U.S. Soldiers Leak Nuclear Info Via Flashcard Apps

Posted inApplication Security, Cyber Security, Information Security, Security

U.S. soldiers used flashcard apps to study and store sensitive nuclear stockpile information. They failed to make their profiles private, exposing the information stored in the apps.

When it comes to the security of our country, we put a lot of faith in our government and military. Our armed forces are truly a force to be reckoned with, which is why the United States is looked to as a peacekeeper, why we are often called in to moderate discussions between adversarial countries. Our cyber-defenses are top-notch, too, fortified stronger than Fort Knox to give threat actors an incredibly infinitesimally small shot at getting past those defenses. However, if a hacker would get the credentials of a ranking military member, all of that security means nothing. Which is why it’s surprising to learn that U.S. soldiers used public-facing flashcard apps to study and store information on our nuclear stockpile.

According to Foeke Postma, a researcher with Bellingcat, Bellingcat discovered the problem when doing a routine search using military acronyms. The searches came back with flashcards from apps like Chegg, Cram and Quizlet, where the researchers found information about bases in Europe where U.S. nuclear weapons are likely located. They also found secret codes, passwords and other information about security processes and protocols. The soldiers would use the apps to study and memorize the information, but didn’t set their profiles to private so their usernames and photos were public-facing. When you can match profile information across platforms, it’s not hard to figure out who people are and what information they might have.

Bellingcat spoke with Dr. Jeffrey Lewis, founding publisher of Arms Control Wonk.com and Director of the East Asia Nonproliferation Program at the James Martin Center for Nonproliferation Studies, who said, “secrecy about US nuclear weapons deployments in Europe does not exist to protect the weapons from terrorists, but only to protect politicians and military leaders from having to answer tough questions about whether NATO’s nuclear-sharing arrangements still make sense today. This is yet one more warning that these weapons are not secure.”

The Pentagon scrubbed some of the flashcards from the web, but didn’t get all of them. Vice’s Motherboard says that many are still archived on the Wayback Machine.

This is a serious problem. Some of the flashcards had been publicly visible since 2013 and some were as recent as April 2021. Even after scrubbing what they could, it’s likely that the Pentagon forced all soldiers to obtain new credentials, forced units to alter code words and secret phrases, and reset anything that could possibly be attached to one of these cards. So now, everyone not only has to learn a new set of security protocols, but they have to figure out a new way to study and remember them. 

Having our nuclear weapons exposed, especially those stored overseas, is a serious threat to our country’s security. This threat was brought to us by our own soldiers, and it could have been entirely prevented with proper monitoring and training. Our soldiers are really good at what they do. The best in the world, in fact. But cybersecurity is not their forte, which is why it is so important that they are trained properly. There should be set ways to study the sensitive information they need to know without using an internet-facing application. And if it must touch the internet, then the users should be taught how to protect that information. 

Technology and its security are not new, but most people still do not understand the risks of using the internet. Most people do not know how to really secure their home networks, let alone that their mobile device doesn’t come with its own security or antivirus software. It’s likely that some do, and some will not use public-facing apps to store sensitive information. But it’s better to assume that no one knows what they are doing and train them than to assume they do and have a breach. This is applicable in every industry, not just the military. 

Business leaders need to take note. If our military is making mistakes like this, it is incredibly likely that someone at your company is making your business insecure. They don’t even know they are doing it, either. So find an expert to come in and train them and you, make sure everyone understands what is okay and what is not. Write a new internet/cybersecurity policy and add it to your handbook. Do everything you can to keep your business safe from threats.

About the Author

PWV Consultants is a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as trusted technical partners for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. Founded by 20-year software engineering veterans, who have founded or co-founder several companies. PWV experts act as a trusted advisors and mentors to numerous early stage startups, and have held the titles of software and software security executive, consultant and professor. PWV's expert consulting and advisory work spans several high impact industries in finance, media, medical tech, and defense contracting. PWV's founding experts also authored the highly influential precursor HAZL (jADE) programming language.

Contact us

Contact Us About Anything

Need Project Savers, Tech Debt Wranglers, Bleeding Edge Pushers?

Please drop us a note let us know how we can help. If you need help in a crunch make sure to mark your note as Urgent. If we can't help you solve your tech problem, we will help you find someone who can.

1350 Avenue of the Americas, New York City, NY