The Department of Defense (DoD) must ensure the confidentiality of military vessels locations by mitigating the use of mobile devices, unauthorized wireless activity and radio frequency (RF) based threats. To identify active device emissions and enhance operational security, Bastille’s wireless intrusion detection system leverages smartphones, commercial satellite networks and advanced geolocation techniques to identify their own RF signatures before adversaries can exploit them. Access the Bastille podcast to hear Scott Stapp, a retired Air Force general and former CTO at Northrop Grumman, discuss airspace security challenges and the need for proactive RF monitoring tools. Discover the importance of implementing device policies, operational security (OPSEC) education and practical solutions like Faraday bags and RF detection systems to defend against wireless threats. Fill out the form to unlock the Bastille podcast and discover how your organization can protect mission-critical environments with wireless intrusion detection systems.
Anthony Jimenez
Welcome back to Carahcast, the podcast from Carahsoft, the trusted government IT solutions provider. Subscribe to get the latest technology updates in the public sector. I'm Anthony Jimenez, your host from the Kerasoft production team.
On behalf of Bastille Networks, we would like to welcome you to today's podcast, Cell Phones and Ships. We are joined by Dr. Brett Wachenhorst, CTO at Bastille, and Scott Stapp, CTO and CRO at DEF CON AI, who will be discussing the security risks posed by smartphones on Navy ships.
Brett Walkenhorst
Welcome back to the Daily Threat Podcast from Bastille. I'm your host today, Dr. Brett Walkenhorst. Today we're talking about the risks of cell phones on Navy ships.
We are joined by Scott Stapp.
Scott Stapp
As Brett said, Scott Stapp, I'm a 30-year retired Air Force officer, retired as a general officer back in 2015. I've worked 10 years in the defense industry with Northrop Grumman, retired there a couple years ago as the CTO, and I'm now working in the artificial intelligence world in the venture capital side for a company called DEF CON AI.
Brett Walkenhorst
Great. Thanks, Scott. So let's get into it.
The topic is smartphones on ships. What's the problem? So in general, you can imagine sailors are going to want communication capabilities.
They want to be able to connect with family and friends, but there's a risk to this. So can you help us frame that? What's the issue?
Scott Stapp
So I think it's only become a recent problem, really, when you think about it. And I think everybody understands and knows that the U.S. has had intelligence operations from space we call national technical capabilities. They've known that for decades.
Everybody is aware of it. But that was typically really just the purview of large nation states like the U.S. Very powerful economies. Russia had a little, but not tons, but nothing like the U.S. had. When you start to look at how the commercial world has changed the IT world and comms, when you look at something like a Starlink or you look at what Kuiper is trying to do, where you're talking about thousands of satellites in space that provide communications, that capability has now become much more accessible to our adversaries. So if you look at somebody like China, China actually has more assets in space than the United States does. And a lot of those are devices that will collect and basically be able to do geolocation.
So when you start looking at cell phones, 99% of the time, nobody cares where your cell phone is. When they're in port with their friends, nobody's tracking anything. But if you look at what the, we'll say the FBI, if a crime is committed and the FBI can go back and look through logs and trace where that cell phone was all over the place, they can go back and look and understand what it was.
Our adversaries now have that capability to look at where all of our cell phones are. They may not care about it 99% of the time. I guarantee you they do care where the ship is.
And unfortunately, wherever the ship goes, so do you. So if you're transmitting with a cell phone or you're talking, actually, if the cell phone is actually operating, your adversary has a high likelihood of being able to detect it, geolocate it, and therefore know where the ship is. And it's not just from space.
It is now from, you know, they've had it for a long time from other merchant vessels that can collect. Drones have become a real problem where you can launch them long distance that can do signals detection and geolocation. The real issue for the Navy has been that they want their sailors to have cell phones.
They want them to be able to talk and communicate with home. But there are times during critical operations, they want everything off. And I think most sailors, I think most people do not understand the significance of that.
So in some cases, they may just go to silent mode. Well, they don't know that if you've actually had somebody in, they can beacon your phone to actually communicate, even when it's just in silent mode, and in some cases, even when it's off. So the idea of Faraday bags, putting them in places that are secure is actually really critical.
So it is going to be a problem, not just for the Navy, but everywhere there's cell phones, they will tell you, obviously, where you are, and in some cases, what you're doing.
