Hiding Bluetooth Trackers in Mail

It was used to track a Dutch naval ship:

Dutch journalist Just Vervaart, working for regional media network Omroep Gelderland, followed the directions posted on the Dutch government website and mailed a postcard with a hidden tracker inside. Because of this, they were able to track the ship for about a day, watching it sail from Heraklion, Crete, before it turned towards Cyprus. While it only showed the location of that one vessel, knowing that it was part of a carrier strike group sailing in the Mediterranean could potentially put the entire fleet at risk.

[…]

Navy officials reported that the tracker was discovered within 24 hours of the ship’s arrival, during mail sorting, and was eventually disabled. Because of this incident, the Dutch authorities now ban electronic greeting cards, which, unlike packages, weren’t x-rayed before being brought on the ship.

Tags: ,

Posted on April 24, 2026 at 7:01 AM15 Comments

Comments

Rontea April 24, 2026 9:28 AM

The response—banning electronic greeting cards—solves the immediate problem but doesn’t address the broader issue: designing processes that treat every entry point as a potential attack vector.

sidelobe April 24, 2026 9:46 AM

It seems to me that the security issue isn’t the tracker, it’s the phone indiscriminately reporting the tracker’s location. The phone could be told when it’s in a location or situation where it should not be reporting on trackers. Perhaps a different Bluetooth ID that says “no tracking allowed here” could be broadcast in sensitive situations? This could be built into WiFi routers and included in personal cars. Not a perfect solution, but a start.

Martijn April 24, 2026 11:32 AM

I pinged the editorial desk asking them if they thought this through, opening intel to China. Crickets. Assuming Mr reporter did not build the backend. Proving the use case could be done in a different way.

Snarki, child of Loki April 24, 2026 1:01 PM

“At the beginning of each cruise, all cellphones must be ceremonially tossed overboard.

If anyone holds onto their cellphone after that, then THEY are tossed overboard.”

SocraticGadfly April 24, 2026 1:01 PM

@sidelobe: Analogous to the “no follow” HTML code you can put on a URL in a story? Yeah, it’s a start, at least.

@Martijn: Did you ask if this also opened intel to Tel Aviv or something? (They’re probably already dialed in, but still …)

lurker April 24, 2026 2:36 PM

@Snarki …

That sounds like a good start. After all it’s a military environment we’re talking about. Why do they need cellphones on board a ship at sea?

For the squeamish the phones could be simply turned off and placed in a strong metal box; to be retrieved after the ship is moored in port. And x-ray all mail: they’re doing parcels already, letters in bags wouldn’t be any harder

Hmm... April 24, 2026 11:57 PM

The little chip in our credit cards that enables touch-pay doesn’t have a battery. It’s powered by the nearby transmitter.

One the scams out there involves telling people their card has been compromised, have them cut it up, and sending a courier to pick up the pieces Only cutting up the card doesn’t destroy the chip, which is then used by the bad guys.

Tech constantly improves. How long before these trackers have no battery, and are powered by the transmitters? What about flexible circuits on fabric?

How about when cell phones communicate via satellite instead of cell towers?

And hasn’t this sort of thing already been used by the Ukrainians against the Russians, with the Russian troops connecting to Ukrainian cell towers?

This is only the beginning… Perhaps Apple or Google could block trackers upstream. But there are so many other ways to track… Speaking of which, satellite imagery is becoming cheaper & more accessible. You could always just look…

Clive Robinson April 25, 2026 11:58 AM

@ Hmm…,

You ask,

“How long before these trackers have no battery, and are powered by the transmitters? What about flexible circuits on fabric?”

What makes you think it’s not already been done?

In actual fact it started back in the late 1980’s and is still very much around now and is ramping up daily…

Look up “Radio Frequency Identity Devices”(RFIDs) especially the long range ones,

‘https://www.cykeorfid.com/long-range-rfid-readers-explained-what-they-are-and-where-theyre-used/

You can scan an entire 40ft Container packed tight with “products” and get the ID of every device via a handheld device. Similarly a 90-100ft range in a semi open area like a warehouse or car-park.

They are routinely in use by the likes of UPS and luxury goods suppliers.

A variation on such devices can be injected into your pet, to be just under the skin to prove it’s vaccination and ownership statuses.

A variation has been made by Medtronic for a decade or more, that records your heart function and uploads it into a bedside device that “phones home” to the hospital cardiac people. Variations that log not just your heart but geographic location and altitude are also available.

For those that don’t like holes being put in them there are devices in watches and belts for “fitness tracking”…

Putting any of the above devices in clothing is trivial and already done with very expensive fashion items and the like to prove they are “genuine not knock-offs” and “stock control”. The fact they can easily track you at store checkouts is being looked into to charge you “premium prices”.

But lets assume that most of your cloths have ID numbers built in how many would be required to,

1, Give you a unique identifier.
2, Be easily linked to your credit card number thus full ID and Bio information?
3, Be easily linked to those you are close to?
4, Establish your shopping and lifestyle habits?
5, Even where you work and live.

And so on…

If you look back on this blog I was worrying about this way more than a decade ago.

I even suggested popping “new clothes in the microwave” for a short period to kill such RFIDs…

Since then “Near Field Communications”(NFCs) have taken off for payment cards of all forms, without you “authenticating” a transaction with a PIN etc.

