A Dutch journalist mailed a postcard containing a $5 Bluetooth tracker to a €500 million warship and watched its real-time location appear on his phone as the vessel crossed the Mediterranean.
The incident exposes how consumer-grade tracking technology—devices designed to locate lost keys and wallets—can pierce military security protocols when those protocols treat mail as inherently trustworthy. Just Vervaart, working for regional media network Omroep Gelderland, followed publicly available directions posted on the Dutch government website to send correspondence to the naval vessel. Inside the postcard was a Bluetooth tracker. For approximately 24 hours, he tracked the ship’s movements from Heraklion, Crete, as it sailed toward Cyprus.
- The Security Gap: Military mail screening protocols failed to detect a $5 consumer tracking device hidden in a postcard.
- The Fleet Risk: Tracking one vessel in a coordinated naval formation reveals the position of the entire strike group and dozens of personnel.
- The Public Instructions: The journalist used official government website directions to mail the tracker directly to the warship.
What makes this breach particularly dangerous is what Vervaart could infer from the data. The vessel belongs to a carrier strike group operating in the Mediterranean. Knowing the location of one ship in a coordinated naval formation effectively reveals the position of the entire fleet—a tactical vulnerability that could theoretically compromise the safety of dozens of personnel and millions in military assets.
The tracker was discovered during mail sorting within 24 hours of the ship’s arrival. Navy officials disabled it and investigated how such an object passed through standard security measures. The answer: electronic greeting cards and postcards were not being x-rayed before being brought aboard, unlike packages. This gap in screening created an opening that required only basic knowledge of where to send mail and a consumer device costing less than a coffee.
How Did Consumer Technology Bypass Military Security?
For anyone who has used a Bluetooth tracker, the implications are immediate and unsettling. These devices—Apple AirTags, Tile trackers, Samsung SmartTags—work by broadcasting low-energy Bluetooth signals that nearby phones relay back to a cloud server, creating a crowdsourced location network. Research on consumer tracking devices demonstrates how these systems achieve remarkable accuracy through passive data collection methods.
They’re designed to be small, inconspicuous, and cheap precisely so they can be slipped into bags, attached to keys, or embedded in everyday objects. The technology is consumer-friendly because it’s passive: the tracker itself doesn’t need cellular service or GPS. It just pings, and the network finds it.
- Bluetooth trackers cost $5-30 and require no subscription or cellular service
- They create crowdsourced location networks using nearby smartphones as relays
- Indoor localization research shows these devices can achieve meter-level accuracy in populated areas
The same architecture that makes them useful for finding your lost AirPods also makes them useful for tracking anything else that can be mailed, carried, or concealed. Vervaart’s experiment wasn’t a hack or a sophisticated cyberattack. It was a straightforward application of existing technology to expose an organizational blind spot.
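Because these trackers work by broadcasting, a receive-only Bluetooth scan of sorted mail can surface them where an x-ray step is skipped. The sketch below is an added example, not something from the original article or from the Navy: it parses raw BLE advertising payloads and flags tracker-class beacons. The signature values (Apple company ID 0x004C with payload type 0x12, service UUIDs 0xFEED and 0xFD5A) are assumptions to verify against the Bluetooth SIG assigned numbers, and the sample payloads and addresses are constructed.

```python
# Added example. Payloads below are constructed, not captured from real devices.
# Signature values are assumptions to verify against Bluetooth SIG assigned numbers.
APPLE_COMPANY_ID = 0x004C    # manufacturer-specific data company ID
APPLE_FIND_MY_TYPE = 0x12    # Apple offline-finding payload type
SERVICE_UUIDS = {0xFEED: "Tile", 0xFD5A: "Samsung SmartTag"}

def parse_ad_structures(payload: bytes):
    """Yield (ad_type, data) from a payload of [length][type][data] records."""
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):
            break                          # padding or truncated record: stop
        yield payload[i + 1], payload[i + 2:i + 1 + length]
        i += 1 + length

def classify(payload: bytes):
    """Return the tracker family an advertisement matches, or None."""
    for ad_type, data in parse_ad_structures(payload):
        if ad_type == 0xFF and len(data) >= 3:       # manufacturer-specific data
            company = int.from_bytes(data[:2], "little")
            if company == APPLE_COMPANY_ID and data[2] == APPLE_FIND_MY_TYPE:
                return "Apple Find My"
        elif ad_type in (0x02, 0x03, 0x16):          # UUID lists; 0x16 = one UUID + data
            end = min(len(data), 2) if ad_type == 0x16 else len(data)
            for j in range(0, end - 1, 2):
                uuid = int.from_bytes(data[j:j + 2], "little")
                if uuid in SERVICE_UUIDS:
                    return SERVICE_UUIDS[uuid]
    return None

def screen(observations, min_sightings=3):
    """observations: (seconds, address, payload). Return trackers seen repeatedly."""
    counts = {}
    for _, addr, payload in observations:
        family = classify(payload)
        if family:
            counts[(addr, family)] = counts.get((addr, family), 0) + 1
    return sorted(key for key, n in counts.items() if n >= min_sightings)

FIND_MY = bytes([0x1E, 0xFF, 0x4C, 0x00, 0x12, 0x19]) + bytes(25)
TILE = bytes([0x02, 0x01, 0x06, 0x03, 0x03, 0xED, 0xFE])
PHONE = bytes([0x02, 0x01, 0x1A, 0x0A, 0xFF, 0x4C, 0x00, 0x10, 0x05, 0x01, 0x18, 0, 0, 0])
SAMPLE = ([(t, "AA:AA:AA:00:00:01", FIND_MY) for t in (0, 2, 4, 6)]
          + [(1, "BB:BB:BB:00:00:02", TILE)] + [(t, "CC:CC:CC:00:00:03", PHONE) for t in range(5)])

if __name__ == "__main__":
    for addr, family in screen(SAMPLE):
        print(f"hold for inspection: {family} beacon from {addr}")
```

Trackers rotate their advertising address over time, so the sighting count is only meaningful within a short scan window at a fixed sorting point.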
Why Did Official Mail Channels Create the Vulnerability?
The journalist’s method—following official government instructions on how to contact the ship—underscores another layer of the problem. The information was public. The vulnerability wasn’t hidden or obscure. It existed in plain sight, protected only by the assumption that no one would exploit it, or that mail screening would catch anything dangerous.
The Dutch authorities responded by implementing a blanket ban on all electronic greeting cards. The measure treats the symptom—electronic devices in mail—rather than addressing the root vulnerability: the assumption that mail arriving through official channels poses no threat. It’s a reactive policy born from a specific exploit, but it signals how seriously the Navy took the breach.
What Does This Mean for Military Security Protocols?
This incident sits at the intersection of two security realities. First, consumer technology is now powerful enough to compromise military operations when security protocols don’t account for it. The same real-time location tracking capabilities that concern privacy advocates in connected vehicles now threaten operational security in military contexts.
Second, those protocols often lag behind what’s actually possible. A €5 device designed for civilian convenience became a tool for exposing a gap in one of Europe’s most heavily funded defense systems.
- Consumer tracking networks now cover most populated areas globally, making passive surveillance possible anywhere with smartphone density
- Military security protocols designed for traditional threats may not account for ubiquitous consumer technology
- The incident demonstrates how LoRaWAN and similar networks enable tracking in previously secure environments
The Dutch Navy’s response—banning electronic greeting cards—is practical but imperfect. It stops this specific attack vector while leaving others potentially open. More fundamentally, it illustrates how difficult it is to secure physical spaces against threats that originate in the consumer technology ecosystem. Every new tracking device, every connected gadget, every wireless-enabled object becomes a potential security concern when it can be mailed, carried, or smuggled into restricted areas.
Vervaart’s postcard serves as a reminder that military security isn’t only about firewalls and encryption. It’s about the physical world, mail sorting procedures, and the gap between what security planners assume will happen and what someone with a €5 tracker and public mailing instructions can actually accomplish. The convergence of consumer technology with military operations creates new vulnerabilities that traditional security frameworks struggle to address.