Brett Walkenhorst
So this is about ROPSEC, and what I'm hearing you focus on is non-cooperative localization because of the ubiquity of sensing platforms out there. So can you talk a little bit more about that? How can, if a phone is beaconing, how do they go about geolocating with these sensors?
And then you talked about like the harder problem is if the phone is in silent mode, how does one go about compromising it to get it to beacon?
Scott Stapp
So very similar, so when you think about how Starlink, because Starlink is a bunch of low-earth orbiting satellites that have to actually pass the comms off between each satellite for every user, it has to know where the user is to be able to do that. So the user is sending a signal up, and the satellites are actually geolocating where that user is. Anytime you want to geolocate anything, you need really three different points, right?
It's a triangulation. With a LEO satellite, it becomes very easy. With GEO satellites, you may only have one, but if the asset is moving over time, you can triangulate it because it is having different locations.
What do you mean? Basically, it will measure each point, and then if they get one other hit from another point, it can actually do some triangulation off those. Got it, okay.
So it actually really is not that difficult to triangulate an RF device. They'll get it into smaller and smaller ellipses. We call them ellipses because you'll have some error with those, but what you need is just enough where they can use other assets to take pictures, who have very broad things to find out where you're at, right?
So our adversaries are constantly, very much like us, we're constantly looking for all of our major military assets, and again, most of the time, we don't care, and we know people are looking at it, but there will be times where the Navy goes into what they call a mission control, and the idea is they'll hide in the weather, and they'll move around so that the overhead systems cannot see them. RF will transit that, and you can still geolocate, and it is interesting that if you have a very large ship like a carrier, where you may have 5,000 people, one person can geolocate the entire ship, right? You can put billions of dollars into how you hide it, and how you move, and how you, because it's a big thing.
It's hard to hide a big aircraft carrier, and they put a lot of effort into trying to, from an offset perspective, not make it just super easy for your adversary to find it. Cellphones can make it just absolutely very easy for your adversary to find that asset.
Brett Walkenhorst
It just takes one, and you can imagine with thousands of sailors, that's a pretty high likelihood that somebody has got a cell phone on them, and it's beaconing.
Scott Stapp
Well, and in some cases, I'll be honest, in some cases, it can be leadership who does it, because I've seen this in commands I've done, that in some cases, you tell your unit what to do, but sometimes you think it's important for you to have it, because you need to be in touch, and do certain things, and in some cases, if they don't understand the vulnerability of that technology, they may have actually just put a vulnerability in itself.
So, it's literally everybody, and some of it is the education, because in the past, our adversaries didn't have this capability, and it is just coming out now, and again, Starlink, Kuiper, some of these things where you have thousands of satellites are good examples of the ability for an adversary to just listen, because what's easier than a com system, which has to actually transmit and move, a RF collection system only has to listen.
So, all it has to do is large numbers of satellites that are just constantly listening, and they don't have to retransmit it.
Brett Walkenhorst
Sure, sure. What about the case where, so we talked about non-cooperative localization, but is there a case for an adversary to want to actively compromise a device, or maybe even on the back end, exploit a network to extract information that the phone was giving up by itself, its own GPS receiver's coordinates, or maybe its inertial sensor information? Is there any use case for that, or is it really just non-cooperative stuff?
Scott Stapp
No, it's a use case for everything. What's really interesting is most adversaries will look at an intelligence collection methodology. 90% of the time, they actually probably know who is assigned to what ships.
They have probably collected and they understand. That's the goal of every military is to understand what their military personnel look like, who's who in the zoo, who's assigned to what. Well, the best time to exploit a cell phone is actually when you're on the land and you're not really in operations.
You're talking to your wife, you're going back and forth, but they know who you are. And very similar, here's what's really funny, is if you think about it, how many spam calls do you get on a daily basis? They get your name, they get your number, they know exactly who you are, and you're getting calls that are directed at you.
Well, our adversaries have that exact same capability. They're just not calling you. What they're doing is they're trying to figure out how to get access to that device.
They know your phone, they know when it goes hot. If you look at typically on a ship, the comms will be encrypted. So the adversary basically won't have access to the insides of what you're talking about.
But that's not true in a commercial cell phone world. You can intercept phone calls all the time. So they can start getting a pattern of life of if they want to target a very specific sailor or a set of sailors, they can start figuring out who the sailor is, who he's talking to within his community, and start understanding what that chatter looks like.
