The Limited Times


How the fitness app Strava betrayed the Israeli military


With a simple trick, anyone using the Strava app could track the movements of Israeli soldiers at secret bases. The problem had been known for years.


Strava Website: Virtual jogging routes that others actually ran


Hardly anything spurs you on more when jogging than a particularly fit follower.

Fitness apps like Strava work according to this principle: anyone who transmits their movement data to the app provider's servers can constantly compare themselves with other joggers.

This function is now once again proving to be a security problem for military personnel.

As the British "Guardian" reports, citing the Israeli organization FakeReporter, it was possible, for example, to track a member of the military at a secret military base.

Strava not only revealed the jogging routes around the facility itself; the data also made it possible to reconstruct the soldier's trips to other bases and abroad.

The finding is not new in itself: As early as 2018, the Pentagon had banned soldiers from using such apps in combat operations.

In areas like Syria in particular, the data traces from US soldiers on Strava's publicly available "heat maps" were so conspicuous that the US military was concerned about their safety.

In addition, such data can reveal troop movements.

Identifiable even without a name

The new revelation shows that even those who did not make their training data visible to the general public could be tracked.

This required a simple trick: an unknown person had created several virtual jogging routes that led through military bases and along (known) secret service locations.

In this way, the attacker gained insight into the data of people who – unlike himself – were actually traveling on these routes.

The case shows the difference between full anonymization and pseudonymization.

Strava allows you to make your own profile private, so that only friends and acquaintances have access to all training data.

What many may not be aware of: the profiles are still displayed to supposed fellow joggers who register on the same route.

Although the full name is removed, the displayed profile picture and other information still reveal whether two entries belong to the same runner.

If the profile picture then appears at a public event such as a marathon, identification is relatively easy.

If you don't want that, you have to set each individual jogging route to private - or do without apps like Strava altogether.

In a statement, Strava expressed thanks for the information and told SPIEGEL that the problem with the routes found had now been resolved.

Nevertheless, the company points out that users are ultimately responsible for how they share their data: “We provide easily accessible information on how information is shared on Strava and give each athlete the opportunity to set their own privacy settings.”

FakeReporter has meanwhile announced on Twitter that there is probably no foreign secret service behind the suspicious jogging routes, but merely "an anonymous Israeli blogger and secret service enthusiast" who wanted to test and demonstrate the possibility of such an attack.

However, it is unknown whether others have also used this information in the meantime.

Source: spiegel

All tech articles on 2022-06-22
