Over the weekend, the popular fitness tracking app Strava proudly published a "2017 heat map" showing activities from its users around the world, but unfortunately, the map revealed what it shouldn't—locations of the United States military bases worldwide.
Strava which markets itself as a "social-networking app for athletes" publicly made available the global heat map, showing the location of all the rides, runs, swims, and downhills taken by its users, as collected by their smartphones and wearable devices like Fitbit.
Since Strava has been designed to track users' routes and locations, IUCA analyst Nathan Ruser revealed that the app might have unintentionally mapped out the location of some of the military forces around the world, especially some secret ones from the United States.
With a total of one billion activities logged on the Strava's activity map, it is a whole lot of useful data from all over the world.
Although Strava's publicly available activity map was live as of November 2017, Ruser recently noticed that the map includes the fitness routes of army soldiers and agents in secret base locations, including U.S. military bases in Afghanistan and Syria, a suspected CIA base in Somalia and even Area 51.
What's more? Security experts on Twitter have also discovered potentially sensitive American military bases in Somalia, Afghanistan and Syria; secret Russian military bases in Ukraine; a secret missile base in Taiwan, as well as an NSA base in Hawaii.
Ruser said that the map allowed him to find out regular jogging routes for military personnel, which is bad news for security, as it establishes reliable "pattern of life" information that would otherwise be secret from the rest of the world.
"If soldiers use the app like normal people do, by turning it on tracking when they go to do exercise, it could be especially dangerous. This particular track looks like it logs a regular jogging route. I shouldn't be able to establish any Pattern of life info from this far away," Ruser tweeted.
Should Strava be blamed entirely for this revelation?
Strava said its heat map is based only on publically available data, and the company does offer a private mode that allows its users to turn off data sharing outside of the app.
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!Join the Session
However, it appears that many American and foreign military personnel using the app were sharing the confidential information publicly—perhaps without the knowledge or realising the implication, which is terrible.
What's even worse?
A security researcher told the Washington Post that this publically available data could even help enemy forces plan an "attack or ambush U.S. troops in or around the bases."
To make things even worse, some experts have also found ways to deanonymize the Strava heatmap, identifying individuals and their location where they have been exercising.
Strava has reminded its users that they could turn off location services for the app and that the map does not include private activities or areas deemed private.
"Our global heat map represents an aggregated and anonymised view of over a billion activities uploaded to our platform," Strava said in a statement. "It excludes activities that have been marked as private and user-defined privacy zones. We are committed to helping people better understand our settings to give them control over what they share."The incident is a great reminder for people, especially for those working in or around sensitive locations, to turn off location sharing services for everything.
Moreover, militaries should also consider limiting smartphones and wearables use in sensitive areas as well as educate their soldiers on the importance of privacy.