DoD IG report on mobile apps uncovers serious operational and cybersecurity risks - Mobile Security Briefing 2023.092

The Department of Defense’s Inspector General released a management advisory on 9 Feb 2023 titled “The DoD’s Use of Mobile Applications” (version with highlights). The advisory determined that:

  • “DoD personnel are conducting official business on their DoD mobile devices using mobile applications in violation of Federal and DoD electronic messaging and records retention policies.”
  • “DoD personnel are downloading mobile applications to their DoD mobile devices that could pose operational and cybersecurity risks to DoD information and information systems.”

A significant area of risk stems from DoD components offering users mobile apps without security assessments. The IG found that:

many unmanaged applications routinely require access to a user’s contact list, location data, and photo library that could reveal sensitive DoD locations and information. Unmanaged applications could also contain malicious code to record screen activity, log keystrokes, or activate the microphone posing a risk of cyber espionage.

The report goes on to provide specific examples (details redacted) demonstrating the real risks present today.

These are, in my opinion, significant and very overdue findings that are of strategic importance to the national security of the United States. Why? Because war fighters and other personnel in the DoD are just like everyone else: they use mobile apps extensively. However, unlike citizens who are not directly involved in the defense of the United States, the information they possess or inadvertently transmit (e.g. GPS location, contacts) poses serious risks not only to DoD information but also to the war fighters themselves.

There are many instances of these security incidents in the news (and many that never see the light of day); a few examples follow:

  • An interactive map posted on the Internet that shows the whereabouts of people who use fitness devices such as Fitbit also reveals highly sensitive information about the locations and activities of soldiers at U.S. military bases (WSJ)
  • Lethal incident with Ukrainian troops in 2016: Russia was able to compromise a phone app developed by a Ukrainian artillery officer to improve his unit's shooting performance. That hack proved lethal, as malware turned the app into a beacon, allowing the attackers to locate Ukrainian military positions. (CBS News)
  • Russian operation that successfully targeted at least 4,000 NATO troops in Eastern Europe, including U.S. soldiers to gain operational information, gauge troop strength and intimidate soldiers. Drones with surveillance equipment as well as rogue access points on the ground give Russia the capability to track or hijack smartphones. (WSJ)
  • A Navy IG report found that an app downloaded to personal devices contained vulnerable software that potentially puts Marines and sailors at substantial risk from hackers and sophisticated near-peer rivals like Russia, who could compromise the devices to glean sensitive battlefield information or location data.
  • Researchers use a beer app to track the military and CIA (Popular Mechanics)

The Management Advisory goes on to make 16 recommendations, 14 of which they “consider unresolved because management officials did not fully address or did not respond to the recommendations.”

While the advisory does not reproduce all of the recommendations, the recommendation to periodically vet mobile apps remains contested. The DoD IG responded to the DoD CIO’s pushback with:

Although we acknowledge that DISA assesses applications before adding them to the application stores, DISA does not have a process to periodically review the list of authorized unmanaged applications and remove those applications from the list that do not have a justifiable need, have known cybersecurity risks, or are banned by the DoD.
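The periodic review the IG is asking for is largely mechanical once an app's manifest is in hand. The following is an added example (my own illustration, not code from the DoD IG advisory, DISA, or NowSecure) of the kind of automated triage that could run on a schedule against every app on an authorized list: it parses a decoded AndroidManifest.xml, flags the permission classes the advisory calls out (contacts, location, photo library, microphone), flags an accessibility service (the usual non-root keystroke-logging vector), and checks the package name against a denylist. The manifest and the `com.example.bannedapp` denylist entry are constructed for the example; the risk-class mapping and the "tolerated" policy are assumptions a real program would replace with its own.

```python
"""Static permission triage for decoded Android manifests (added example).

Assumes the APK has already been unpacked and its binary manifest decoded
to plain XML (apktool or androguard can do this); the sample manifest
below is constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> risk class, following the categories the advisory names.
# The mapping is an assumption for this example, not an official list.
RISKY_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.GET_ACCOUNTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location",
    "android.permission.READ_EXTERNAL_STORAGE": "photo library",
    "android.permission.READ_MEDIA_IMAGES": "photo library",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
}

# A service protected by this permission receives every UI event on the
# device, which is how keystroke loggers operate without root.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Hypothetical denylist of package names an organisation has banned.
BANNED_PACKAGES = {"com.example.bannedapp"}


def triage_manifest(manifest_xml: str, banned=BANNED_PACKAGES):
    """Return a list of (risk_class, detail) findings for one manifest."""
    root = ET.fromstring(manifest_xml)
    findings = []

    package = root.get("package", "")
    if package in banned:
        findings.append(("banned", package))

    # <uses-permission android:name="..."/> entries are direct children
    # of <manifest>; only the attribute carries the android namespace.
    for perm in root.findall("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in RISKY_PERMISSIONS:
            findings.append((RISKY_PERMISSIONS[name], name))

    # Any <service> bound with the accessibility permission is a
    # keystroke-logging capability regardless of what the app claims.
    app = root.find("application")
    if app is not None:
        for svc in app.findall("service"):
            if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION:
                findings.append(("keystroke logging",
                                 svc.get(ANDROID_NS + "name", "")))
    return findings


def should_remove(findings, tolerated=("camera",)):
    """Policy hook: remove from the authorized list when any finding falls
    outside the risk classes the organisation has decided to tolerate."""
    return any(risk_class not in tolerated for risk_class, _ in findings)


# Constructed sample manifest: a "fitness" app that asks for precise
# location and contacts and registers an accessibility service.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fitness">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Fitness">
    <service android:name=".KeyWatch"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""

# Constructed benign manifest for contrast: only network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""

if __name__ == "__main__":
    for label, xml in (("fitness", SAMPLE_MANIFEST), ("notes", BENIGN_MANIFEST)):
        found = triage_manifest(xml)
        print(label, found, "-> remove" if should_remove(found) else "-> keep")
```

Run against a directory of decoded manifests on a schedule, this is enough to catch the two things the IG says DISA is not doing: spotting apps that have picked up risky permissions since they were approved, and pulling apps that land on a ban list. It is deliberately static; it says nothing about what the app does with those permissions, which is where dynamic analysis and penetration testing take over.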

This topic is obviously an area where I am an expert, and I can confirm that continuous vetting of mobile apps is possible via automation and software-assisted penetration testing. If you’d like to learn more, please contact me on LinkedIn or through my company’s (NowSecure) contact us page.