HOPSEC: Beer rating app could pose a military security threat

A bottle of Red River Brewing Company's Fear the Dark sits on the brewery bar in Shreveport, La., March 16, 2019. Open source researchers with the group Bellingcat used a beer app called Untappd to find details about users from the military and intelligence communities, said a report released Monday, May 18, 2020.


By CHAD GARLAND | STARS AND STRIPES Published: May 19, 2020

Tapping into a beer rating app allowed researchers to track military and intelligence personnel, including some who checked in at a military base that hosts a CIA training facility known as “the farm.”

Users of Untappd, a smartphone app for beer lovers, also posted photos that showed debit cards, military ID cards, locations of fighter jets and possibly sensitive military documents, the open-source research and investigative journalism group Bellingcat reported Monday.

The app encourages users to log what they’re drinking and where, and lets them rate their favorite sudsy drinks and discover new ones. Using their phone’s geolocation, they can check in to drinking establishments or discover other nearby bars and restaurants.

But with some creativity and “a little bit of digging,” those interested in snooping can use those same features to discover military posts and other sensitive sites, as well as the people who frequent them.

“Examples of users that can be tracked this way include a U.S. drone pilot, along with a list of both domestic and overseas military bases he has visited, a naval officer, who checked in at the beach next to [Guantanamo Bay’s] detention center as well as several times at the Pentagon, and a senior intelligence officer with over seven thousand check-ins, domestic and abroad,” wrote Foeke Postma, a Bellingcat researcher and trainer who authored the report. “Cross-referencing these check-ins with other social media makes it easy to find these individuals’ homes.”

Untappd shows nearly 600 unique visitors on its Ramstein Air Base page who have rated more than 2,600 beers — not including other establishments on base that have their own pages.

One user highlighted in the report checked in at the Duck and Cover bar at the U.S. Embassy in Kabul and the NATO coalition’s military headquarters in the Afghan capital.

Another user checked in three times at Camp Peary, the CIA’s covert training facility in Williamsburg, Va. The user posted photos showing features of the base that could be matched to a satellite image for geolocation.

The Defense Department provides broad social media guidance to its personnel but does not generally focus it on specific platforms or applications, said Lt. Col. Uriah Orland, a Pentagon spokesman.

“Social media platforms pose numerous threats to DOD personnel due to the collection and aggregation of location and personal information, in addition to information posted by social media users,” Orland said via email.

Bellingcat found in earlier research that military users were unwittingly sharing potentially sensitive location data through fitness apps, leading the Pentagon to restrict their use in operational areas.

“Untappd differs in three crucial ways,” Postma wrote. “It has decent privacy settings, as profiles can be set to ‘private’ easily. Users have to consciously select locations they check in to. Most importantly, private residences are not registered unless a user has added their own home.”

The fitness app report was not published until the company that operates the app had made the data inaccessible and changed its privacy standards, Postma wrote. With the beer app, the “onus is on the user” to protect their data, he wrote.

But, as might be expected with an app built around alcohol consumption, users may not be exercising their best judgment while posting, the research found.

Photos posted on Untappd “tend to focus a bit more on tables or desks where users place the bottle, and … might be taken by slightly inebriated users a bit more often,” Postma wrote.

Some uploaded photos showed a debit card with its numbers visible, plane tickets and military hardware.

At least one showed “documents on military matters, clearly not meant for public consumption,” Postma wrote. They were published in the report but covered with red boxes and the words “YIKES” and “Don’t upload this stuff.”

Twitter: @chadgarland

A pair of screenshots from the app Untappd show the venue page for Ramstein Air Base, left, and part of a user?s check-in history showing check-ins at locations in Afghanistan, right. Open source researchers with the group Bellingcat used the app to find details about users from the military and intelligence communities, said a report released Monday, May 18, 2020.