The internet is a tricky place, and our devices allow us to outsmart ourselves regularly.
In a recent piece, the good folks at Bellingcat (the same team that dissected the Skripal poisoning in the UK by the GRU) took a deep dive into what appears to be a perfectly benign app, “Untappd,” which is used by 9 million beer drinkers around the world. One of the features of the app allows the user to “check in” at their beer-drinking establishment. It might be a brewery, their kitchen, an embassy, military base or secret intelligence facility.
The creators of the app had a simple goal: help users to find good beer. Individuals check in, comment on beers and establishments, and rate both. The geolocation data used by the app is pulled via an API using Foursquare – a well-established app. Individuals can use the Untappd app to share their observations with various social networks, including Facebook and Twitter.
Establishments can use the app to gin up a customer base by encouraging commentary about their line-up of brews — think of it as a combination of Yelp and Foursquare for the beer aficionado.
OPSEC and Geolocation
The Department of Defense conducted an OPSEC review in 2018 on how the internet of things, specifically apps that collect geolocation data, could be a threat to operational security by providing confirming information to adversaries as to personnel and facility location. The 2018 review followed the revelation by Strava Labs that personnel were jogging and that their health and fitness apps were tracking their routes.
OPSEC and counterintelligence briefings abound on the threat posed by personal devices to mission, personnel and facility. Finding Waldo has never been easier when you leave a trail of empty beer mugs.
The Bellingcat review of the beer lover’s app, Untappd, demonstrates to us the need to repeat the OPSEC message again and again. The researchers were able to identify users by name and create a trail of their travels through the various check-ins they logged on the app or by collating the info with other social network postings. Examples culled from Untappd by Bellingcat included:
“U.S. drone pilot, along with a list of both domestic and overseas military bases he has visited, a naval officer, who checked in at the beach next to Guantanamo’s bay detention center as well as several times at the Pentagon, and a senior intelligence officer with over seven thousand check-ins, domestic and abroad. Senior officials at the U.S. Department of Defense and the U.S. Air Force are included as well.”
And while many will smile at some of the identified locations (“Duck and Cover,” which is the Embassy bar in Kabul, for example), there are other locales which should raise an eyebrow, including Ramstein Air Base, or the alleged CIA training facility at Camp Perry, VA. In the former, 588 individuals have been checking into the air base, logging their brews and filing photos (including those of military IDs, facilities, and armament).
In the latter, Bellingcat was able to pinpoint the residential building on Camp Perry featured in a user’s posting by collating open source information with the photos and data from that user’s profile and postings.
The Dutch military found their personnel featured as well. The researchers were easily able to identify Dutch military establishments, and then pinpoint the global travels of various personnel who logged their beer drinking at various military facilities around the world.
An app can have the best privacy and security protocols, but if the user is going to post that which shouldn’t be posted and piss away their OPSEC like they do their beer, then we’ve no one to blame but ourselves when it is exploited by nation states, criminals or terrorists.