fbpx

Soldiers with smartphones can be a gift to the enemy

With security risks and data-leaks, why do some serving soldiers bring smartphones on deployment, and how do countries differ?

A few years ago, my husband deployed to Afghanistan where the British Army had categorically banned all soldiers from using their phones. He called once a week at most, and our conversations were stilted and short. It’s hard to share sweet nothings in front of a line of soldiers waiting their turn. All was well until one morning I had coffee with another army wife. Her husband was working in the US Marine Corps Camp Leatherneck, and she got to facetime him every. single. morning. What I’d thought was an iron law of deployment – no personal communications devices for anyone, anywhere, anytime – turned out to be more an evolving set of practices.

Cell phones are wildly insecure. They’re the most vulnerable node in a network designed to generate and exploit user-data and share it with a wide range of actors, from device manufacturers, operating system owners, content-creators, software and app-designers, phone companies and partner networks. And those are just the organizations officially permitted to pull down mobile device data. Many apps leak data continually, as a consequence of either poor design or the user’s failure to install updates. We also have a perennial problem of apps that access and share personal and device data they have collected unnecessarily.

Cell phones use several different families of communications protocol — SMS, MMS, WiFi, Bluetooth and GSM – each with its own security vulnerabilities and unpredictable interaction effects. Then there are the network exploits: network providers use signalling protocols that  have known and more or less unfixable weaknesses. This means that more than half the attempts to tap calls made on 3G networks succeed, while nine out of ten SMS messages can be intercepted.

Attackers can exploit all of these weaknesses. Spyware such as NSO Group’s infamous Pegasus software can allegedly read text messages, track calls, collect passwords, track the location of the phone, access its microphone and camera and suck up information from apps. No wonder so many militaries ban personal cell phones for soldiers in action, while some ban their use altogether.

For soldiers, however, a cellphone can seem essential. These are young people who exercise a lot, often using apps, are typically far from home and often bored — and they really, really like to show off to their friends by posting videos and photographs. But the morale boost of a cellphone can undermine operational security:

  • Researchers for Bellingcat, the open-source intelligence website, used soldiers’ social media posts to forensically trace the entire journey of the Russian military unit that transported the Buk missile launcher, which likely shot down Malaysian Airlines Flight 17 (MH17) over eastern Ukraine in 2014. Bellingcat used painstaking geolocation work on selfies the soldiers uploaded to popular Russian social media platforms VK and Odnoklassniki to determine the whole route. Some soldiers made the job a lot easier by photographing themselves in front of place-name signs along the way.
  • In January this year, during a military exercise in the Mojave Desert, a US Marine Corps lance corporal ‘got his whole unit killed’ – hypothetically — by posting a picture of them on Facebook. Nowadays, every conflict zone is “an electronic warfare-type environment,” said the Marine Corps’ head of education, in a widely syndicated article clearly intended to get the message across the whole US military.
  • But it’s not all soldier selfies. The 2018 Strava case showed that a popular fitness tracker, used by many in the US military and diplomatic services to record their favourite running routes for other app users, had exposed the locations of military and intelligence installations around the world.

Different militaries have varied in their responses, often in ways that seem to track their broader culture and politics. Turkey banned smartphone use by soldiers on-base in 2015, and Russia followed suit in 2019 when its parliament unanimously voted to ban tablets and smartphone use by on-duty armed forces. The Russian law also forbids men and women in the military from sharing information and photos about their service, because this content had been used by others “to shape a biased assessment of the Russian Federation’s state policies.”

A more liberal outlier is China, where the People’s Liberation Army decided in 2016 to limit where and when soldiers on domestic bases can use their smartphones, and only after they realized that the taxi-hailing apps soldiers used to get back at night were collecting personally identifiable location data around military installations. Some bans are specific to location; Indian soldiers along the “Line of Actual Control” between Indian and Chinese-controlled parts of the Himalayas are forbidden to use Chinese apps like Weibo and WeChat. Countries that are more likely to use internet shutdowns also seem more likely to implement blanket-bans on soldiers using smartphones. Turkey, for example, recently blocked access to Twitter during a bombardment in Syria. In India, Kashmir is now in its six-month of a government-imposed internet shutdown.

Authoritarian countries tend to be more absolutist in their policies regarding communications. They also lack the institutional capacity to consistently police their draconian rules, so smartphone bans may be observed more in the breach. Already, Bellingcat has easily identified many Russian soldiers’ pseudonymous profiles, and the weakest link in the chain — as I can attest — is often the proud or just emotionally needy wives and girlfriends who share pictures or insist on frequent phone calls.

