Simple Oversights Expose Military Vulnerabilities
Now this is interesting. Military personnel overseas, by using fitness apps like FitBit, Jawbone and the like, have unwittingly exposed the location of several American bases around the world.
Strava, a company that gathers data from these on these types of fitness gadgets, recently shared an online map (a “global heatmap”) based on 13 trillion GPS data points over two years. As it turns out, however, some among that number provided a clear spotlight on installations in the Middle East and Africa, including more than 50 in Afghanistan who were identified by name based on their jogging routes. A Taiwan missile command center also revealed a security flaw through this data.
Nor is this the first time that unsecured consumer devices have potentially compromised the security of armed forces overseas. Both pro-Russian hackers and the Russian military itself have in recent years been reported leveraging malicious Android apps and surveillance drones to track Ukrainian artillery units and US troop locations, respectively.
It is surprising, though. These are not the first instances of Pentagon and Department of Defense embarrassment caused by the simplest security failures. In 2007, photos taken of brand new Apache helicopters were shared online; through these, insurgents determined the exact coordinates of aircraft within the compound, which allowed them to destroy some of them with mortar fire. Following incidents like this, comprehensive training policies in both operational and information security were implemented, including best security practices on social media and smartphones.
Which is why it’s surprising that such proactive measures did not, apparently, include data gathered by these GPS trackers and similar devices, which have been practically standard issue at several bases since 2013. Thus we have a strange instance where the DoD is seemingly playing catch up on a critical security issue, rather than being out ahead of it. Speaking with Task & Purpose, Pentagon spokesman Major Audricia Harris stated that the “DoD takes matters like these very seriously and is reviewing the situation to determine if any additional training or guidance is required and if any additional policy must be developed to ensure the continued safety of DoD personnel at home and abroad.”
Since this past weekend was Data Privacy Day, I thought this was an especially timely story. As the Pentagon plans to review communication device security, it’s a reminder that Internet of Things cybersecurity is still a challenging new realm for even the most capable organizations. Everyone is still prone to fumbles. Although, in this case, Strava offers soldiers a fairly simple solution for the time being: just opt out of data sharing.