$5 Bluetooth tracker in postcard exposes $585M Dutch warship’s location for 24 hours

A tiny, cheap $5 Bluetooth tracker in an ordinary postcard was all it took to expose the real-time movements of a $585 million Dutch warship for 24 hours, with the naval crew completely clueless.

According to The Register, this happened aboard the HNLMS Evertsen, a modern air-defense frigate sailing as part of a NATO carrier strike group. The vessel was operating in the eastern Mediterranean when the Bluetooth tracker slipped aboard.

Meanwhile, the vessel's real-time location was being broadcast to nearby phones via a crowdsourced tracking network. The shocking part is that this breach happened because of a $5 Bluetooth tracker anyone can easily buy online, combined with simple instructions from the Dutch Ministry of Defense on how to mail postcards and letters.

The ministry publicly posted simple guidelines for staying in touch with sailors at sea via letters and postcards. The mail usually skips full X-ray checks, so a Dutch journalist, Just Vervaart, decided to tuck an ordinary Bluetooth tracker into a greeting card and mail it.

Later, the postcard made it aboard the HNLMS Evertsen, started pinging the crew members' phones, and relayed the coordinates back to Vervaart. Vervaart monitored the frigate as it left the port of Heraklion, Crete, and saw it sail along the island’s coast and east to Cyprus. While the Bluetooth tracker only gave away Evertsen’s coordinates, the frigate was protecting a wider strike group from potential missile threats.

This information could have easily been exploited by adversaries to triangulate the entire fleet’s position. What makes this even more dangerous is that Bluetooth trackers don’t require their own GPS or cellular connection; they just need to borrow signals from nearby phones. So, once the greeting card got on board, the Bluetooth tracker just needed to ping back home.

Navy officials later found the tracker during routine mail sorting and quickly disabled it. In response to this breach, the Dutch Ministry of Defense promptly banned electronic greeting cards that contain batteries.

However, this isn’t the first incident to have poked holes in naval operational security; nearly a month ago, a French officer aboard the Charles de Gaulle uploaded his running route to Strava, effectively revealing the carrier's exact coordinates in the Mediterranean.