US troops deploying to the Middle East told to leave personal devices at home

US military officials fear operational security (OpSec) failures in handling personal devices might put soldiers in danger.
Written by Catalin Cimpanu, Contributor

Amid growing tensions with Iran, the US deployed emergency troops to the Middle East last week.

Before being sent overseas, paratroopers part of the US Army 82nd Airborne Division were told to leave personal devices like smartphones, tablets, and laptops at home, according to CNN Pentagon correspondent Barbara Starr, citing US Army Maj. Gen. James Mingus.

The primary concern was that poor operational security (OpSec) practices might put soldiers in danger and expose military operations, US Army 82nd Airborne Division officials told the Army Times last Monday.

Over the past four days, ZDNet conducted interviews with more than 20 US military veterans who served on active war fronts but who now work jobs in cyber-security firms.

We asked them to put the Army's ban on personal devices into context based on their military experience and cyber-security knowledge and to explain the realistic threats US troops might be facing in a modern theater of war.

Social media might expose troop movements

"I think the primary worry is that people do stupid things online, and various entities have learned to mine social media information quite effectively," said Joe Slowik, a former US Navy Cyber Special Projects Officer, now Principal Adversary Hunter at cyber-security firm Dragos.

"Primary issue is being able to determine movement and possible intentions by tracking persons (and their associated units or functions) based on things like social media posts -- for example, pictures or postings including photographs with geo-tagging enabled," Slowik added.

"From my experience, this would apply to things like knowing US naval vessel port visits in advance, which could enable bad actor planning for when the ship arrives."

Having soldiers reveal details about themselves on social media accounts in their free time is dangerous, especially when deployed in the field. Slowik specifically warns that foreign intelligence services could reach out to groom and cultivate sources inside active frontline troops via social media.

Kidnap, ransoms, catfishing, device theft, device imaging

But there are other dangers.

"Particularly, kidnap & ransom of individual troops would be a unique risk that phones would add to the mix," said Bryson Bort, a former Army officer, who has now gone on to found two security companies, and co-founded the ICS Village non-profit.

Here, catfishing is a particularly dangerous threat. Soldiers who spend their free time on their phones and social media devices could be tricked into downloading malware or revealing details to members of the opposite sex.

Such scenarios have been happening for a few years now. Israel Defence Forces (IDF) soldiers have been tricked numerous times into installing malware or going on dates with Hamas agents disguised as women -- with some soldiers being killed as a result [1, 2].

Another danger of allowing soldiers to bring devices to a war front is that devices could be stolen or imaged by a foreign adversary.

Something like this happened to one of the vets with whom ZDNet spoke, who requested anonymity. The vet described a visit to a foreign state, where his devices were temporarily seized and imaged at a border crossing.

The Strava debacle and the omnipresent threat of location tracking

Mark Waggoner, a vet with ten years Army experience, now a Linux sysadmin for LogRhythm, also warns about another type of threat that comes from allowing actively deployed troops to be active on social media through their devices.

A foreign adversary that manages to link actively deployed US troops to their online personas could then target those online accounts.

"Compromise of individual cloud services accounts could be very useful," Waggoner told ZDNet. "Having a detailed track of every location a device was at through the Google Location service would be a significant piece of intel."

But Waggoner's warning doesn't apply to Google accounts alone. In late 2017, fitness tracking service Strava published a global heatmap with "anonymized" fitness tracking data showing the places around the globe were people liked to exercise the most. The public data, while not linked to individual persons, exposed the locations of several secret military bases.

In theory, once a foreign threat actor has identified an actively-deployed US soldier, they could target any other location-collecting service that the soldier might be using. Adversaries don't necessarily have to go after Google accounts, which are much harder to hack. These days, almost every online service and low-end mobile app tracks your location with a high degree of accuracy.

Stopping OpSec leaks is impossible. Banning devices is simpler.

But the reality is that even if soldiers are careful, there's always an OpSec leak taking place in the most unexpected places. Stopping any possible leaks by not allowing soldiers to carry personal devices while deployed in the field is the most sensible approach, at the current time.

"From an InfoSec point of view, the restrictions make good sense," Waggonar told ZDNet. "Trying to maintain good OPSEC with thousands of these devices would be a losing battle."

And the US military has been aware of the growing threat coming from military personnel bringing laptops and cell phones on war fronts.

A second vet who also requested anonymity said Army officials passed a similar ban on personal devices for soldiers deployed in the Iraq war. The Army even ran a unit tasked with information security, with orders to confiscate and destroy soldiers' personal devices brought to a war front.

This resulted in some soldiers buying unauthorized devices from local stores, some of which were found to be infected with malware.

Cell phone tracking

"Sometimes, soldiers don't know what's good for themselves," a third US Army vet told ZDNet, also requesting anonymity. He then went on to detail the dangers of soldiers' personal cell phones connecting to cell towers in a foreign country, which leaves a digital trace that threat actors could collect and track troop movements in real-time.

"Third-party Foreign Intelligence Entities (FIE) pose a threat to deploying forces and often have more robust capabilities than the adversary the troops are deployed to address," said Andrew Thompson, a counterintelligence and human intelligence specialist with the US Marine Corps, now a manager at cyber-security firm FireEye.

In fact, it was Thompson's employer who exposed a clever hacking operation carried out by Chinese hackers who breached mobile providers all over the world and installed SMS-intercepting malware on their network so they could spy on high-value targets.

It would be expected that Iran would carry out similar campaigns against US soldiers deployed in military zones if it ever came to a direct confrontation with Iran, a country known for its expansive cyber apparatus and hacking capabilities.

"It's important to remember that modern adversaries that possess Signals Intelligence (SIGINT) and Cyberspace Operations capabilities have targeted frontline troops in the past," Thompson said, pointing to Russia's use of cyber-tactics against Ukrainian troops.

The modern battlefield has already moved towards a cyber era. As the world evolves and digitizes, it is becoming more clear that non-secure personal digital devices have no place on the frontline.

"It has become a very real part of the battlefield for intelligence gathering efforts against our troops," a US vet from the Afghanistan front told ZDNet.

The FBI's most wanted cybercriminals

Editorial standards