Adversaries Exploit US Troop Geolocation Data via Ad Profiles
Published
Key Takeaways
- Adversary Exploitation: Foreign actors utilized commercial geolocation data to surveil U.S. troops.
- Policy Vulnerabilities: Personal devices lack strict location-disable mandates in active war zones.
- Infrastructure Upgrades: The Department of Defense said it is migrating to a more restrictive MDM solution.
Lawmakers report that America’s foreign adversaries exploited commercial geolocation data tied to U.S. troops, using it to target or surveil U.S. personnel in the Middle East. In response to this severe operational security failure, Senator Ron Wyden, Representative Pat Harrigan, and 12 other bipartisan members of Congress sent a letter to the Department of War CIO, Kirsten Davies.
The letter, published on Thursday, calls for immediate changes to the smartphone security posture across all U.S. military branches.
Threat Intelligence and Data Brokers
Wyden’s letter explicitly noted that government contractors briefed military leadership back in 2016 about the ease of tracking smartphones owned by military members. “Commercial location data can be used to identify where U.S. troops congregate and their pattern of life, which can be exploited by adversaries to target attacks such as missiles, drones, and roadside bombs, as well as for counterintelligence purposes,” the letter states.
In written responses from April, the Department of Defense (DoD) confirmed that the U.S. Central Command (USCENTCOM) had received multiple threat reports regarding adversary exploitation of commercial location data to target or surveil U.S. personnel in theater in connection with Operation Epic Fury.
Adversaries obtained this sensitive telemetry from smartphone advertising profiles purchased directly from commercial data brokers, according to the letter, which added that USCENTCOM also revealed that it “only rolled out the capability to administratively disable location sharing on smartphones in May 2026.”
Mobile Device Management and Policy Gaps
Currently, the DoD maintains no policy requiring service members to disable geolocation on personal devices in active war zones. Furthermore, on government-issued endpoints, the Mobile Device Management Server disables Personalized Advertising, but Ad Targeting Information remains enabled and can be edited by a user.
To address these security posture weaknesses, the DoD stated it was migrating to a new MDM solution designed to fully disable location services on government-issued devices.
In February, Poland banned Chinese vehicles from military facilities over spying concerns. Reports in 2024 said North Korean APT45 targeted military bases, NASA, and other U.S. critical infrastructure.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular