
DoD: Turn Off Your Fitbit, Garmin, Apple Watch GPS - smacktoward
https://breakingdefense.com/2018/08/turn-off-your-fitbit-garmin-apple-watch-gps-now/
======
duxup
I occasionally did onsite support many years ago for some weird proprietary
equipment.

One military site had the rule that nothing electronic left the main gate site
without being handed over to the guards, processed, and I believe destroyed
before it left (not that you ever saw it again anyway). They were serious...

You drove to the site knowing it would all be gone and a strong warning not to
turn around if you were near the gate because you just remembered you had your
phone in your rental car.

We went through a lot of equipment.

But that site as far as anything I could have done, secure. I don't even know
what the facility looks like as it was blindfolds and guards all the way to
the equipment (well you could see the bathroom....with an MP.. there).

I feel like those kind of policies are the way of the future. There is no
other way at this time.

~~~
userbinator
_I feel like those kind of policies are the way of the future. There is no
other way at this time._

For military, yes. For civil, that's going a bit too far into the dystopian
realm.

~~~
flukus
> For military, yes. For civil, that's going a bit too far into the dystopian
> realm.

Destroying the devices might go a bit far, but there are plenty of jobs that
require things like phones going into a drawer before a shift starts. Not
everyone is always on all the time.

~~~
bigiain
I've got friends who work at places where company policy says that any
electronics you travel to China with can never be connected to the corporate
network again.

They don't destroy the devices, but all travel phones/laptops are "burners"
and get given away instead of ever used for work again.

~~~
allthenews
Why? Couldn't you just format the drives if you were that paranoid? Are they
worried about some kind of hardware bugging or sub OS exploits while the owner
is not looking?

~~~
mohaine
Quite simply, yes. A modern "computer" is made up of multiple layered CPUs and
OSs at this point. WiFi, sound, SSD, GPU all often have embedded CPUs and
firmware that could get "enhanced" and survive a recore.

~~~
bigiain
Hell - even the _batteries_ have embedded cpus and firmware...

[https://www.defcon.org/images/defcon-19/dc-19-presentations/...](https://www.defcon.org/images/defcon-19/dc-19-presentations/Miller/DEFCON-19-Miller-Battery-Firmware-Hacking.pdf)

(Note slide 116 there - about 7 up from the end: "Attacking the OS kernel")

[https://www.v3.co.uk/v3-uk/news/2099616/black-hat-charlie-mi...](https://www.v3.co.uk/v3-uk/news/2099616/black-hat-charlie-miller-explains-apple-battery-hack)

[http://www.karosium.com/2016/08/smbusb-hacking-smart-batteri...](http://www.karosium.com/2016/08/smbusb-hacking-smart-batteries.html)

~~~
ridgeguy
In the end, if it runs code, you cannot trust it.

------
lvh
This leaves out an important part: in sensitive areas like a SCIF. All they’re
really saying is that modern smart watches can have similar capability to
phones—we don’t allow those, so we shouldn’t allow the new watches either.
Pretty straightforward.

~~~
dx87
That's not what this article is about at all. Anything that has any sort of
transmission or recording capabilities has been banned inside of secure
facilities for as long as I can remember; fitness devices aren't something that
would need to be covered by a new rule. They don't want you wearing devices
that share GPS coordinates because it makes it simple to get accurate
locations of buildings and troop schedules. Instead of blindly firing mortars
into a base, just look for where the GPS signals cluster at night and you
probably know where everyone is sleeping. See a signal that goes from the
troop quarters to the base perimeter, then goes back a few hours later?
Probably someone on guard duty, now you can start figuring out when the shift
rotations happen.

------
okket
Related previous discussion from 6 months ago:

"Strava heatmap can be used to locate military bases"

[https://news.ycombinator.com/item?id=16249955](https://news.ycombinator.com/item?id=16249955)
(267 comments)

------
css
This is pretty old news [0], I wonder why it took this long for an official
statement.

[0] [https://www.wired.com/story/strava-heat-map-military-bases-f...](https://www.wired.com/story/strava-heat-map-military-bases-fitness-trackers-privacy/)

~~~
dx4100
Yeah, I remember reading this.

Doesn't this really only apply to devices with GPS?

~~~
wolf550e
MEMS gyroscopes are a useful inertial navigation system that can be accurate
enough. Some intelligence can be gathered with just a pedometer.

------
clircle
Title should be "Turn off your Fitbit, Garmin, Apple watch GPS in operational
areas"

~~~
DINKDINK
Attacker: "Yeah so they told them to turn off their GPS devices when they go
into operational areas so we just searched where there were holes in the GPS
data and bingo we figured out the secret base's location."

By producing or removing signal above what would have occurred normally,
information leaks out of the system.

~~~
bigiain
Check the "hole in the Strava data" maps at the bottom of this article:

[https://charliesavage.com/?p=1173](https://charliesavage.com/?p=1173)

------
saudioger
My favorite is the person who logged a bike ride at Area 51 using Strava.

------
tokyodude
Reading the article about no phones/cameras/mics allowed makes me wonder what
will happen if we ever get to the in-eye AR world some of us envision, where
there is no turning that stuff on since it's embedded in your head and you're
likely as dependent on it as I am on MDN and Stack Overflow.

------
segmondy
One can't even sync Fitbit without the GPS on. I just want to count my steps,
and bluetooth is not enough? For at least Fitbit, the rule should be not to
own one.

~~~
magicalwh
That's because for Bluetooth pairing, Android requires location services to be
on.

It's not Fitbit, that's the problem with Android in general.

~~~
segmondy
How come I don't need location services for some of my other Bluetooth devices?

------
trhway
Reminds me how both sides - Ukraine and Russia - (as the telecom companies on
both sides were either the same or tightly integrated, technically and
financially, and had [easy] access to real-time tracking data as well as to
registration data) tracked cell phones carried by the soldiers and volunteers
of each other (like a bunch of cell phones of Russian paratroopers moving from
their base in Pskov and coming to Donbass :). Especially during the first few
months of 2014 until the people finally realized that the tracking had been
going on and had actually even been used in real time to direct fire at them.

Also, the leader of Chechnya, Dudaev, was killed in 1996 by tracking his
satellite phone signal -
[https://en.wikipedia.org/wiki/Dzhokhar_Dudayev#Death_and_leg...](https://en.wikipedia.org/wiki/Dzhokhar_Dudayev#Death_and_legacy)
(more detailed and more conspiracy style version - 2nd paragraph at
[https://jamestown.org/program/alla-dudaeva-describes-being-i...](https://jamestown.org/program/alla-dudaeva-describes-being-interrogated-by-litvinenko) )

------
DennisAleynikov
The ways of finding out information about militaries are getting more and more
convoluted and hard to prevent.

------
sdmike1
So would this preclude anyone with a medical device from working there? Say,
like an insulin pump?

~~~
wild_preference
Which part of the article makes it sound like they could be talking about
insulin pumps?

~~~
milesvp
The part where insulin pumps are electronic equipment. It's becoming more and
more common for devices like insulin pumps to upload data automatically to
other devices. It'd be hard to get location data I think from glucose logs.
But SoCs are getting more and more features, and an insulin pump that also
tracks steps is not a huge stretch of the imagination, especially if the power
draw was tiny.

~~~
always_good
> The part where insulin pumps are electronic equipment.

That's not a part of the article.

The article and memo clearly focus on geolocation data. Not a feature I can
find in insulin pumps after a cursory search.

~~~
acct1771
Not by default.

An attacker could change that.

~~~
bpicolo
An attacker in the building could just keep geolocation on on their regular
device. That's not the point of this exercise.

------
shanxS
I'll go out on a leg and ask - why not brute force and use a signal jammer? Or
in a SCIF, jam all incoming signals, except for the ones they want to whitelist.
If there is wifi, whitelist devices that can be connected to it.

~~~
lucamoller
A jammer doesn't fix the fact that these devices could still record whatever
when inside the facility and just transmit the acquired data later once the
wearer goes outside.

~~~
userbinator
The point of jamming GPS is that these devices then do not know what their
location is, so the records wouldn't show anything.

~~~
lucamoller
The risk is not limited to location data. Leaking any audio or video could
also be problematic. I also wonder how much location data could be inferred
with accelerometers.

------
Timpy
I'm kind of surprised that they published the memorandum here, especially with
contact information. I suppose I don't see how it would be a security risk, I
just assumed it would have been.

------
Someone
So, it takes the DoD about a month to write such a simple memo? Was there a
preliminary “while we investigate this, turn it off” memo? If not, how
does that compare to other countries?

------
joeblau
I thought this was going to be some security issue with GPS in general. This
is really just aimed at DoD employees.

------
amelius
They should hire Amish people ...

~~~
fyfy18
You joke, but I believe I read something about the CIA hiring a lot of Amish.
Compared to the general population, their priorities are different meaning
it’s a lot harder to corrupt them. Unfortunately I can’t find any citations
(maybe it was a comment here?).

------
1996
This is like how cellphones are forbidden in planes because of their RF
emissions - unsecure, unworkable and dangerous. Security theater at best.

A proper solution is technological, not social. Selective location GPS
jammers, only letting through a different frequency or encryption for military
GPS.

~~~
JumpCrisscross
> _A proper solution is technological, not social_

If the last decade had a TL;DR, it would be "technology offers second-rate
solutions to social problems." If your soldiers lack the discipline to turn
off their phones on command, you've got a bigger problem than RF leakage.

~~~
Dylan16807
A good solution to people forgetting is to remove the need to remember.

Disobeying is a social problem. Imperfect repetition is not.

