TechRadar
Rahim Amir

US soldiers' personal phones allowed enemies to track positions and target troops in real time, Pentagon reveals

The Pentagon, Arlington County, Virginia.
  • The Pentagon has confirmed that foreign adversaries of the US exploited commercially available smartphone location data to track US troops in war zones
  • This disclosure comes despite warnings from government contractors nearly a decade ago about the risks of smartphone tracking
  • The issue persists because the DoD does not require users to disable geolocation in war zones, and advertising IDs are still transmitted by smartphones even when personalized ads are disabled

Foreign adversaries of the United States have been able to purchase commercial smartphone data that allows them to track troop movements in theaters of war, including the Middle East, owing to a lack of oversight by the Department of Defense (DoD). The Pentagon has confirmed such incidents.

The acknowledgment comes as lawmakers, led by Senator Ron Wyden and Representative Pat Harrigan, have criticized the Defense Department for failing to enforce stricter smartphone security protocols.

In a letter to the DoD's CIO, Kirsten Davies, they noted that both personal and government-issued devices still transmit advertising IDs that can be used to locate personnel worldwide.

A decade-long list of concerns

The Pentagon has been aware of the threat to its operational security and, by extension, the safety of its soldiers for at least a decade, as Senator Wyden noted in what reads as a scathing admonishment of its perceived lack of response to a glaring security issue:

"[The] DOD has reportedly known about this threat since at least 2016, when a government contractor briefed Joint Special Operations Command officials and demonstrated the ability to track phones traveling from U.S. special operations bases in the Middle East."

The DOD's slow movement on the issue is being seen as a "failure to prioritize this threat," even as its Bring Your Own Device (BYOD) policy seems at odds with operational security (OPSEC) needs.

For context, the Army is phasing out government-issued devices in favor of the BYOD policy and aims to bridge the gap by mandating a Mobile Device Management (MDM) policy, which it is still rolling out, to address some of its security issues.

It is pertinent to note that even government-issued devices remain a security risk because they do not disable advertising profiles that enable tracking overseas. These profiles can be purchased online from commercial data brokers by any interested party, including foreign adversaries.

An acknowledgment without a solution for now

The Pentagon noted that its current guidance does not always result in geolocation being disabled, even as it conceded that it had "received multiple threat reports concerning adversary exploitation of commercial location data to target or surveil US personnel in theater".

Despite this information and warnings being shared in both public and private forums, the Pentagon has yet to develop a concrete solution that fully addresses the problem, even as pressure from Congress intensifies.

This is also not the first time in recent weeks that the US Army has been reported to have dropped the ball regarding its security protocols within its own echelons, with a damning report indicating that as many as 70,000 sensitive files remained exposed in an Open Directory Listing.
