Hiding Bluetooth Trackers in Mail

It was used to track a Dutch naval ship:

Dutch journalist Just Vervaart, working for regional media network Omroep Gelderland, followed the directions posted on the Dutch government website and mailed a postcard with a hidden tracker inside. Because of this, they were able to track the ship for about a day, watching it sail from Heraklion, Crete, before it turned towards Cyprus. While it only showed the location of that one vessel, knowing that it was part of a carrier strike group sailing in the Mediterranean could potentially put the entire fleet at risk.

[…]

Navy officials reported that the tracker was discovered within 24 hours of the ship’s arrival, during mail sorting, and was eventually disabled. Because of this incident, the Dutch authorities now ban electronic greeting cards, which, unlike packages, weren’t x-rayed before being brought on the ship.

Posted on April 24, 2026 at 7:01 AM

Comments

Rontea April 24, 2026 9:28 AM

The response—banning electronic greeting cards—solves the immediate problem but doesn’t address the broader issue: designing processes that treat every entry point as a potential attack vector.

sidelobe April 24, 2026 9:46 AM

It seems to me that the security issue isn’t the tracker, it’s the phone indiscriminately reporting the tracker’s location. The phone could be told when it’s in a location or situation where it should not be reporting on trackers. Perhaps a different Bluetooth ID that says “no tracking allowed here” could be broadcast in sensitive situations? This could be built into WiFi routers and included in personal cars. Not a perfect solution, but a start.
