For millions of Americans, downloading smartphone apps and quickly allowing them access to the phone’s location data has become a daily routine. But for service members and their families, every download can offer U.S. adversaries a chance to threaten their personal safety, information security experts warn.
U.S. Central Command told members of Congress that during Operation Epic Fury, the campaign against Iran, the command “received multiple threat reports concerning adversary exploitation of commercial location data to target or surveil U.S. personnel in theater,” according to a May 28 letter that Sen. Wyden (D-Ore.) and Rep. Pat Harrigan (R-N.C.), along with several other lawmakers, sent to the Pentagon. The letter expresses alarm that the Pentagon has not disabled the advertising data feature on government-issued Apple and Android smartphones that’s designed to share the user’s location and other data with the commercial ad industry.
Foreign adversaries can easily purchase this information from hundreds of data brokers to figure out where service members live and track their daily habits, lawmakers maintain.
“The Department of Defense has not taken basic steps to protect U.S. military personnel from the serious counterintelligence and force protection threat posed by the collection and sale of personal information, including cell phone location data, by data brokers,” the letter states.
This isn’t some far-fetched theory, according to information security expert Clayton Swope, a senior fellow at the Center for Strategic and International Studies. Even in this age of cyber awareness, service members and their families don’t realize how easy it has become for foreign adversaries to find and track them. Each time an app is downloaded, users must voluntarily choose if they want the app to share their location and online activity data to deliver personalized ads. When service members click “allow,” it exposes a potential vulnerability.
“This isn’t sophisticated,” Swope told Air & Space Forces Magazine. Anyone can buy advertising data from data brokers and search it with artificial intelligence tools to quickly find users that live in military housing near bases they are surveilling, he said.
Each phone has an identifier that’s associated with the user. Even though it’s supposed to be anonymous, adversaries can figure out a lot by just tracking where the phone is consistently located, Swope said.
“Did it hang out on a U.S. military base? Did it go and hang out in military housing from 10 p.m. to 6 a.m.?” Swope said. “And then you could figure out from that pattern of life.”
“Right now, I don’t feel like people understand this threat enough to know what you’re giving away when you might say yes, allow that app to track me. … Someone might want to target you or your family,” Swope added.
Around the same time lawmakers sent the Pentagon their letter, Chief Master Sergeant of the Space Force John Bentivegna’s official Instagram account was hacked with Iranian propaganda—the latest reminder that no one is immune from the evolving and sophisticated tactics of cyber criminals. A hacker tricked Meta’s AI support assistant bot into resetting the account password, according to multiple tech-focused media publications. Experts say the incident may have been preventable by using multifactor authentication, a one-time code sent via SMS.
“Threats we face online are constantly evolving, and no one is immune, from individuals to large organizations,” Bentivegna said in a statement. “Taking simple steps like using strong passwords, enabling multifactor authentication, and staying alert to suspicious activity can go a long way toward protecting yourself and those around you.”
But the recent incidents of Iranians using commercial advertising data to threaten service members go beyond what happened to Bentivegna, experts say.
“It’s very different than the threat that would come from poor cybersecurity hygiene; it really translates more into the physical realm than when you think of your vulnerability in cyberspace,” Swope said. “It’s taking advantage of information that is available for purchase legally … to do harm to service members.”
CENTCOM told Congress in April that the advertising ID is still not disabled on government-issued smartphones but stated that the Defense Information Systems Agency is currently testing a capability to do so, the lawmakers’ letter states. The command also told lawmakers that it had rolled out a capability to administratively disable location sharing on smartphones in May.
Members of Congress are asking the Pentagon to take steps to better protect service members, such as disabling the “advertising ID on all DOD-issued smartphones and issue a policy mandating that DOD personnel disable the advertising ID on all personal phones brought onto DOD facilities or taken to overseas deployments.”
Wyden’s office told Air & Space Forces Magazine that the Pentagon has not responded to its letter. A Defense Department official said that Pentagon policy prohibits commenting on congressional correspondence.
Retired Air Force Brig. Gen. Gregory Touhill said it’s “perfectly reasonable” for Wyden and other lawmakers to ask the Defense Department to explain its plans for handling this problem. Touhill, a former federal chief information security officer who is now at Carnegie Mellon University, estimated that there are roughly 3,000 data brokers operating globally with more than 500 registered in California.
The problem extends beyond government smartphones to personal phones, iPads, smart watches, fitness trackers, and other wearable devices used by service members and their families.
“These are trackable,” Touhill said. “I call that your digital exposure.”
For many years, cyber experts have been saying “hey, this could do this and this could do that, and folks said ‘oh, you guys are just the science fiction naysayers; you go to the default of doom,’” Touhill said, adding that there needs to be a command-level discussion on how to better manage this risk to the force.
“If we don’t educate up and down the chain as to what the risks are and how to mitigate those risks, we’re suboptimizing our ability to conduct the missions in an AI-enabled, analytical world,” Touhill said.
Swope said the most “sensible” solution is to disable the ad targeting feature on government smartphones. Until that happens, service members should never give an app permission to track them.
“Does that minimize all risk? No, but it buys down your risk every time you click—don’t track me, because that’s one less app that has that data that then could sell it to a third party.”
Swope added that “some of these apps need your geolocation in order for it to function, so there’s still the potential to be exposed. You’re just saying you’re denying them essentially the right to use that in a way that kind of creates this vulnerability through the third-party data brokers.”

