The commander of the 504th Military Intelligence Brigade, Fort Hood, TX (504th MI) is an official member of the “unintended consequences” club. The 504th MI commander authorized the creation, distribution and use of an application which was ordered to be placed on every brigade member’s smartphone. Just recently, the brigade commander walked that order back.
Why a need for a 504th Military Intelligence Brigade application?
The application, “was developed out of need and request from unit members to have consolidated, timely information about unit events, training and other relevant events.” Makes sense to most, especially within a closed ecosystem.
The brigade did what any entity would do in developing an app: they went and found a contractor with a track record of creating similar apps – Straxis LLC of Tulsa, OK. A statement sent to the brigade on November 6th assured all that “504th senior cyber security technicians and Straxis work closely together to ensure all 504th app user information is protected through tailored security protocols specifically designed for our military intelligence unit.”
Not being present during the contractor selection process, we can’t comment on the due diligence. We do note that a November 14 visit to the Straxis Technology website set off the warning klaxon.
The site had not implemented the most basic of web security measures: an SSL/TLS certificate and HTTPS. This writer ran the site through a number of tests, all returned the same report: No SSL certificates were found.
But let’s set aside the lack of SSL and give them the benefit of the doubt. Straxis suggests they do this type of project day in and day out. The list of universities for which apps have been created is impressive (Kansas, Vanderbilt, Boston College and more).
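A quick way to reproduce that kind of finding yourself is to attempt a TLS handshake against the host and report what comes back. The following is an added example written for this article; it is not Straxis code and it does not contact any real site. It probes a local listener, constructed here to answer on a port with plaintext HTTP instead of TLS, which is what a web server with no certificate looks like on the wire. One caveat worth keeping in mind: a marketing website with no HTTPS says nothing directly about how the app itself talks to its backend, but it is a fair signal about the vendor's habits.

```python
import socket
import ssl
import threading


def probe_tls(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Attempt a TLS handshake with host:port and say what happened.

    Returns a dict with 'tls' (True only if a handshake completed),
    'reason' (short explanation) and 'subject' (certificate subject, if any).
    """
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                subject = dict(field[0] for field in cert.get("subject", ()))
                return {"tls": True, "reason": "handshake ok, certificate verified",
                        "subject": subject, "protocol": tls.version()}
    except ssl.SSLCertVerificationError as e:
        # A certificate is presented but does not validate (expired, wrong name, untrusted CA).
        return {"tls": True, "reason": "certificate failed validation: %s" % e.verify_message,
                "subject": None}
    except ssl.SSLError as e:
        # The port answered, but not with TLS: plaintext HTTP on 443, for instance.
        return {"tls": False, "reason": "no TLS handshake: %s" % e.reason, "subject": None}
    except OSError as e:
        # Connection refused, reset, timed out, DNS failure.
        return {"tls": False, "reason": "connection failed: %s" % e, "subject": None}


def demo_no_tls() -> dict:
    """Stand up a constructed local listener that replies in plaintext HTTP
    (a stand-in for a web server with no certificate) and probe it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port
    srv.listen(1)
    srv.settimeout(5.0)
    port = srv.getsockname()[1]

    def serve_once():
        try:
            conn, _ = srv.accept()
            conn.recv(4096)  # swallow the client's TLS ClientHello
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
            conn.close()
        finally:
            srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return probe_tls("127.0.0.1", port)


if __name__ == "__main__":
    print(demo_no_tls())
    # Against a real host you would call e.g. probe_tls("example.com")
```

The OpenSSL error you get back from a plaintext responder is typically `WRONG_VERSION_NUMBER`, because the first bytes of the HTTP reply are read as a TLS record header. The three failure branches are deliberately kept separate: "no certificate at all", "certificate that does not validate" and "nothing listening" are different findings for a vendor assessment.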
App Permissions: Know Before You Download
Taking a peek at the app’s Android permissions (the list a user sees before installing), we see a set of actions that gives one pause. Following installation, each brigade member is permitting the app to take a plethora of actions on that member’s smartphone (not U.S. Army issued smartphones, rather their personal smartphones).
- Calendar: The calendar may be read and modified
- Contacts: Your contacts may be read and modified
- Location: Precise GPS location
- Phone: Status and identity (of device)
- Storage: Modify or delete the contents of SD card storage AND read USB storage
- Other: Prevent phone from sleeping; full network access; view network connection; receive data from internet
- And: The 504th MI may automatically add additional capabilities (the standard Google Play note that app updates can add permissions within an already-granted group)
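The permission list above is what the store renders for the reader; the authoritative source is the `<uses-permission>` entries in the APK's AndroidManifest.xml, which anyone can pull out once the app is public. The script below is an added example for this article, not code from the 504th MI app or from Straxis. It parses a constructed manifest (hypothetical package name `com.example.unitapp`, with the same permission mix the article lists) and groups the requests the way the Play install screen does, flagging the groups that reach into personal data.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Android permissions mapped to the group and plain-language line Google Play
# shows on its install screen. Anything not listed here is reported separately.
PERMISSION_GROUPS = {
    "android.permission.READ_CALENDAR": ("Calendar", "read calendar events"),
    "android.permission.WRITE_CALENDAR": ("Calendar", "add or modify calendar events"),
    "android.permission.READ_CONTACTS": ("Contacts", "read your contacts"),
    "android.permission.WRITE_CONTACTS": ("Contacts", "modify your contacts"),
    "android.permission.ACCESS_FINE_LOCATION": ("Location", "precise location (GPS and network-based)"),
    "android.permission.ACCESS_COARSE_LOCATION": ("Location", "approximate location (network-based)"),
    "android.permission.READ_PHONE_STATE": ("Phone", "read phone status and identity"),
    "android.permission.READ_EXTERNAL_STORAGE": ("Storage", "read the contents of your USB storage"),
    "android.permission.WRITE_EXTERNAL_STORAGE": ("Storage", "modify or delete the contents of your USB storage"),
    "android.permission.WAKE_LOCK": ("Other", "prevent device from sleeping"),
    "android.permission.INTERNET": ("Other", "full network access"),
    "android.permission.ACCESS_NETWORK_STATE": ("Other", "view network connections"),
    "com.google.android.c2dm.permission.RECEIVE": ("Other", "receive data from Internet"),
}
GROUP_ORDER = ["Calendar", "Contacts", "Location", "Phone", "Storage", "Other"]

# Groups that reach into personal data: the ones to question when the app is
# going onto a personally owned phone rather than an issued one.
PERSONAL_DATA_GROUPS = {"Calendar", "Contacts", "Location", "Phone", "Storage"}

# Constructed sample (hypothetical package), shaped like the decoded manifest
# apktool produces. It is NOT the real app's manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.unitapp">
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.WRITE_CALENDAR"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Unit App"/>
</manifest>
"""


def audit_manifest(manifest_xml: str) -> dict:
    """Collect every requested permission and bucket it by Play store group."""
    root = ET.fromstring(manifest_xml)
    # Both tags declare permissions; the -sdk-23 form is only honoured on Android 6+.
    found = [el.get(NAME_ATTR) for tag in ("uses-permission", "uses-permission-sdk-23")
             for el in root.iter(tag)]
    requested = list(dict.fromkeys(p for p in found if p))  # dedupe, keep order
    groups, unmapped = {}, []
    for perm in requested:
        if perm in PERMISSION_GROUPS:
            group, desc = PERMISSION_GROUPS[perm]
            groups.setdefault(group, []).append(desc)
        else:
            unmapped.append(perm)
    return {
        "package": root.get("package"),
        "requested": requested,
        "groups": groups,
        "personal_data_groups": [g for g in GROUP_ORDER if g in groups and g in PERSONAL_DATA_GROUPS],
        "unmapped": unmapped,
    }


def format_report(audit: dict) -> str:
    """Render the audit in the same shape as the store's permission screen."""
    lines = ["Package: %s" % audit["package"]]
    for group in GROUP_ORDER:
        if group in audit["groups"]:
            flag = "  [personal data]" if group in PERSONAL_DATA_GROUPS else ""
            lines.append("%s:%s" % (group, flag))
            lines.extend("  - %s" % d for d in audit["groups"][group])
    if audit["unmapped"]:
        lines.append("Not in the Play group table (review by hand):")
        lines.extend("  - %s" % p for p in audit["unmapped"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit_manifest(SAMPLE_MANIFEST)))
```

To run this against a real APK, decode the binary manifest first, for example with `apktool d app.apk` and feed the resulting `AndroidManifest.xml` to `audit_manifest`; `aapt dump permissions app.apk` gives the raw list without the grouping. The "personal data" flag is the point of the exercise: on an issued device those groups are the Army's data to manage, on a personal device they are the soldier's.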
The troops protested being ordered to allow the 504th into their personal devices and their personal lives. Had the devices been U.S. Army issued devices, the issue of personal information intrusion would have been mitigated. Service members complained that intimate photos from their spouses, their contacts and their location were all being made available to the 504th MI through the app.
OPSEC question: What were they thinking?
The existence of an app for use by a U.S. Army entity – especially a military intelligence entity – causes one to scratch their head, especially given the number of OPSEC alarm bells that should have been ringing during design and beta.
Publishing the app on Google Play or the Apple App Store (global access) allows anyone, adversaries included, to download and dissect it. In addition, they can see how many times the app has been downloaded, providing a nice head-count of the number of individuals a compromise of the application would affect.
Basic OPSEC dictates that if you compile the location of all personnel (or at least of their phones), that information must be protected. Imagine a member of the 504th MI being detailed to a special operation while the app phones home with his precise location, which isn’t where the 504th MI is currently deployed. That defeats the need-to-know principle, while also potentially providing an adversary operational information on personnel deployment.
In addition to the security concerns, the privacy concerns were valid, particularly concerning the reach into personal data required by the app. Storage access, both SD card and USB storage – isn’t that where personnel place their family and personal photos?
It would appear the genesis of this app was wrapped in good intentions and efficiency.
Look inside, though, and what might be acceptable in the university environment, where trading privacy and security for convenience may be perceived as having little consequence, doesn’t fly when applied to national security.