Many Mobile / Smart devices also have NFC now fitted for a whole heap of reasons,

https://www.spiceworks.com/networking/what-is-near-field-communication/

As do several electronics gizzmos like the “Flipper Zero” security / hacker tool,

https://www.pcmag.com/explainers/flipper-zero-hacks-for-beginners-8-simple-ways-to-use-it-out-of-the-box

NFC Bank Cards, developed in the “naughties” were Originally Called “Tap and Go” cards in some places, really are a security and privacy hazard as they alow you to be not just tracked but have your money stolen with ease.

As I said back in the early RFID days,

“Welcome to your life in the goldfish bowl…”

Hmm... April 25, 2026 4:31 PM

@Clive: “What makes you think it’s not already been done?”

Nothing. I find those RFID devices in items I buy, and underneath stickers on my packages. So far, they’re predominantely short-range at the end-consumer level.

@Clive: “They are routinely in use by the likes of UPS and luxury goods suppliers.”

Today it’s luxury goods. Tomorrow it’s Dollar store.

Tech capabilities keep improving… Prices keep dropping…

Clive Robinson April 25, 2026 5:23 PM

@ Hmm…

You forgot to add to your list of,

“Tech capabilities keep improving… Prices keep dropping…”

And abuse gets cheaper to do…

When I was growing up it was the time where valves/tubes were fading as the transistor had taken over and microchips had gone beyond quad nand-gates.

It looked all creative and wonderful which was why I was not too fussed when it was found I’d developed reactions to oils and certain plastics so moving into boat design and build as a career was not going to be possible… I could after all be just as creative with circuit design…

So in the mid 70’s I jumped career whilst still at college…

However industry had changed and the dark side was coming through… I spent some time doing “defense work” and that was not happy times.

So I jumped into the petro-chem side of things and although design was creative I could see the failings when it came to security. Nobody wanted to pay for it as nobody had attacked their very very vulnerable systems.

Sadly every time I changed career path to “do more good” it was just as things were going bad, but nobody cared to “do good”.

Then it became clear that the old saying of,

“The ship was lost for a ha’pennyworth of tar”

Was the thing the neo-cons either did not understand or did not care about.

Computer hacking and communications attacks just went up and up, and could have been so easily stopped… But “short term thinking” and mantras like “never leave money on the table” caused attacks to rise.

At some point the short term thinking saw profit in getting data on people, and “Data brokering” by “ubiquitous surveillance” became not just a thing, but the only source of profit in town…

For a little extra effort many if not most of the security vulnerabilities that happen every day could be prevented before they leave the shop. But even with new tools that might arise from new methods of AI they won’t be because that is not where management and marketing have set the priorities for profit above all else.

And it’s not going to get better any time soon, if ever.

Hmm... April 26, 2026 7:17 PM

@ Clive: “And it’s not going to get better any time soon, if ever.”

It will. These things swing back and forth like a pendulum. That’s not to say things won’t get worse before they get better. But eventually they will get better. Perhaps in our grandchildren’s or great-grandchildren’s time.

Look at how women were treated in the 60s & 70s versus how they’re treated today… Back then they couldn’t vote, or have a bank account in their own name, or have a career. Things change.

Look at Linux gaming. Valve/Steam have done a fantastic job. And younger folks, fed up with Microsoft, are starting to pay attention.

Even as we speak, right now, today, on social media, folks are expounding this “new” great idea to air-gap their TVs. Just use ’em as a HDMI monitor and hook up their own tuners & whatnot. Avoids the spying, advertising, cameras & mics, etc. (I’ve been doing that for a couple of decades now…)

Cars have gotten so over-the-top on spying, and they’re poised to get much worse. It keeps driving up the prices. Only now nobody can afford it. And those who can pay want BMW or Porsche, not Ford. But sooner or later, some struggling company will bring back the idea of cheap, minimal vehicles. Kind of like the K-car I rented some decades back. I was surprised it had a speedometer. Didn’t have much else. But it got me around town.

It’s like a pendulum swinging back and forth. Wait. What’s old becomes new again.

_ April 26, 2026 8:05 PM

“Even as we speak, right now, today, on social media, folks are expounding this “new” great idea to air-gap their TVs. Just use ’em as a HDMI monitor and hook up their own tuners & whatnot. Avoids the spying, advertising, cameras & mics, etc. (I’ve been doing that for a couple of decades now…)”

RE:HDMI Google: deep tempest

bart April 27, 2026 10:17 AM

Wait, how did this even work inside a giant steel box?

And how did it transmit its location outside the ship? Presumably it had to upload the information via the internet, why was that not blocked?

Jan Willem April 28, 2026 8:36 AM

@bart
It was a standard GPS tracker and it forwards it location through any apple iPhone which comes nearby. As long as a navy vessel has not turned ‘black’ one can use WiFi and hence the location is sent to the owner of the gps-tracker. As long as you know someone on the ship, this will work.

@all
However, we have seen much dangerous leaks in the past: navy staff who were using tracking software to collect their running tracks and publish those (which is officially forbidden in the navy and most armies). In one of those situations a hidden port for nuclear submarines was made public.

But you have to realize that the position of each navy ship (except maybe submarines) worldwide is followed by satellites all the time. So at least for state actors this wasn’t really an eye-opener.

Leave a comment

Blog moderation policy

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.