A feature in the fitness tracking app Strava meant to promote competition between users has instead been put to clever use by unknown spies, tracking members of the Israeli military as they run routes on secret military bases.
The fitness tracking app may have inadvertently compromised not only classified locations, but the movement of personnel over extended periods of time. One example was a member of the military who won a race and had their name made public; they also tracked the race on Strava, which could then be used to view all of the other locations that they had exercised at.
Not a code exploit: Built-in feature of fitness tracking app has loopholes
The risk is not just theoretical: security researchers found an anonymous profile located in Boston that had been actively abusing the fitness tracking app to track users running in known military bases and outposts throughout Israel.
The vulnerability is in a feature called “segments” that allows Strava users to define portions of running trails in which they can record their own best times. The idea of the feature is to have users post their segment times and compete to top each other. The problem is that the Strava user does not have to visit the actual location to set up a segment; they can simply upload GPS data recorded by a variety of other devices. This creates the possibility to upload fabricated GPS data, something that has clearly been happening given Strava segments that feature impossible times or routes.
A Strava user anywhere in the world can thus insert themselves into any running route they care to by creating one of these segments. Once this is done, they can exploit another feature oversight in the fitness tracking app: the dropping of certain privacy features when a user opts to upload their data to a segment. Strava users can usually make their personal profiles private, or open them up only to approved followers. However, regardless of these settings their segment records (which are accessible to anyone using the app) will always contain their first name, first initial of their last name and profile picture unless they individually disable this for each particular segment.
Users of the fitness app may thus unwittingly leave a record, viewable by anyone, of everywhere they have run with the app active. If such a user is a known member of the military, the locations of bases and sensitive programs can be inferred by going through their publicly visible segments.
The total scope of the Boston-based surveillance campaign appeared to encompass at least 100 individuals who had gone for a run or bike ride at six Israeli military bases whose locations are not disclosed to the public. The user’s name on the fitness tracking app was “Ez Shehl”, but there is apparently no other useful personal information available about them. Most of the segments they created had telltale signs of manipulated GPS data, such as covering long distances in less than a second. The campaign apparently tracked at least one senior defense official.
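The telltale sign mentioned above, a segment that covers a long distance in under a second, is something a platform can check mechanically before accepting an uploaded track. The following is an added example, not Strava’s code or FakeReporter’s method: a Python plausibility check over a GPS track, using a haversine distance and an assumed 12 m/s ceiling for a human runner on constructed sample coordinates.

```python
from __future__ import annotations
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt

# Assumed ceiling: world-class sprinters peak near 12 m/s, so a sustained
# leg faster than this was not produced by a person running.
MAX_RUN_SPEED_MPS = 12.0
EARTH_RADIUS_M = 6_371_000.0

@dataclass(frozen=True)
class Fix:
    t: float    # seconds since track start
    lat: float  # degrees
    lon: float  # degrees

def haversine_m(a: Fix, b: Fix) -> float:
    """Great-circle distance in metres between two GPS fixes."""
    phi1, phi2 = radians(a.lat), radians(b.lat)
    dphi = phi2 - phi1
    dlmb = radians(b.lon - a.lon)
    h = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(h))

def implausible_legs(track: list[Fix], max_speed: float = MAX_RUN_SPEED_MPS) -> list[tuple[int, str]]:
    """Return (index, reason) for each leg track[i-1] -> track[i] that a
    runner could not have produced: a stalled or reversed clock, or a
    speed above max_speed (the 'long distance in under a second' case)."""
    findings = []
    for i in range(1, len(track)):
        prev, cur = track[i - 1], track[i]
        dt = cur.t - prev.t
        dist = haversine_m(prev, cur)
        if dt <= 0:
            findings.append((i, f"non-increasing timestamp: {dist:.0f} m in {dt:.0f} s"))
        elif dist / dt > max_speed:
            findings.append((i, f"{dist:.0f} m in {dt:.0f} s = {dist / dt:.0f} m/s"))
    return findings

def looks_fabricated(track: list[Fix]) -> bool:
    return bool(implausible_legs(track))

# Constructed sample tracks (not real data); coordinates are arbitrary.
GENUINE_RUN = [Fix(4.0 * i, 32.0 + 0.0001 * i, 34.8) for i in range(6)]   # ~11 m every 4 s
TELEPORT_RUN = [Fix(0.0, 32.0, 34.8), Fix(1.0, 32.01, 34.8), Fix(5.0, 32.0101, 34.8)]  # ~1.1 km in 1 s
STALLED_CLOCK = [Fix(0.0, 32.0, 34.8), Fix(0.0, 32.0001, 34.8)]            # moved with no time elapsed

if __name__ == "__main__":
    for name, trk in (("genuine", GENUINE_RUN), ("teleport", TELEPORT_RUN), ("stalled", STALLED_CLOCK)):
        print(name, implausible_legs(trk))
```

A real deployment would also compare against the device’s own sensor metadata and historical pace for the account, but the speed check alone rejects the tracks described in this article.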
The campaign was uncovered by FakeReporter, an Israel-based media source that focuses on disinformation and scams. The investigation was naturally local in focus, but there is no reason to believe the same technique could not be applied to spy on military and government figures in any other nation. Strava is based in the United States, has been available since 2009, is currently offered in 14 languages, and has an estimated 100 million users around the world.
Second serious privacy issue for fitness tracking app involving compromise of military locations
Strava has run into this exact sort of trouble before. The fitness tracking app ran into controversy in 2018 with another feature, “heat maps”, which showed the routes users were taking in terms of relative popularity. A heat map could be generated by just one user taking a particular route, however, and the routes of app users on military bases became visible to all other users. App users were able to opt out of this feature, but were opted in by default; Strava did not offer any remediation other than to tell users in the military and other sensitive positions to disable the setting. The issue prompted a US Department of Defense review of personnel use of the app, which culminated in an August 2018 ban on all apps that incorporate GPS tracking features.
Strava’s automatic tagging feature also created some general controversy in 2020. Another feature that was enabled by default, it would automatically “tag” app users that happened to pass each other. Those users would then see links to the other person’s profile along with their personal running route, which would quite often display a trail directly to their front door. Users of the fitness tracking app have to go into the privacy settings and disable the “Flyby” feature to stop this from happening.
Tom Lysemose Hansen, CTO at Promon, observes that these features are actually quite popular despite the potential for privacy invasion and abuse, and this is something that must be addressed at the app design level: “This story highlights a dilemma between users wanting social interaction via sharing their data and the privacy of that data. Quite simply, users cannot have their cake and eat it. As shown in this case, the use of cloud based storage will always pose a significant risk. We need to move to a model where data is mastered on device and is only shared with chosen individuals via a key exchange mechanism. With such an approach, nobody else, including Strava, would be able to read that data. However, with companies such as Strava seeing great value in user data this is clearly an unattractive business proposition.”