- The Pentagon has confirmed that foreign adversaries of the US were exploiting commercially available smartphone location data to track US troops in war zones
- This revelation comes despite warnings almost a decade ago about the risks of smartphone tracking by government contractors
- The problem persists because the DoD does not require users to disable geolocation in war zones, and advertising IDs are still transmitted by smartphones even when personalized ads are disabled
Foreign adversaries of the United States have been able to purchase commercial smartphone data that allows them to track troop movements in theaters of war, including the Middle East, due to a lack of oversight by the Department of Defense (DoD), although the Pentagon has confirmed such incidents.
The acknowledgment comes at a time when lawmakers, led by Senator Ron Wyden and Representative Pat Harrigan, criticized the Defense Department for not enforcing stricter smartphone security protocols.
They noted that both personal and government-issued devices still transmit promotional IDs that can be used to locate personnel worldwide, in a letter to DoD CIO Kirsten Davies.
A decades-long list of concerns
The Pentagon has been alerted to the threat to its operational security and, by proxy, the security of its soldiers for at least a decade, as noted by Senator Wyden in what reads as a scathing admonishment of its perceived lack of response to a glaring security problem:
“[The] DOD has reportedly known about this threat since at least 2016, when a government contractor briefed officials from the Joint Special Operations Command and demonstrated the ability to track phones traveling from U.S. special operations bases in the Middle East.”
DOD’s slow movement on the issue is seen as a “lack of prioritization of this threat,” even though its Bring Your Own Device (BYOD) policy appears to be at odds with operational security needs (OPSEC).
For context, the Army is phasing out government-issued devices in favor of the BYOD policy above and aims to bridge the gap by mandating a Mobile Device Management (MDM) policy, which it is still rolling out to address some of its security concerns.
It is pertinent to note that even publicly issued devices remain a security risk because they do not disable advertising profiles that enable tracking abroad. These profiles can be purchased online from commercial data brokers by any interested party, including foreign adversaries.
An acknowledgment without a solution for now
The Pentagon noted that its current guidance does not always result in geolocation being disabled, even as it admitted it had “received numerous threat reports of adversary exploitation of commercial location data to target or monitor US personnel in theater”.
Despite this information and warnings being shared in both public and private forums, the Pentagon has yet to develop a concrete solution that fully addresses the problem, even as pressure from Congress intensifies.
This is also not the first time in recent weeks that the US Army has been reported to have dropped the ball regarding its security protocols within its own ranks, with a damning report indicating that as many as 70,000 sensitive files remained exposed in an Open Directory Listing.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.
