Fitness Tracker Strava Accidentally Reveals Sensitive Military Positions
A fitness tracker app reveals the locations of military personnel on a heat map that the app uses to show how widely it is used. This security risk was reported by The Guardian. The fitness tracker Strava logs the route of every workout its users record. This includes biking, cycling, walking, running, and swimming sessions. It also logs the location of workouts that occur inside a building, even when it is a military facility!
US OPSEC (Operations Security) concurs that Strava does indeed show classified military installations on its user heat map. In addition, the fitness tracker is mapping the inside of sensitive military outposts when the users are service personnel stationed in the US and overseas.
The data is uploaded by any user who leaves the default security settings in place while exercising. In order not to share a location on the map, users must disable that function. Not only is aggregate workout data uploaded, but individual users are identifiable too.
Robert Joyce, President Trump’s Cybersecurity Coordinator of the National Security Council, stated “it’s really clear that that heat map is a security risk,” and it is expected that service members’ use of Strava and other fitness trackers would be restricted while on active duty.
Map apps like Google and Bing maps don’t display details of known military installations. The revealed installations include US military installations as well as those of other nations. The map reveals the workout patterns of personnel using the app to monitor their progress.
Strava is more than just a fitness tracker; it is a social media channel as well. Thus the public sharing of workouts. According to Strava’s website, on the company’s About Us page: “Strava is the social network for athletes. We’re a global community of millions of runners, cyclists and triathletes, united by the camaraderie of sport. Our website and mobile apps bring athletes together from all walks of life and inspire them to unlock their potential.”
More Security Risks
Strava also has a feature known as Beacon. This feature allows users to share their real-time location with up to three contacts. Although this feature is good for loved ones by giving them peace of mind that you are okay and still moving, it does present another security concern.
Sites like Facebook are a favorite for social engineering attacks. Strava identifies itself as a social media channel for athletes. If a hacker can get hold of your hometown from the app, plus some more personal information from another social channel, they have a lot on you to begin hacking your financial records. Add your real-time location, and you leave your home open to a real-time break-in!
The heat map can be viewed on Strava’s website.