They can then track that specific cell phone device, because it emits a very specific signal, as we all know. And when it goes on the ship, even if they can't get inside it, they can actually detect where the ship is. And then, I hate to say this, is even if you want to basically...
The sailor isn't saying anything. He is probably talking to his spouse, who is knowing where he is and what he's doing. And then the adversary can then exploit the cell phones of those within their closest community to go, oh, my husband said today I'm over here.
So even if it wasn't for the RF, they can typically break in and figure out all the comms that are going on, which is, again, it's just an offset issue, which I think that the military is really trying to educate everybody in the military about the vulnerabilities of IT technologies and what it can do. And so being very careful about not just where you take your device, when it's on, what it's doing, but also what you say. Being very careful about how you talk about operations, even with family members, because you never know who's listening.
Brett Walkenhorst
Yeah, that's classic OPSEC right there.
Scott Stapp
It is classic OPSEC.
Brett Walkenhorst
What you're highlighting is that there's a lot of complex technology out there, a lot of sensing platforms available to adversaries that are changing the game now. And it's not just what you say, but the fact that you have the capability of saying anything can compromise you. That feels different to me.
And you were talking about the educational piece, like, how's that going? I mean, I guess this broadcast is an opportunity for us to educate people, but what does that look like?
Scott Stapp
I think it's a cross, because you don't always want to say what capabilities the adversary has. Some of it can be classified, other things. But what's really interesting is when you're taking something that you have in your daily life, it just becomes a part of you.
I mean, it is really interesting that your cell phone almost, it is a part of your body. Wherever you go, it is more than likely with you. And the second it's off, you're like, oh my gosh, I lost my cell phone, where's it at?
So not having it on you is uncomfortable, which in your normal daily life, that's fine. That makes sense. When you go out in operations, and this is true with ground operations, as well as on ships.
So if you're in land operations, they're going to have similar problems, and they're going to have to figure out how to actually ensure they silence those devices. My guess is over time, they're going to issue every military member a Faraday bag and say, you must use it during these periods, and you must have it on you. And then the question becomes, how do you enforce that?
Because the issue with any rule is it's very difficult to get 100% compliance. Most of us are like, dude, I got 98% compliance, we're good, we're successful. One person can geolocate, right, just one person geolocates your unit, your ship, anything else.
And again, not that we don't trust our sailors, but people forget, they didn't hear the message. I mean, communications is tough. So you need an ability to detect and tell, not for punishment, to go, hey, do you realize your cell phone is still on?
Hey, do you realize we can still see the signal? So to rapidly... Listen, if your adversaries can geolocate it, you ought to be doing it yourself, right?
So if you know your adversary is trying to geolocate it, why wouldn't you have your own capability to geolocate it ahead of time to go, nope, we're clean. We know if we can't see it, we know our adversary can't see it. That's really important.
Brett Walkenhorst
Yeah, so let's go through that a little bit in more detail. You talked about Faraday bags and location capabilities. So let's go through methodically, what are the practical controls and policies that we need to have in place?
You talked about, we trust our sailors, we trust our servicemen and women, but compliance by human nature is not going to be perfect. So we need tools to ensure compliance. Let's just go through those in a little more detail.
Let's start with the Faraday bags.
Scott Stapp
So I think in the classified world, they've already done this, right? There's already been memos sent out by two different secretaries in the classified world, both for, hey, we don't want cell phones in classified space, but also there are concerns about this insider threat issue, right? Because guess what?
If the best way to move information out is on an electronic device. So that makes sense in the classified space. I think the messaging becomes more difficult because most people think of the cell phone as something that can move classified information, and it's really not.
It is now this whole OPSEC issue that I don't think everybody has really paid a lot of attention to or thought about. And partly because when you think about it, is if you want to geolocate something from space, and it's primarily going to be from low Earth orbit, even us, we had satellites that actually revisited once every hour. You're not going to worry about somebody geolocating if you have one satellite and it revisits every hour.
Kuiper, again, Kuiper and Starlink, when you have thousands of satellites and everything's revisiting every minute, and you have 20 satellites in view at the same time, our adversaries are doing that kind of stuff. That is an education system that I think we have got to make sure that the senior military understands the risk. I do believe the senior military does understand the risk of that.
