava has been used to identify the workout routes of US military personnel jogging on base - and reveal the location of French President Emmanuel Macron thanks to his bodyguards’ sloppy security practices - and social media has also been flagged as an OPSEC disaster waiting to happen.
Despite all those examples and briefings going back a decade, the problem has continued right up to the latest operations in Iran.
“That foreign adversaries are still able to buy location data collected from the phones of U.S. personnel serving in military hotspots is a direct result of DoD leadership’s failure to prioritize this threat and implement commonsense cyber defenses,” the letter charges. Whether anything will be done about it remains to be seen. ®