The Pentagon Restricts Use of Fitness Trackers and Cellular GPS Devices for Soldiers

cageymaru

The Pentagon has taken notice of reports that fitness trackers can be used to easily track and spy on FBI agents, nuclear technicians, and other employees working at sensitive bases. This is due to the devices tracking the user's route and posting it to social media, in addition to a lack of encryption on account IDs and data streams. The Pentagon has created a memo detailing the "significant risk" that GPS-locating software on cellular phones and fitness trackers pose. The devices will be required to be turned off in certain operational areas.

Army Col. Rob Manning, a Pentagon spokesman, said it's a move to ensure the enemy can't easily target U.S. forces. "It goes back to making sure that we're not giving the enemy an unfair advantage and we're not showcasing the exact locations of our troops worldwide," Manning said.
 
This is due to the devices tracking the user's route and posting it to social media in addition to a lack of encryption on account IDs and data streams.

Hmm.

As far as posting location data to social media goes, this is an option. I've never had my devices post anything to my social media. My location data is pulled to my Fitbit account though, but that can also be disabled should I choose to do so. This seems to be more user error than anything else.

So, the way my Fitbit devices work is they sync with my phone over Bluetooth, which has been encrypted since 2.1 I believe. Then from there the app on my phone syncs with Fitbit's servers. I've always assumed this data link used some form of encryption. If it doesn't, that is a massive boneheaded oversight.

But I guess I'm just one of those weirdos who, whenever I get any new tech or software, the first thing I do is go through ALL the settings and make sure they are set to a level I am comfortable with. It's almost unbelievable to me that people actually use anything with default settings, especially if they are in some sort of clandestine operation.
 
Check out the Polar Flow article. It is linked in the article on the front page. ;)
 

Ahh, thanks. I missed that one first time around. Only read the AP story.

Still though. This feels like throwing out the baby with the bath water. Banning all fitness trackers because one brand (who isn't even a market leader like Garmin and Fitbit) did nothing about security?
 

After reading the Polar Flow article that seems like the only option.

No telling how good the security on these things is, and now any one of them can be a target for this type of data breach. That's some scary stuff.
 
What Army Col. Rob Manning really meant to say: We can't have these fitness trackers on military personnel giving away location data because [privacy and security] so we're banning them all. But American Public, you go ahead and keep using them because we don't give a shit about your privacy and/or security.
 
Think of it this way. If the device's website is hacked and is spewing information about GPS coordinates then it is still compromising the military. So even though "FitBit" might not be doing it intentionally, there is still the possibility of giving away troop movements to the enemy during an operation. Plus Bluetooth can be easily hacked from what I understand.
 
What Army Col. Rob Manning really meant to say: We can't have these fitness trackers on military personnel giving away location data because [privacy and security] so we're banning them all. But American Public, you go ahead and keep using them because we don't give a shit about your privacy and/or security.

So? It's not the military's job to police the civilian population in any sense of the word. (It's *literally* not their job.) Anyone reading the article can draw their own conclusions about their privacy. At the same time, there's probably nobody interested in finding the best time and/or place to bomb you or me, so there's a different level of security even necessary.
 

Doesn't really matter. Think of it this way, for the last two years, although encrypted and reasonably secure, I still can count approximately 85,000 different cell phones operating from within the base. Then in August, you realize the count has dropped by about 4,000 phones, about the number of soldiers in a Brigade sized element, and there's information in the local papers about a Brigade deploying somewhere. And within a month, somewhere, you find a sudden influx of .... 4,000 phones which although encrypted, several match phones that were active at the base before. By now, you've already identified that it's a Signal Brigade that has deployed, so guess who now has a signal brigade in their back yard.

Even if I don't get an ounce of data off the phones I can still get very valuable intel or confirm other sources. It is a problem and it goes far beyond what some of the fools post on their facebook pages for the world to see.
 

Thanks for explaining. I hadn't thought of it that way.

Thing is, they are not banning all phones though, right? Just fitness trackers. So this problem would remain?
 

It depends, a lot of soldiers' phones may not work in some world regions, so they buy new phones that will. For instance, most of the world, especially the less developed world, is GSM phone territory, SIM cards and all that goes with them. Frequently there are multiple little access companies, all with their own SIMs you have to buy, and you buy phone cards with minutes on them to pay for your time on the network. Changing SIMs is common for the guys whose missions are more mobile. So many have their old phones turned off in their luggage somewhere.

My little story was mostly to highlight that the issue is multidimensional. But there remains a very true possibility that someone with a world phone and a fitness tracker could go to a war zone and have their positional data hacked and their identity determined, and their home base located, and many other things. So the DoD looked into it, decided the risk was real, and have issued guidance. The fact that it took them a few months to get to it is probably 50% bureaucracy and 50% due diligence checking it out to measure how much real risk there is.
 

Yes, but that is a great explanation of exactly how big the SigInt problem is.

No actual government will be working with that level of information, b/c that's easy.

It took Icpiper longer to type that up, than it would have taken to do it, and that's just deploying a Brigade, which nobody will really look for that way (there are easier ways).

Imagine what else is possible.

This whole thing started with the Polar Flow website broadcasting, not being hacked, broadcasting, the running habits of spec ops teams at certain sites that "don't exist".

So, not only were folks getting intel on where sites were that we didn't want them to know about, they were also getting a minute-by-minute breakdown of certain types of activity that allow for things like ambushes etc. if the site is in a sensitive area.

And that info was broadcast over the internet.
 
So? It's not the military's job to police the civilian population in any sense of the word. (It's *literally* not their job.) Anyone reading the article can draw their own conclusions about their privacy. At the same time, there's probably nobody interested in finding the best time and/or place to bomb you or me, so there's a different level of security even necessary.

I didn't say it was their job. BUT clearly the military shouldn't be allowing THEIR personnel to use CIVILIAN CONSUMER GOODS without vetting/authorizing the products BEFOREHAND and incorporating them correctly into their system. It's like BYOD at work: you have to go through some provisioning.

But what my comment DOES say is that any time the government comments on goods like this, the public takes notice on how it will affect their lives as well. You heard them say "Don't buy/use Kaspersky, ZTE, Huawei FOR GOVT USE," but guess what impact that had on the consumer sector? So YES in essence what he is saying is that it's not good enough for us, but he doesn't care if it's good enough for you on a primary device function that affects all that use it.
 

Also, many sensitive areas enforce no phones policy. People don't think about their Fitbit/fitness tracker or smartwatch as a device which is attempting to send and receive data. (Or store and upload data later, such as running and biking routes.)

If someone were to look at the publicly available heatmaps for these apps they may see trends of large groups consistently exercising at a specific time and place each day (large target) or a single individual setting a pattern (isolated target). They could also use the data to draw rough maps of installations and building layouts without ever seeing them.

And while most [H]ard users and condition yellow types will check their security settings the vast majority of folks, even many military and DoD types won't. Not to mention software updates that may reset security settings.
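The two posts above (the phone-count story and the heatmap one) describe the same analytic from the observer's side: device identifiers plus timestamps plus coordinates are enough to count a garrison, notice a unit-sized drop, re-identify the same devices somewhere else, and read off the daily routine at the new place. The script below is an added illustration of that, written for this page and not taken from the thread, the Polar Flow reporting, or any vendor. Every identifier, coordinate and timestamp in it is constructed, and the two sites are hypothetical; the only real thing is the technique.

```python
"""Pattern-of-life analysis over constructed location records.

Added example, not from the thread or any tracker vendor. An observer who sees
only (device id, timestamp, lat, lon) tuples, e.g. from a leaky fitness service,
can (a) count devices at a base, (b) spot a unit-sized group that vanishes and
re-appears elsewhere, and (c) recover the time-of-day routine at the new site.
HOME_BASE and FORWARD_SITE are hypothetical coordinates; all data is constructed.
"""
from collections import Counter
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

HOME_BASE = (40.0000, -100.0000)   # hypothetical home installation
FORWARD_SITE = (34.5000, 69.2000)  # hypothetical deployment location
RADIUS_KM = 2.0                    # "on the installation" threshold


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def make_records(n_devices=50, n_moved=20, days=28):
    """Constructed data: every device logs one 06:xx run per day.
    Period 1 (first `days` days): all devices run at HOME_BASE.
    Period 2 (next `days` days): the first n_moved devices run at FORWARD_SITE."""
    t0 = datetime(2018, 1, 1)
    records = []  # (device_id, timestamp, lat, lon)
    for day in range(2 * days):
        for i in range(n_devices):
            moved = day >= days and i < n_moved
            lat, lon = FORWARD_SITE if moved else HOME_BASE
            lat += (i % 5) * 0.002   # small per-device jitter (< 1.5 km total)
            lon += (i % 7) * 0.002
            ts = t0 + timedelta(days=day, hours=6, minutes=i % 30)
            records.append((f"dev{i:03d}", ts, lat, lon))
    return records


def devices_at(records, site, start, end, radius_km=RADIUS_KM):
    """Set of device ids seen within radius_km of site during [start, end)."""
    return {dev for dev, ts, lat, lon in records
            if start <= ts < end and haversine_km(site, (lat, lon)) <= radius_km}


def relocated(records, src, dst, before, after):
    """Devices seen at src during `before` AND at dst during `after`:
    re-identification of the same hardware at a new place."""
    return devices_at(records, src, *before) & devices_at(records, dst, *after)


def routine(records, site, start, end, radius_km=RADIUS_KM):
    """Most common hour of day for activity near site: (hour, hits, total)."""
    hours = Counter(ts.hour for dev, ts, lat, lon in records
                    if start <= ts < end and haversine_km(site, (lat, lon)) <= radius_km)
    if not hours:
        return None
    hour, hits = hours.most_common(1)[0]
    return hour, hits, sum(hours.values())


def analyse(records=None):
    """Run the three inferences over two 28-day windows and return the findings."""
    records = records if records is not None else make_records()
    p1 = (datetime(2018, 1, 1), datetime(2018, 1, 29))
    p2 = (datetime(2018, 1, 29), datetime(2018, 2, 26))
    home_before = devices_at(records, HOME_BASE, *p1)
    home_after = devices_at(records, HOME_BASE, *p2)
    moved = relocated(records, HOME_BASE, FORWARD_SITE, p1, p2)
    return {
        "home_count_before": len(home_before),
        "home_count_after": len(home_after),
        "drop": len(home_before - home_after),
        "reidentified_at_forward_site": sorted(moved),
        "forward_site_routine": routine(records, FORWARD_SITE, *p2),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(key, value)
```

Nothing in this needs the payload of any record, only the identifier, time and place, which is the point Icpiper made: encryption of the data stream does not help if the service (or the radio) still lets someone enumerate who is where and when. The same code, pointed at a real export, is also a usable self-check for a unit: if your own tracks yield a clean routine and a clean re-identification, so will anyone else's copy of them.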
 

Well, their off-time is their off-time- and their personal devices and information generally are personal. Obviously there is some vetting and depending on levels of access that vetting could get extreme while remaining totally warranted, but in general, the DoD isn't saying to its personnel that they're not allowed to buy and use that iPhone or Fitbit or whatever in their off time or when working in less sensitive areas.

What they should be doing, however, is to rely on their various IT complexes to vet consumer devices and perhaps (as you mentioned) go through an authorization process, wherein not only are the device(s) under consideration checked, but at a minimum basic privacy settings are also checked, and perhaps even custom firmware or apps loaded to prevent public spills.

Further, I'm actually quite surprised that these fitness tracker vendors haven't pursued government business in terms of information and operations security integration, similar to what Samsung has done by building entire 'work' modes that remain containerized.
 
Be interesting if any games come out that just coincidentally have maps that look extremely similar to certain top secret installations. No way to know, but still interesting.
 
It goes back to making sure that we're not giving the enemy an unfair advantage and we're not showcasing the exact locations of our troops worldwide,


um.. the "enemy", whoever that is, already knows pretty well our military placements. The only ones they wouldn't know about would be special operations teams, and LOL.. if they are outed by a Fitbit.. well... what more needs to be said :eek:
 

In my experience I have never seen too many top secret installations. Most of them are restricted areas within larger, known, and well protected installations, like the NSA's oldest site within Ft. Meade, Maryland. Picture below;

(Getty Images photo, not reproduced here)


Layers of real security are usually much better than trying to rely on ignorance to "hide" a site.
 
um.. the "enemy", whoever that is, already knows pretty well our military placements. The only ones they wouldn't know about would be special operations teams, and LOL.. if they are outed by a Fitbit.. well... what more needs to be said :eek:


Nope, not talking about what you are talking about. We have elements of the military that go all over the world on deployments, missions, and training missions. They may leave Ft. Benning, GA and spend a month in Canada at Camp Wainwright, Alberta, or a month doing Cobra Gold in Thailand, naval exercises with allies, Air Force training with Poland, military intelligence missions supporting work in Kyrgyzstan, support operations for a special bombing attack on Libya from somewhere I won't mention. Or even a SOF team meeting with a sheik in a village somewhere in Helmand Province, AF.

He isn't talking about where Fort Hood is ....
 
"Yes Ma'am"

"Yes"

"But if you can help us out Ma'am, this is a SECRET base, and so if you don't talk too much about it, it'd be a big help"


(image: military police search vehicles before entering the main gate at Fort Hood, TX)
 

OK, a little heavy handed maybe .... over the top

But there is a point to it all. Military bases are more than just the soldiers, sailors, and airmen.

But here is the real point I would make: what is the point of having a secret facility or installation? I know, you're thinking, so the "enemy" doesn't know about it, right?

OK, I'll run with that. I have a secret facility that I don't want the enemy to know exists because ....... maybe it's in a country that we aren't known to be so friendly with? Or for some reason the country's population would have a real issue with us being there. This might be a reason.

Another reason might be that what we are doing there requires a certain proximity to another country or location so we don't want them to know that we are getting close enough to something sensitive to be able to watch it, or listen to it, etc.

But as history has shown us, super secret spy bases or ships can be vulnerable because the secret sooner or later gets out, and the measures required to keep it secret make it hard to defend effectively. The Pueblo, for instance.
https://en.wikipedia.org/wiki/USS_Pueblo_(AGER-2)

I'd just argue that anything that requires such secrecy is usually going to be something along the lines of a listening site or observation point. And that these things can usually be done in other ways today so they are falling out of style. Any kind of secret facility today is more likely to be a secret activity on a normal facility, hiding in plain sight in a way.

So I am just wondering what "maps" of such a location are likely to be good for when it comes to games.

Now, I must confess, I just thought of another way to interpret lostin3d's comment. Maybe he didn't mean secret installations as in, it's existence or location is a secret. Maybe he meant a facility or installation that has a mission doing top secret stuff of which there are many. If this is the case then I'll owe him an apology and don't mind making it in the same public venue as I have used to this point.
 