Application Security

1/29/2018
10:33 AM
50%
50%

Strava Fitness App Shares Secret Army Base Locations

The exercise tracker published a data visualization map containing exercise routes shared by soldiers on active duty.

In November 2017, the Strava fitness tracking app published a visualization map to show where users exercise across the world. However, that map also revealed location information about military bases and spy posts around the world, military analysts report.

The company lets users record running, walking, or biking activity on their smartphones or wearables, and upload it to the Internet. Military analysts noticed the map - which was constructed using more than three trillion individual GPS data points - has enough detail to give away potentially sensitive data on where soldiers on active duty are located. Users in locations like Afghanistan and Syria seem to exclusively be military personnel, they say.

"If soldiers use the app like normal people do, by turning it on and tracking when they go to do exercise, it could be especially dangerous," says Nathan Ruser, analyst with the Institute for United Conflict Analysts. On Strava's map, the Helmand province of Afghanistan shows the layout of operating bases via exercise routes. The base is absent from satellite views on both Google Maps and Apple Maps.

These findings arrive the day after Data Privacy Day, which was created to encourage both individuals and businesses to respect user privacy and protect data. Strava's decision to publish sensitive location data is part of a growing discussion around how companies should handle the massive amount of information they collect on users.

Read more details here.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/1/2018 | 12:00:57 PM
Re: Sharing data
@Dr.T: More to the point, I've also found that, for people who engage and share practically nil online, it's much easier to find information out about them online because all that's left on Google are the data harvesters and data sellers -- particularly because the people who don't engage online tend to do a poor job of protecting their privacy beyond the mentality of "Well, I'm maintaining my privacy as long as I'm no on Facebook" (as if privacy and Facebook were correlated in such a binary fashion).
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/31/2018 | 8:04:54 AM
Re: Sharing data
@Dr.T: There are more checks and balances on gathering data on citizens directly rather than purchasing it from companies. (See, e.g., that URL from the other comment.)
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2018 | 7:45:36 PM
Re: Sharing data
I work to consciously control the flow of information to mitigate things. I do the same, if I feel it is not suppose to be shared with anyone that information does not end up in the internet for me.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2018 | 7:44:01 PM
Re: Sharing data
I've accepted that various information about me is going to be readily accessible online -- particularly because of the nature of my work. That is true, it is the same for many of us, we can share willingly since it is not sensitive data.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2018 | 7:42:17 PM
Re: Sharing data
Uphill battle, though, given a population addicted to always online, sharing and comparing. This is a good point. Sharing and comparing is ok but if for sensitive location then we end up with these problems.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2018 | 7:39:31 PM
Re: Sharing data
Realistically, they're either making it public, or they're selling it directly to government agencies. Interesting idea. Would government agencies not have the data already?
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2018 | 7:38:04 PM
Army location
One thing I am sure everybody knows where the army stations are and where the soldiers practice. You do not need tracking app for that.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/30/2018 | 1:52:06 PM
Re: Sharing data
@Brian: For my own part, I've accepted that various information about me is going to be readily accessible online -- particularly because of the nature of my work.

That said, via my writing, my social presences (which I manage by assuming anyone or just about anyone can read what I put -- regardless of my restrictions), etc., I work to consciously control the flow of information to mitigate things.
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
1/30/2018 | 12:49:09 PM
Re: Sharing data
@JoeS: "...realistically the best solution is to do what you can to share little with companies to begin with."  That sound advice, worded many different ways, can be found in every security-centric site.  Uphill battle, though, given a population addicted to always online, sharing and comparing. 
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/29/2018 | 11:16:54 PM
Sharing data
Realistically, they're either making it public, or they're selling it directly to government agencies. ( See, e.g., this from recent headlines about license-plate location data: theverge.com/2018/1/26/16932350/ice-immigration-customs-license-plate-recognition-contract-vigilant-solutions ).

We'll see how things change with GDPR, but realistically the best solution is to do what you can to share little with companies to begin with.
Microsoft, Mastercard Aim to Change Identity Management
Kelly Sheridan, Staff Editor, Dark Reading,  12/3/2018
Windows 10 Security Questions Prove Easy for Attackers to Exploit
Kelly Sheridan, Staff Editor, Dark Reading,  12/5/2018
Starwood Breach Reaction Focuses on 4-Year Dwell
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/5/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: I guess this answers the question: who's watching the watchers?
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19991
PUBLISHED: 2018-12-10
VeryNginx 0.3.3 allows remote attackers to bypass the Web Application Firewall feature because there is no error handler (for get_uri_args or get_post_args) to block the API misuse described in CVE-2018-9230.
CVE-2018-19653
PUBLISHED: 2018-12-09
HashiCorp Consul 0.5.1 through 1.4.0 can use cleartext agent-to-agent RPC communication because the verify_outgoing setting is improperly documented. NOTE: the vendor has provided reconfiguration steps that do not require a software upgrade.
CVE-2018-19982
PUBLISHED: 2018-12-09
An issue was discovered on KT MC01507L Z-Wave S0 devices. It occurs because HPKP is not implemented. The communication architecture is APP > Server > Controller (HUB) > Node (products which are controlled by HUB). The prerequisite is that the attacker is on the same network as the target HU...
CVE-2018-19983
PUBLISHED: 2018-12-09
An issue was discovered on Sigma Design Z-Wave S0 through S2 devices. An attacker first prepares a Z-Wave frame-transmission program (e.g., Z-Wave PC Controller, OpenZWave, CC1110, etc.). Next, the attacker conducts a DoS attack against the Z-Wave S0 Security version product by continuously sending ...
CVE-2018-19980
PUBLISHED: 2018-12-08
Anker Nebula Capsule Pro NBUI_M1_V2.1.9 devices allow attackers to cause a denial of service (reboot of the underlying Android 7.1.2 operating system) via a crafted application that sends data to WifiService.