Determined to keep track of their guns, some U.S. military units have turned to a technology that could let enemies detect troops on the battlefield, The Associated Press has found.
RFID, as the technology is known, is infused throughout daily civilian life. Thin RFID tags help drivers zip through toll booths, hospitals locate tools and supermarkets track their stock. Tags are in some identity documents, airline baggage tags and even amusement park wristbands.
When embedded in military guns, RFID tags can trim hours off time-intensive tasks, such as weapon counts and distribution. Outside the armory, however, the same silent, invisible signals that help automate inventory checks could become an unwanted tracking beacon.
The AP scrutinized how the U.S. armed services use technology to keep closer control of their firearms as part of an investigation into stolen and missing military guns — some of which have been used in street violence. The examination included new field tests that demonstrated some of the security issues RFID presents.
The field tests showed how tags inside weapons can be quickly copied, giving would-be thieves in gun rooms and armories a new advantage.
And, more crucially, that even low-tech enemies could identify U.S. troops at distances far greater than advertised by contractors who install the systems.
Which is why a spokesman for the Department of Defense said its policymakers oppose embedding tags in firearms except in limited, very specific cases, such as guns that are used only at a firing range — not in combat or to guard bases.
“It would pose a significant operations security risk in the field, allowing an adversary to easily identify DOD personnel operating locations and potentially even their identity,” Pentagon spokesman Lt. Col. Uriah Orland told AP.
Spokespeople at the headquarters of the Air Force and Army said they did not know how many units have converted their armories.
AP found five Air Force bases that have operated at least one RFID armory, and one more that plans a retrofit. Executives at military contracting companies said many more units have sought proposals.
A Florida-based Army Green Berets unit, the 7th Special Forces Group, confirmed it uses the technology in “a few” arms rooms. Special forces soldiers can take tagged weapons into the field, said Maj. Dan Lessard, a special forces spokesman. A separate pilot project at Fort Bragg, the sprawling Army base in North Carolina, was suspended due to COVID-19.
The Navy told AP one armory on a base up the coast from Los Angeles was using RFID for inventory. Then this week, after extended questioning, spokesman Lt. Lewis Aldridge abruptly said that the technology “didn’t meet operational requirements” and wouldn’t be used across the service.
Momentum for RFID built within the Air Force after a 2018 case in which a machine gun disappeared from the 91st Security Forces Group, which guards an installation that houses nuclear-tipped missiles. Authorities recovered the weapon, but the incident reverberated across the service.
With Air Force commanders looking to bolster armory security, defense contractors offered a familiar technology — one with a military pedigree.
The origins of RFID trace to World War II and the development of radar. In the U.S. military, use grew in the 1990s, after the first Gulf War showed a need to untangle vast supply chains of shipping containers.
The U.S. military is not alone in employing RFID for firearms management: Government armories in Nigeria, Saudi Arabia and elsewhere have been outfitted.
Armory conversions cost thousands of dollars, and sometimes more. Convenience is a big selling point. Instead of hand-recording firearm serial numbers on paper or scanning barcodes one-by-one like a cashier, an armorer can read tags in a rack of firearms with the wave of a handheld reader — and without having to see each weapon. The tags tucked inside don’t even need batteries.
Contractors that retrofit armories say tags can be read only within a limited range, typically a few dozen feet or less. But in field testing for AP, two prominent cybersecurity experts showed that a tag inside a rifle can be read from significantly farther, using inexpensive components that fit inside a backpack.
While the hackers who devised the experiments observed U.S. government restrictions on transmitting signals, enemies who would not be so constrained could detect tags miles away, they said.
Some within the military share the tracking concern.
The Marine Corps has, according to a spokesman, decided across the service not to tag guns.
“The use of RFID tags on individual weapons systems increases the digital signature of Marines on a battlefield, increasing the security/force protection risks,” said Capt. Andrew Wood.
A top weapons expert from the Corps said he saw how tags can be read from afar during training exercises in the Southern California desert in December 2018.
“RFID tags on tanks, weapons, magazines, you can ping them and find the disposition of where units are,” said Wesley Turner, who was a Marine chief warrant officer 5 when he spoke in a spring interview. “If I can ping it, I can find it and I can shoot you.”
The Air Force and Army did not answer detailed questions about use of the technology in firearms. In written statements, spokespeople said unit commanders can add RFID systems as a further layer of accountability, but no service-wide requirement is planned.
Policy experts within the Office of the Secretary of Defense appeared unaware that the services have been tagging firearms with RFID.
Asked why service branches can field a technology that Pentagon planners consider so risky, Defense Department spokesman Orland first said that the services told the Pentagon they are not tagging guns due to security concerns.
Informed that AP found units which acknowledge using the technology, the Pentagon revised its statement and said it allows service branches to explore innovative solutions. The Defense Department “tries to balance pre-emptive prohibitions due to current security risks with flexibility to adopt new technologies when they mature and those risks decrease,” Orland said.
HACKERS ON THE HUNT
The two hackers had locked onto their target: The rifle held by a man walking away from them under the scorching summer sun.
“Still reading, still reading, still reading,” called out one, Kristin Paget, whose prowess has landed her jobs at tech titans including Apple and Tesla — as well as the nickname “Hacker Princess.”
