
Secret military bases revealed by fitness app Strava

Someone has stumbled on what looks like a simple way to work out where US military personnel are stationed in foreign campaigns – track them via their Fitbits or smartphones.

Until recently this wouldn’t have been possible, but in November fitness app Strava posted its impressive Global Heat Map, which logs the activity history of the software’s tens of millions of active users. That’s not a small amount of data: users logged 17bn miles of jogging and cycling and three trillion GPS data points in the two years to September 2017.

In countries such as the US or UK, at any zoom level, the Heat Map shows an indecipherable mess of coloured lines, a reflection of its large user base.

However, when student Nathan Ruser looked more closely at countries such as Afghanistan and Syria he noticed vast dark areas dotted with small islands of user activity.

After he tweeted this discovery, other users suggested these activity hotspots might coincide with the presence of US military personnel, sometimes in places where their activity is not widely publicised.

According to the Washington Post, this could include a special forces base in the Sahel, as well as operations in Afghanistan and Syria.

The security issue isn’t simply that US forces are active in these locations but the level of detail Strava reveals about how they move around their environment.

Tweeters claiming to have a military background didn’t take long to work out the apparent security fail:

Patrol routes, isolated patrol bases, lots of stuff that could be turned into actionable intelligence.

And it’s not just the US military that seems to have taken to Strava – activity is reported to be visible around a Russian base in Syria and Britain’s base in the Falkland Islands.

In response, the US-led Coalition in Syria and Iraq said:

The Coalition is in the process of implementing refined guidance on privacy settings for wireless technologies and applications, and such technologies are forbidden at certain Coalition sites and during certain activities.

So is the risk from this data as bad as claimed?

Although the data is now months old, the patterns it probably contains might be revealed to anyone willing to invest time analysing it. Some of these are obvious: it’s hardly a secret that the US has a lot of soldiers in certain parts of Afghanistan, for instance.

What’s probably true is that the US military’s decision some years ago to encourage soldiers to use Fitbits was based on naïve assumptions about how much data these platforms capture. The British Army faces the same problem.

In Strava, users can share data with a peer group if they choose – many see this competitive aspect as the whole point of Strava – but even when this is turned off, activity is still logged for use by the Heat Map unless an opt-out is selected in the privacy settings.

Strava also offers users the ability to hide start and end points (usually a user’s home address or workplace) by creating a privacy zone.

There will be voices demanding that apps such as Strava be outlawed for use by soldiers in the field. This seems a bit extreme. The privacy controls are there, after all. The problem is that not enough personnel have been using them.

Pentagon spokesman Major Adrian J.T. Rankine-Galloway of the U.S. Marine Corps wrote:

We take matters like these very seriously and are reviewing the situation to determine if any additional training or guidance is required, and if any additional policy must be developed to ensure the continued safety of DoD personnel at home and abroad.



Source: Naked Security
