Despite knowing for a decade that commercial location data on smart phones could be used to track U.S. military personnel, the Pentagon did not neutralize the potential threat. Now, some foes are following through, according to a new report.
The Defense Department acknowledged to Congress that troops now fighting in the Iran war had been targeted using the data, WIRED noted. The military stated that it "has received multiple threat reports concerning adversary exploitation of commercial location data to target or surveil US personnel in theater."
The declassified document was released by U.S. Senator Ron Wyden, D-Oregon.
The vulnerability continued to exist through the start of the Iran war despite a 2016 presentation by a government contractor to senior military officials at the Joint Special Operations Command. In fact, the presentation has been public knowledge and was first reported on in 2021 by the Wall Street Journal.
In 2024, journalists tested the ability to track the movements of U.S. military personnel at bases in Germany. The journalists were able to use a free sample of location data from a U.S. based broker. From that data, the journalists followed 12,313 devices that spent time at or near 11 military sites.
Wyden and other lawmakers have now sent a letter to the Defense Department demanding to know how commercial location data could still be a threat to U.S. troops more than 10 years after the problem was first recognized.
"Commercial location data can be used to identify where U.S. troops congregate and their pattern of life, which can be exploited by adversaries to target attacks such as missiles, drones, and roadside bombs, as well as for counterintelligence purposes," reads a passage of the letter.
"That foreign adversaries are still able to buy location data collected from the phones of U.S. personnel serving in military hotspots is a direct result of DoD leadership's failure to prioritize this threat and implement common sense cyber defenses recommended by federal cybersecurity experts," it adds.
The military did say in its April communication to Congress that they were in the process "migrating government-issued mobile devices to a new Mobile Device Management Server which will allow for location services to be completely disabled." The migration was expected to be completed in May, months after the Iran war began in February.
However, lawmakers expressed dissatisfaction with the military's response to the problem.
"DoD has known about this threat for over a decade, yet have failed to take meaningful steps to protect our men and women in uniform. That is simply unacceptable," the letter states. "DoD must immediately adopt common sense cyber protections to prevent the sale of location data that can undermine national security and risk the lives of U.S. personnel."