The US seems more permissive on communications devices than the UK’s military, based on my experience of a friend’s husband buying and using an iPad on a US base in Afghanistan. One reason could be that US deployments tend to be longer and more frequent. But as our cell phones become increasingly integrated into every aspect of our lives, they represent an increasing threat — which is why the rules are tightening. Since 2018, the US has forbidden GPS-enabled functioning of personal devices on deployment, although this unintentionally hilarious education video – “Don’t end up like this guy”– suggests the ban is more honoured in the breach. Decisions to ban devices altogether, and not just specific GPS functionality on the devices, seem to be determined on a case by case basis. A recent 82nd Airborne deployment to the Middle East that banned all smartphones and devices was sufficiently newsworthy to be reported on CNN.

One factor quietly influencing phones and deployment is geography. Typically, a soldier is deploying to somewhere far away. Distance tends to lower the expectation of frequent contact, and it also complicates the matter of the cell phone service provider. Soldiers from the US or UK who deployed to Afghanistan could, in theory, buy a local prepaid SIM card and put it in their own smuggled phone. This would be a bad move. A unique identifier in the phone, verifiable via a global industry database, would immediately allow the local phone provider to determine the phone’s provenance. With Russian, Iranian and Chinese intelligence agencies widely believed to be perched on Afghan networks, they could build up a picture not just of troop movements but possibly of identified individuals to track when they went home. Following the soldier home electronically doesn’t seem to have happened Afghanistan, but it’s been reported to have happened to NATO personnel in the Baltics, whose families were apparently traced by Russian entities.

Not being able to trust the local cell phone provider can have a big impact, and it can happen even if the conflict is in the military’s own territory. The Kenya Defence Force (KDF) operates in Al Shabab-contested parts of north-eastern Kenya, near Somalia, and seem to have an active feud with Hormuud, the main Somali telecoms provider. The KDF frequently targets Hormuud cellphone towers across the border in Somalia. Al Shabab, which has long been suspected of being close to the cellphone operator Hormuud, returns the favour, frequently blowing up Safaricom towers inside the Kenyan border. This knocks out some of the KDF’s communications, and often happens just before attacks. Researcher Rashid Abdi has suggested that the battles over these cellphone towers could be some combination of a proxy war between the governments of Kenya and Somalia, and the Somali telecoms provider Hormuud using Al Shabab to “gain commercial advantage or to avenge previous attacks” on Hormuud’s cellphone towers. Either way, KDF soldiers cannot reliably and securely communicate with cellphones while on Kenyan turf.

The Israeli Defence Forces’ unusually liberal policy regarding cell phone use during active service may be partly because their soldiers stay relatively close to home and can use their own domestic service providers. A recent alleged catfishing attempt by Hamas tried to tempt Israeli soldiers to share information with fake profiles of attractive young women on social media sites. Like the US Marine whose unit selfie ‘got his whole unit killed’ and became a cautionary tale on the evening news, the thwarted Hamas attack on a known vulnerability – the infinite vanity and ever-hopefulness of horny young men far from home – seems to have been publicised as a lesson for the troops. A widespread ban on personal cell phones in the IDF seems unlikely, not least because in a small country with near-universal conscription, parents are eager to keep tabs on their children during military service.

Military chiefs often focus on the operational security problems of cell phones, but downplay another reason for their disquiet — i.e., soldiers using them to highlight bad treatment or conditions. Soldiers in India and Turkey have reportedly uploaded pictures or videos of bad food or poor shelter.

Even when conditions are fine, cell phones are an escape from military life, and not all countries welcome that. South Korea banned its conscripts from having mobile phones at all during their two years’ service, and rigorously enforced it. But in 2018 the ban was reviewed and partly relaxed as part of a wider effort to reduce the isolation and total control over conscripted soldiers. Now, soldiers are allowed to use cell phones for an hour or two per day in barracks, enforced not by the military itself, but by specialised subscriptions from telecoms providers. Both the conscripted soldiers and their families back home report being happier, and time will tell if lessening the total control over soldiers affects their morale or cohesion.

Enemies will always exploit vulnerabilities – both technological and human. Official policies on soldiers and cell phones will go on evolving as the demands of operational security change, the places they’re deployed to vary, and our expectations about connectedness to serving loved ones develop. And as the rules evolve, the ways people break them will, too.