Here in California’s San Joaquin Valley, in a sloping field surrounded by almond orchards, Paget and her hacking partner Marc Rogers were testing the limits of an RFID system they’d cobbled together for about $500. To see how far they could detect a tag in the rifle, they were telling the man, firearms trainer Michael Palombo, to keep going.
By now more than half a football field away, the hackers had to shout or wave hands to communicate.
Because the hackers were following Federal Communications Commission regulations that limit the power of radio signals, their antenna lost the tag at 210 feet (64 meters).
That is nowhere near the farthest distance possible, according to Paget. She theorizes that a reader with enough of a power boost could detect an RFID tag on the outside of the International Space Station, 250 miles (402 kilometers) above.
What’s more, Paget said, it doesn’t take a Chinese or Russian cyber army to take advantage — a tinkerer with YouTube access could learn the needed skills.
“It’s one of those situations that in the security world we say it keeps honest people honest, or it’s secure unless there’s an attack,” said Paget.
Paget warned publicly about the vulnerabilities of RFID in 2010, during presentation at the annual DEF CON hacker convention. From a stage in Las Vegas, Paget broke down a test that read a tag 217 feet (66 meters) away.
Dale “Woody” Wooden, who at the time was part of naval special warfare, saw that presentation and warned fellow service members.
“If the disease is missing weapons and the cure is RFID tags, then you have a cure that is worse than the disease,” said Wooden, who after 20 years in the Navy founded Weathered Security, which teaches digital protection to the military and law enforcement. “They’re prioritizing convenience over service member lives.”
In the California field tests, Paget and Rogers were prepared to demonstrate what they see as other vulnerabilities created by putting RFID in firearms. They thought about showing how a tag could trigger a roadside bomb, but settled on something more mundane: inventory checks.
One benefit of RFID is that it can reduce daily weapon count drudgery. Instead of cataloging dozens of guns one-by-one, an armorer at the end of an aisle can read all their tags at once.
Rogers demonstrated his doubts by showing how a thief could defeat the system.
Aiming his RFID reader at a rifle inside a hard carry case, Rogers replicated the rifle’s tag with the lid still closed. Palombo then removed the firearm and Rogers put the cloned tag inside. As a clone, that tag had all the same data as the rifle’s tag — and indeed, with the case again closed, the RFID reader was fooled into thinking the original tag, and thus the rifle, was still inside.
It took Rogers less than two minutes.
“It’s the ultimate false sense of security,” said Rogers, who designed the hacks on the TV show “Mr. Robot” and is now vice president of cybersecurity at Okta. “It lists all the weapons and tells you that they’re there, but you’ve never actually seen the weapon.”
Executives at two companies that have installed RFID armories at Air Force bases agreed that a corrupt insider could trick the technology.
“RFID is not truly an anti-theft system,” said Cody Remington, president of Enasys.
The executives also said they had never heard anything like the 210 feet (64 meters) that the hackers achieved.
Remington suggested there might be ways to mitigate the risk, but said he deferred to the Pentagon. “Our expertise certainly isn’t on the battlefield,” he said, “our expertise is inside the buildings and tracking where items are.”
Another executive said he had been hearing the concern about troop tracking for years. Eric Collins, the CEO of Trackable Solutions, said it wasn’t a real life problem because a reader would need a stronger power source, and even then couldn’t exceed several dozen feet.
Collins said RFID in weapons poses “absolutely no risk at all,” especially if the guns stay on base.
He said he didn’t believe a tag could be detected from more than 100 feet (30 meters), making the Pentagon’s security concerns invalid. “The leadership needs their staff to give them better guidance,” Collins said, “because that’s not good guidance.”
THE LURE OF RFID
RFID is a relatively expensive solutions for armory management, but the payoff is enticing.
Consider normal inventories. Between physical inspections and voluminous paperwork, counting all the guns on just one base can stretch to days or even weeks. Meanwhile, time seems to stop when a weapon is lost or stolen, as the installation shuts down and search parties launch to find it.
RFID offers a simpler, more efficient system. Which is why two airmen went to an Air Force 2020 Innovation Rodeo — an ideas competition patterned after the TV show “Shark Tank” — to pitch a project to a panel of senior officers.
The airmen offered another scenario, one service members dread and that RFID promises to eliminate: A thousand troops suddenly need to deploy overseas, fast. To get the weapons they will carry, each must wait in a line that snakes around the building and barely seems to move.
“We need to get on board with the 21st century,” Staff Sgt. Nicholas Mullins said from the stage.
Though the proposal didn’t win that competition, with the support of another federal program it found a home at an armory for security forces that patrol Eglin Air Force Base in Florida’s Panhandle.
Open with “full operational capability," the RFID armory is a success as promised, according to spokeswoman Jasmine Porterfield. The new system cuts inventory time in half, limiting the need for two armorers and creating more schedule flexibility and training opportunities.
The maximum distance tags can be read, according to experts on the base: about 8 feet (2 meters).
LaPorta reported from Hickman, California, Pritchard reported from Los Angeles, and Hall reported from Nashville, Tennessee. Also contributing were Serginho Roosblad in San Francisco and Martha Mendoza in Santa Cruz, California.