How Soldiers Are Revealing Sensitive Information by Letting Fitness Apps Track Them

Jan 29, 2018

A fitness tracking app has unwittingly leaked the locations of military bases in Afghanistan, Iraq, Syria and elsewhere. Strava logs user movements as they walk, jog, cycle or run, for fitness tracking purposes. It now appears the app has also exposed the layout of several military bases around the world. Along with known bases, the map shows the routes forces take when moving outside them, information an attacker could use to plan an ambush.

Fitness tracking app exposes military bases/routes

San Francisco-based Strava boasts 27 million users around the world, many of whom feed the app from popular devices like Fitbit and Jawbone. While the leak may appear accidental, it comes out of an intentional “feature” advertised by Strava. In November 2017 the company published an interactive heatmap built from roughly 3 trillion GPS points contributed by all its users, highlighting how many people around the globe were using it to track their fitness.


What it also did, however, was highlight hotspots of intense fitness activity in the middle of nowhere, leaking the locations of military bases. The issue became public after Nathan Ruser, an analyst with the Institute for United Conflict Analysts, showed how this trillion-point dataset could be used for intelligence gathering.

The map created by Strava Labs shows “direct visualization of Strava’s global network of athletes,” as the company calls it. It highlights the movements of app users, hinting at high-activity paths. This means that the data also highlights specific locations that stand out for their intense activity. For example, in Iraq, the map is dark except for some points (known military bases) that are highlighted.

“In Syria, known Coalition (i.e. US) bases light up the night,” Tobias Schneider, a Middle East security analyst, tweeted. “Some light markers over known Russian positions, no notable coloring for Iranian bases.”

“A lot of people are going to have to sit thru lectures come Monday morning.”

Others pointed out that the map may show more than exercise routes: it could reveal patrol routes logged by users who forgot to turn the app off. Bases are mostly known and fixed; tracking movements is far more dangerous, Schneider added.

“Big OPSEC and PERSEC fail,” Nick Waters, a former British army officer, tweeted. “Patrol routes, isolated patrol bases, lots of stuff that could be turned into actionable intelligence.”

Privacy concerns around tracking apps and devices are discussed routinely, so it is surprising that, amid all the talk of cyberwar, military personnel have yet to grasp the real repercussions of using these products and services. Privacy experts warn that this data (and the far larger volume that never reaches the public but could be accessed by hackers or government-sponsored attackers) could be used not only for tracking movements but also to recover the usernames and profiles of individual service members.

As for Strava, the company said soldiers should have opted out of the feature, as “athletes with the Metro/heatmap opt-out privacy setting have all data excluded” from this interactive map. The US Department of Defense has said that it’s “reviewing the situation to determine if any additional training or guidance is required, and if any additional policy must be developed to ensure the continued safety of DoD personnel at home and abroad.”
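The mechanism behind the leak described above, and why a per-user opt-out does not fix it, can be shown with a small aggregation model. The following is an added example written for this page, not Strava's code; it assumes a simple equal-angle grid (about 1 km per cell), constructed tracks for a "city" and a "compound" (no real GPS data), and hypothetical thresholds. It rasterizes GPS fixes into cells, renders cells above an intensity threshold, and then applies two mitigations: the per-user opt-out the company points to, and a k-anonymity rule that requires several distinct contributors before a cell is drawn.

```python
import math
from collections import defaultdict

CELL_DEG = 0.01  # grid cell size in degrees (~1 km); an assumption for this example


def cell_of(lat, lon, cell=CELL_DEG):
    """Map a GPS fix to the grid cell it will be rasterized into."""
    return (math.floor(lat / cell), math.floor(lon / cell))


def build_heatmap(tracks, cell=CELL_DEG):
    """Aggregate activities into cells.

    tracks: iterable of dicts {"user": id, "opt_out": bool, "points": [(lat, lon), ...]}
    Returns {cell: {"points": n, "users": set_of_user_ids}}.
    Users with the opt-out flag contribute nothing, mirroring a per-user
    heatmap opt-out setting.
    """
    grid = defaultdict(lambda: {"points": 0, "users": set()})
    for t in tracks:
        if t.get("opt_out"):
            continue
        for lat, lon in t["points"]:
            c = cell_of(lat, lon, cell)
            grid[c]["points"] += 1
            grid[c]["users"].add(t["user"])
    return dict(grid)


def lit_cells(grid, min_points=1, min_users=1):
    """Cells that get drawn: an intensity threshold on fixes plus an optional
    k-anonymity threshold on distinct contributors."""
    return {c for c, v in grid.items()
            if v["points"] >= min_points and len(v["users"]) >= min_users}


def loop(lat0, lon0, n, radius=0.002):
    """n GPS fixes on a small loop around (lat0, lon0), all inside one cell."""
    return [(lat0 + radius * math.sin(2 * math.pi * i / n),
             lon0 + radius * math.cos(2 * math.pi * i / n)) for i in range(n)]


# Constructed sample data (not real tracks): 40 casual users in a city, each
# logging 10 fixes, and 3 users at a remote compound who run the same
# perimeter loop over and over (200 fixes each).
CITY = (37.775, -122.425)
COMPOUND = (33.305, 44.405)
TRACKS = (
    [{"user": f"city{i}", "opt_out": False, "points": loop(*CITY, 10)} for i in range(40)]
    + [{"user": f"base{i}", "opt_out": False, "points": loop(*COMPOUND, 200)} for i in range(3)]
)
CITY_CELL = cell_of(*CITY)
COMPOUND_CELL = cell_of(*COMPOUND)


def naive_render(tracks=TRACKS):
    """Draw every cell with at least 300 fixes: three people running laps
    in the desert light up as brightly as a whole city block."""
    return lit_cells(build_heatmap(tracks), min_points=300)


def opt_out_render(tracks=TRACKS):
    """One compound user opts out; the other two still light the cell."""
    with_opt_out = [dict(t, opt_out=(t["user"] == "base0")) for t in tracks]
    return lit_cells(build_heatmap(with_opt_out), min_points=300)


def k_anon_render(tracks=TRACKS, k=5):
    """Same intensity threshold, but a cell is drawn only if at least k
    distinct users contributed to it; the compound disappears."""
    return lit_cells(build_heatmap(tracks), min_points=300, min_users=k)


if __name__ == "__main__":
    print("naive:", naive_render())
    print("per-user opt-out:", opt_out_render())
    print("k-anonymity (k=5):", k_anon_render())
```

The point the model makes: intensity is a count of fixes, not of people, so a handful of users repeating the same route produces a hotspot indistinguishable from heavy civilian use, and a per-user opt-out only removes the users who flip the setting. Suppressing cells with too few distinct contributors (or smearing them over a coarser grid) addresses the location leak at the aggregation step rather than relying on every soldier finding the setting.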

The Pentagon had itself encouraged the use of Fitbits among military personnel and had actually distributed 2,500 units in 2013. “Recent data releases emphasize the need for situational awareness when members of the military share personal information,” Major Audricia Harris, a Pentagon spokeswoman, said. “DoD takes matters like these very seriously […] and recommends limiting public profiles on the internet, including personal social media accounts.”