I think it does not propagate down rapidly. And when you take away somebody's favorite device, I mean, it is, again, we have become so embedded with our devices. Okay, when you think about just, I hate to say it, high schoolers have not had their cell phones as long as we have had our cell phones.
When you take a cell phone away from a high school device or a cell phone away from a high school student, have you heard the uproar about what are you doing? Right? Adults have had those much longer, have much greater need because they're actually doing all sorts of work and transactions and banking.
And I mean, everything, your whole world is done off that device. Saying you can't use it or have it for an extended period of time can be an emotional event, right? That education and understanding the importance of it, just like when you go out on the ship, I will tell you, every sailor, every Marine, every soldier, every airman, they understand what Ofsec is.
They understand all those pieces. What we have to do is tie Ofsec to what the cell phone does and why it's important. But again, I think the education is important.
But I think you can never get 100% compliance. Anybody who says you get 100% compliance on anything, I think that's kind of ridiculous. And the issue for ships in particular, or even in a land-based operation is one device can geolocate your entire unit or your ship.
So you have to have some policies put in place that could be, no, the military needs to have an ability to detect that. If your adversary is putting money in detecting you, why wouldn't you put money in yourself to detect yourself? That is the signature you're going to emit.
That's what you want to understand. So I think they're beyond the classified space. I think there are going to have to be policies put in place that you want RF detection capabilities on anything that is an operational scenario.
You want to know if you are setting off a signal that somebody's going to see. In the old days, you couldn't burn a fire because your adversary could see it. Back in the 1800s, hey, don't set off a fire.
They policed it. They made sure because one guy who didn't hear it and sets off fire, a campfire, all of a sudden signals everybody where they're at. This is the modern day version of that, which is cell phones are a beaconing system.
Brett Walkenhorst
Yeah. You got to have that self-enforcement mechanism to button it up. And in this case, you're talking about RF detection and localization.
And I think you said it earlier really beautifully. If we aren't doing it, the adversary is. We have to know where our stuff is because if we can detect it, they can too.
So we got to shut it down by self-detection, self-monitoring.
Scott Stapp
Absolutely. And I think a lot of the education is not, it's really the issue is not down and in in the military. They understand a lot of this enforcement is more the issue.
A lot of this education is actually up and out. It's the Hill, right? It is the executive branch in the White House.
It's making sure they understand, hey, you just put literally $10 billion in building an aircraft carrier with all sorts of capabilities and you want to hide and do operations. And for the lack of a detection capability, one $500 cell phone is going to tell everybody in the world where you're at, right? That doesn't seem a good return on your investment.
You might want to invest some money to ensure that when you want to go into emissions control and you want to have zero signature, you have a way to verify that that is true. Because when they think of emissions control, it's all the big radar terminals, they just go power down and everybody powers down and they're not going out and checking every sailor. And I think it is going to be something that they're going to have to actually educate the people up and out, legislative branch, executive branch on the risks of that so that they can actually appropriate funds to make sure that they have that kind of detectability so that they can protect themselves.
Brett Walkenhorst
Well, Scott, this has been really enlightening. Thank you for sharing your thoughts with us. Is there anything else that you'd like to share before we wrap up?
Scott Stapp
No, I think what we're going to see is whether it's cell phones or AI, technology is changing at such a pace that typically what we start to see is the operations of the governments do not operate at the same pace as this technology change. We are going to have to go much faster to stay ahead of it or we will find our adversaries, if they move faster, we will have now a vulnerability. So we do have to learn how to move fast in this world.
Brett Walkenhorst
Thank you again so much for joining us today. If you'd like to learn more about how Bastille helps governments and defense organizations detect and locate unauthorized wireless devices, visit us at bastille.net. Thank you for tuning into The Daily Podcast.
Stay safe, stay aware, and we'll see you on the next episode. Thanks, Scott.
Anthony Jimenez
Thanks for listening. Thank you to our guests, Dr. Brett Walkenhurst, CTO at Bastille, and Scott Stapp, CTO and CRO at DefCon AI. Don't forget to like, comment, and subscribe to Caracast, and be sure to listen to our other discussions.
If you'd like more information on how Bastille can assist your organization, please visit www.carasoft.com slash Bastille or email us at bastille at carasoft.com. Thanks again for listening and have a great day.