Massive Security Flaw in Fitness App Is Putting Soldiers & Intelligence Agents at Risk of Exposure
Earlier in the year, a report revealed how Strava fitness app was revealing information of its users, unwittingly leaking details of military bases in several places, including Afghanistan, Iraq and Syria. It now appears this could potentially be an industry-wide problem as researchers have seen another fitness app leaking even more sensitive information.
"Polar, a fitness app, is revealing the homes and lives of people exercising in secretive locations, such as intelligence agencies, military bases and airfields, nuclear weapons storage sites, and embassies around the world," researchers reported after a joint investigation between Bellingcat and Dutch journalism platform De Correspondent.
The research shows that Polar publicizes more data per user in a more accessible way, with potentially disastrous results. Similar to Strava, Polar is showing an individual's activity - their route, date, time, etc - on the map, and then adds even more information potentially revealing this same information about their home.
Anyone could see sensitive details of soldiers and intelligence officials using Polar's Explore feature
Researchers wrote that tracing all this information is pretty simple using the site. All one needs to do is find a military base, select an exercise to identify the attached profile, and see where else this person has exercised.
"As people tend to turn their fitness trackers on/off when leaving or entering their homes, they unwittingly mark their houses on the map," Bellingcat wrote. "Users often use their full names in their profiles, accompanied by a profile picture - even if they did not connect their Facebook profile to their Polar account."
While showing fitness activity is a norm, Polar goes a step ahead by showing all the exercises that an individual has done since 2014, all over the world on a single map.
As a result, you only need to navigate to an interesting site, select one of the profiles exercising there, and you can get a full history of that individual.
A Finnish company, Polar produces a number of smart devices, including the Polar Balance smart scale, the M600 smartwatch, and M430 running watch. These devices connect to Polar Flow, the company's fitness app.
The company said users can opt out of having their profiles shared with the public. However, the researchers discovered a flaw in the app that could be exploited to get information from users who had their profile set to private. The research finds at least 6,460 users from 69 countries (including soldiers in volatile areas such as Baghdad or the Korean DMZ, NSA employees, and others) who used the service near sensitive facilities thereby leaking their whereabouts, including their home addresses.
"Together, these users had made over 650,000 exercises, marking the places they work, live, and go on vacation.
We can find Western military personnel in Afghanistan through the Polar site. Cross-checking one name and profile picture with social media confirmed one soldier or officer’s identity. Polar showed his runs in several military bases spread throughout the Middle East, as well as the start and finish of dozens of exercises from a house in New York state. In early 2017, as the Polar app freely tells us, he made a trip to the west-side of the US and used a bike there. He also logged exercise from a hotel during a stay in Thailand. All this activity was accompanied with a time-stamp, his exact route, his heart-rate, and the amount of calories he burned."
Polar suspends its global activity map after privacy concerns
The company has now suspended the Explore feature that enables users to publicize their activity. "We are aware that potentially sensitive locations are appearing in public data, and have made the decision to temporarily suspend the Explore API," it said in a statement. "We are analyzing the best options that will allow Polar customers to continue using the Explore feature while taking additional measures to remind customers to avoid publicly sharing GPS files of sensitive locations."
While Polar fixes these vulnerabilities, this latest security disaster does reveal that people in sensitive jobs continue to fall for convenience over security often forgetting that they need to be more cautious about using technology. It would be ideal to have these tech companies care more about user security and privacy, however, it is more than evident now that it is the users who will need to work to protect themselves online since even the biggest and most successful tech companies have time and again failed at keeping their users secure.