Troops’ phones leaked location data to foreign adversaries

Jump to main content

Search

REG AD

Security

Troops’ phones gave away location data to foreign adversaries

Lawmakers push DoD to tighten smartphone controls after adversaries exploited commercial tracking data

Brandon Vigliarolo

Brandon<br>Vigliarolo

Published<br>thu 28 May 2026 // 22:35 UTC

Getting the location of troops at war might be as easy as buying the data from a legitimate business. America’s foreign adversaries have exploited commercial geolocation data tied to US troops, the Pentagon admits, using it to target or surveil US personnel in the Middle East. Despite that, the Defense Department hasn’t exactly moved fast to secure the information, elected officials say.<br>Senator Ron Wyden (D-OR), Representative Pat Harrigan (R-NC), and a dozen other Congress critters sent a letter to DoD CIO Kirsten Davies on Thursday, demanding a change in smartphone security posture among US military branches. Included in the letter is what lawmakers describe as the first public confirmation that commercial location data has been used to target or surveil American troops in active war zones. The information was shared with Wyden’s office in April.<br>The reason for the delay in publishing the information, Wyden’s team told The Register, was due to “markings that restricted public release,” which Wyden reportedly pushed back on, leading to Thursday’s letter and the attached responses [PDF] from the DoD confirming info purchased from commercial data brokers was used to target troops.

REG AD

“USCENTCOM [US Central Command] has received multiple threat reports concerning adversary exploitation of commercial location data to target or surveil US personnel in theater,” the DoD’s responses from April indicate.

REG AD

As for how exactly data brokers got access to the data that allowed adversaries to locate troops and their movements, they got it from the same sources as anyone else buying data from a commercial broker: Smartphone advertising profiles.<br>According to the DoD responses included in Wyden’s letter, not only are US military personnel allowed to use personal devices within operational areas, there’s no actual policy that requires servicemembers to turn off geolocation capabilities on their devices when located in active war zones.<br>“USCENTCOM's geolocation risk guidance directs personnel to disable geolocation functionality when not needed; periodically review device and application privacy settings; and limit public sharing of information,” the DoD said last month, while simultaneously admitting that such guidance doesn’t always fully disable geolocation on smartphones.<br>In addition to personally-owned devices, the DoD’s own issued smartphones don’t disable advertising profiles, either.<br>“The Personalized Advertising setting is disabled by group policy on the Mobile Device Management Server,” the DoD told Wyden’s team. “However, Ad Targeting Information is not disabled and can be edited by a user.”<br>That’s not the most straightforward answer, and, when we asked Wyden’s team what it thought of the response, it agreed with our assessment that the Pentagon’s MDM disables the serving of personal ads to users, but doesn’t stop the transmission of device advertising IDs or other associated data.<br>The DoD noted in the response that it’s in the process of migrating to a new MDM solution that allows location services to be completely disabled on government-issued devices and was targeting a completion date of early May, though it’s not clear whether the process has been finished yet. The Pentagon declined to answer any of our questions, only saying it would respond to Wyden, not us.<br>It’s also not clear how effective that MDM migration will be, as the DoD appears to be phasing out government-issued devices in favor of a broader BYOD policy in at least one branch. According to a US Army press release from earlier this month, the branch is targeting the end of this month for the return of Army-managed work smartphones, as “the primary and preferred method for connectivity is the Bring Your Own Device, or BYOD, program.”

REG AD

CENTCOM has reportedly strengthened its geolocation controls in its area of operations; whether the average soldier, sailor, airman, and Marine is complying isn’t indicated.<br>They’ve known about this for how long?!<br>Failure to prevent the exposure of sensitive location data of military assets could be forgivable if it were a new problem, but according to Wyden’s letter, it’s not: The Pentagon likely knew about the issue for a decade.<br>According to the letter, government contractors briefed military leadership about the ease of tracking smartphones owned by military members way back in 2016.<br>“DoD officials have not treated this counterintelligence and force protection threat as a five-alarm fire,” the letter asserts, adding that the Pentagon “has known about this threat for over a decade, yet have failed to take meaningful steps to protect our men...