A beer and pub-rating app built off the back of Foursquare’s location-tracking API poses a risk to the security of military and intelligence personnel, according to legendary OSINT website Bellingcat.
Untappd 'has over eight million mostly European and North American users, and its features allow researchers to uncover sensitive information about said users at military and intelligence locations around the world,' wrote Bellingcat’s Foeke Postma in a fascinating guide to using the app for tracking down people of interest.
Bellingcat is an open-source intelligence and investigative journalism website. Its most famous contribution to the world was identifying the Russian military personnel who shot down Malaysian Airlines flight MH17, something that saw Russian hackers target it in revenge.
Untappd’s concept of operations is simple. You go to the pub and drink beer. During the beer-drinking process you take a picture of your beer with your smartphone and rate it. You can also rate the pub and leave comments. To do these things you need to register an account and provide some personal details – or log in with Facebook.
“Untappd users log hundreds, often thousands of time-stamped location data points. These locations are neatly sorted in over 900 categories, which can be as diverse and specific as 'botanic garden.' 'strip club,' 'gay bar,' 'west-Ukrainian restaurant,' and 'airport gate.' As the result of this, the app allows anyone to trace the movements of other users between sensitive locations,' wrote Bellingcat’s Postma.
All you need to do to deploy Untappd as an intelligence-gathering tool is use the app through its normal user interface. With a little knowledge of how the app works plus access to online map websites that list pub, bar and restaurant details, it’s scarily simple to find people who probably shouldn’t be easily findable.
So we put it to the test
Using Bellingcat’s techniques, The Register was easily able to identify someone who enjoyed a few pints over the years at hostelries close to, among other places: GCHQ Cheltenham; the Atomic Weapons Establishment base at Aldermaston; an Army base at South Cerney in Gloucestershire; and his regular pub crawls around his hometown, which we are not naming.
The person concerned used his own mugshot as his profile picture on the app. Although Untappd only displays users’ first names and initials, this particular one used his surname as part of his username, so the app displayed 'Joe B. (bloggs123)' on his profile. It was a trivial step from there to find him on Linkedin (with the job title 'analyst') and cross-match that against postal address records for his name in his hometown.
Looking at pubs and bars near the Royal Navy nuclear submarine base at Faslane, up in the lochs of western Scotland by Glasgow, proved equally fruitful. Putting himself into the mindset of a thirsty sailor looking for the nearest drinking establishment, your correspondent soon identified a cluster of bars within easy staggering distance of Helensburgh railway station, the first stop up the line from Faslane.
From there it was simple to look through recent Untappd check-ins at those bars and identify a US Navy nuclear submarine officer, complete with mugshot. His favourite establishments included on-base bars at a US naval station in Norfolk, Virginia, USA; bars next to naval bases in Spain; and 'Naval Base San Diego', included as an actual check-in location on a beer-rating app.
From a casual browse of the submariner’s friends list on the app, your correspondent found the profile of a woman who drank in the same bars at the same time as the man himself. Her profile picture on Untappd included children.
While the app itself is harmless, this ought to be a clear lesson for anyone in a sensitive job: do not use social media, and if you’re going to use social media anyway so you can have a normal life outside work, try not using it in a way where you pinpoint your precise location right next to your sensitive workplaces. Careless tagging, could, in some circumstances, cost lives. ®