- June 18, 2020
- Posted by: Ken Stilwell
- Category: IoT, Security
Strava, a fitness-tracking app, is revealing potentially sensitive information about military bases and supply routes via its global heat-map website.
The heat map shows 1 billion activities and 3 trillion latitude/longitude points from “Strava’s global network of athletes,” according to the company; the idea is to make it easy to find common and popular workout locations. The data comes from people who use fitness devices such as Fitbits and shows where they have been exercising over the past two years.
The only issue is that some of those people are soldiers stationed at sensitive locations such as military bases. Most of the Middle East portions of the map are dark, except for pockets of activity here and there; those that don’t match up with known settlements and bases could be deduced to be secret installations.
Further, the data isn’t live, but it does show habitual workout routes; that’s information that could in theory be used to plan ambushes.
While arriving at that assessment may sound like a leap, Oliver Pinson-Roxburgh, EMEA director at Alert Logic, cautions that it’s imperative not to underestimate how such data can be used.
“I have seen some bizarre arguments on this in the past with people asking why we should care about hacking devices for location, arguing what could actually be done with the information,” he said, via email. “The military issues associated with this are alarming, and the military should be regularly testing these issues much like businesses should. There should really be no personal equipment or devices allowed during military operations, and military issued devices should be put through much more rigorous testing to look for different types of threats and risks to that of a commercial product.”
American soldiers and other personnel using fitness trackers could opt out of being tracked, if they remember to do so.
“Our global heat map represents an aggregated and anonymized view of over a billion activities uploaded to our platform,” a spokesperson said. “It excludes activities that have been marked as private and user-defined privacy zones. We are committed to helping people better understand our settings to give them control over what they share.”
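To make the two controls in that statement concrete, here is an added example (not Strava's code, and not a description of how Strava actually implements these settings) of how a platform can drop private activities and strip track points that fall inside a user-defined privacy zone before anything reaches an aggregated heat map. The zone format (centre latitude, centre longitude, radius in metres), the function names and the sample coordinates are all constructed assumptions for illustration.

```python
import math

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius, metres


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two (lat, lon) points in degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def in_privacy_zone(lat, lon, zones):
    """True if the point lies within the radius of any zone (zone = (lat, lon, radius_m))."""
    return any(haversine_m(lat, lon, zlat, zlon) <= radius for zlat, zlon, radius in zones)


def filter_activity(activity, zones):
    """Return the track points eligible for aggregation.

    An activity marked private contributes nothing; otherwise every point inside
    a privacy zone is removed and the remaining points are returned.
    """
    if activity.get("private"):
        return []
    return [(lat, lon) for lat, lon in activity["points"] if not in_privacy_zone(lat, lon, zones)]


def build_heatmap(activities, zones, cell_deg=0.001):
    """Aggregate the surviving points into a grid of counts keyed by cell index.

    Cells are roughly 100 m squares at this resolution; the count per cell is
    what a heat map renders as intensity.
    """
    counts = {}
    for act in activities:
        for lat, lon in filter_activity(act, zones):
            cell = (round(lat / cell_deg), round(lon / cell_deg))  # nearest cell centre
            counts[cell] = counts.get(cell, 0) + 1
    return counts


# Constructed sample data: one privacy zone of 500 m around an assumed home location,
# one public activity that starts inside the zone and leaves it, one private activity.
ZONES = [(35.0, 45.0, 500.0)]
ACTIVITIES = [
    {"id": "public-run", "private": False,
     "points": [(35.0, 45.0), (35.001, 45.0), (35.01, 45.0)]},
    {"id": "private-run", "private": True,
     "points": [(35.02, 45.0), (35.03, 45.0)]},
]

if __name__ == "__main__":
    for act in ACTIVITIES:
        print(act["id"], "->", filter_activity(act, ZONES))
    print(build_heatmap(ACTIVITIES, ZONES))
```

The point about 1.1 km from the zone centre survives the filter and lands in the aggregate; that is exactly the habitual-route residue the article describes, so a privacy zone protects a specific location but not the pattern of where a user runs once outside it.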
For its part, the US Department of Defense said that it was reviewing the situation.
“The DoD takes matters like these very seriously and is reviewing the situation to determine if any additional training or guidance is required, and if any additional policy must be developed to ensure the continued safety of DoD personnel at home and abroad,” it said in a statement.
Tom Bonner, senior manager of threat research EMEA at Cylance, told us via email that the incident serves to highlight a distinct lack of operational security employed by various government organizations around the world.
“Access to personal communication devices with geolocation services should be banned in sensitive/restricted locations, and broader assessments and awareness training undertaken by employers to understand and mitigate the potential risk posed by these types of services,” he said.