A military mail security vulnerability has exposed how easily hostile actors or curious journalists can track naval vessels using nothing more than a postcard and a €5 Bluetooth tracker. Journalist Just Vervaart from Dutch regional broadcaster Omroep Gelderland conducted an experiment that revealed the Royal Netherlands Navy’s air-defense frigate HNLMS Evertsen could be located and monitored for an entire day after a cheap tracking device was mailed to personnel aboard the ship.
Key Takeaways
- A €5 Bluetooth tracker hidden in a postcard exposed HNLMS Evertsen’s location for 24 hours while deployed to the Mediterranean.
- The tracker passed through military postal screening undetected because postcards and envelopes are not X-rayed, unlike packages.
- The ship was located using publicly available mailing instructions and standard consumer technology available in any electronics store.
- Dutch Ministry of Defence responded by banning greeting cards containing batteries and reviewing its entire mail screening protocol.
- A similar vulnerability was exposed by Le Monde, which tracked a French officer’s movements via Strava fitness data from a smartwatch aboard the Charles de Gaulle carrier.
How a Postcard Became a Security Risk
The military mail security vulnerability exploited a fundamental gap in screening procedures. Envelopes and postcards sent through the Dutch Ministry of Defence’s military postal service are not subjected to X-ray scanning, according to publicly available MoD guidance videos and instructions. This distinction is critical: while packages are screened, letters and cards pass through unexamined. Vervaart obtained these public instructions and used them to mail a standard Bluetooth tracker—the type typically used to locate lost keys—inside a postcard addressed to personnel aboard HNLMS Evertsen.
The tracker traveled from the Dutch naval base at Den Helder to Eindhoven Airport, then onward to Heraklion port in Crete, Greece, where the frigate was moored. Once the ship departed and sailed west along the Crete coast, the tracker continued broadcasting its location via the Bluetooth network. For approximately 24 hours, the device remained active and trackable, providing real-time position data until it was discovered during onboard mail sorting and disabled.
Military Mail Security Vulnerability Exposed Broader Risks
The incident demonstrates that military mail security vulnerability extends beyond simple tracking. The HNLMS Evertsen was deployed to protect France’s aircraft carrier Charles de Gaulle from missile threats, making its location operationally sensitive. A hostile actor with access to the same inexpensive technology and public mailing procedures could have weaponized this information. The Ministry of Defence stated that no actual operational risk materialized during the 24-hour window, but the vulnerability itself remains alarming.
Related security gaps have surfaced elsewhere in military operations. Le Monde exposed a similar vulnerability when the publication tracked a French officer’s seven-kilometer run on the Charles de Gaulle carrier deck using Strava fitness data transmitted from a connected smartwatch. These incidents reveal a pattern: modern military personnel carry internet-connected devices that leak location data through civilian networks and services, and mail screening procedures have not evolved to detect emerging threats like Bluetooth trackers.
Response and Policy Changes
The Dutch Ministry of Defence responded swiftly after Vervaart’s experiment became public. The MoD banned greeting cards containing batteries from its military postal service and initiated a comprehensive review of mail screening guidelines. However, these reactive measures address only the specific vector used in this case. The broader military mail security vulnerability—that postcards and envelopes bypass X-ray screening entirely—remains partially unresolved, as implementing universal scanning could overwhelm existing infrastructure.
The incident raises uncomfortable questions about the balance between operational security and logistical efficiency. Scanning every piece of mail sent to naval personnel would be resource-intensive, yet the current system allows a €5 device to compromise a €500 million asset. The fact that a regional journalist, not a state actor, exposed this gap suggests that adversaries with greater resources and sophistication may have already weaponized the same vulnerability.
Why This Matters Now
Military mail security vulnerability has become urgent because consumer technology is cheap, accessible, and increasingly difficult to detect. Bluetooth trackers are sold globally for pocket change, require no specialized knowledge to operate, and exploit gaps in screening that were designed decades ago. HNLMS Evertsen’s exposure occurred while the ship was actively supporting NATO operations in the Mediterranean, making the timing particularly sensitive. This incident will likely prompt navies worldwide to reconsider how they balance the convenience of mail delivery to deployed personnel against the security risks posed by modern tracking devices.
Can military mail screening ever be completely secure?
Complete security is unlikely without significant operational burden. X-raying all mail, including postcards and envelopes, would require infrastructure upgrades and processing delays that could disrupt morale and communication with deployed personnel. The alternative—accepting some level of risk—is what most militaries currently do, but incidents like HNLMS Evertsen’s tracking expose how high that risk actually is.
What other tracking devices could exploit this military mail security vulnerability?
Any low-power Bluetooth device small enough to fit in an envelope could theoretically be used. AirTags, Tile trackers, and similar consumer gadgets are designed to be inconspicuous and are sold in thousands of retail locations worldwide. The challenge for military screening is that these devices contain no batteries visible to cursory inspection and no obvious electronic components that would trigger alarms.
Has this vulnerability affected other military vessels?
The research brief does not indicate other confirmed incidents involving military vessels, though the Le Monde case involving the Charles de Gaulle carrier demonstrates that military mail security vulnerability is not isolated to the Dutch Navy. NATO allies are likely reviewing their own mail screening procedures following this public exposure.
The HNLMS Evertsen incident serves as a stark reminder that military security in the modern era cannot rely on physical barriers alone. A €5 Bluetooth tracker mailed through standard postal channels exposed a naval warship’s location for 24 hours, forcing one of Europe’s most advanced militaries to rewrite its mail security protocols. As consumer technology becomes smaller, cheaper, and more connected, the gap between operational convenience and genuine security will only widen. Navies worldwide now face the uncomfortable reality that their personnel’s ability to receive mail may be fundamentally incompatible with protecting the locations of billion-euro assets.
This article was written with AI assistance and editorially reviewed.
Source: Tom's Hardware
