Application Security

1/29/2018
10:33 AM

Strava Fitness App Shares Secret Army Base Locations

The exercise tracker published a data visualization map containing exercise routes shared by soldiers on active duty.

In November 2017, the Strava fitness tracking app published a visualization map to show where users exercise across the world. However, that map also revealed location information about military bases and spy posts around the world, military analysts report.

The company lets users record running, walking, or biking activity on their smartphones or wearables, and upload it to the Internet. Military analysts noticed the map - which was constructed using more than three trillion individual GPS data points - has enough detail to give away potentially sensitive data on where soldiers on active duty are located. Users in locations like Afghanistan and Syria seem to exclusively be military personnel, they say.

"If soldiers use the app like normal people do, by turning it on and tracking when they go to do exercise, it could be especially dangerous," says Nathan Ruser, analyst with the Institute for United Conflict Analysts. On Strava's map, the Helmand province of Afghanistan shows the layout of operating bases via exercise routes. The base is absent from satellite views on both Google Maps and Apple Maps.

These findings arrive the day after Data Privacy Day, which was created to encourage both individuals and businesses to respect user privacy and protect data. Strava's decision to publish sensitive location data is part of a growing discussion around how companies should handle the massive amount of information they collect on users.

Read more details here.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Comments
Joe Stanganelli,
User Rank: Ninja
2/1/2018 | 12:00:57 PM
Re: Sharing data
@Dr.T: More to the point, I've also found that, for people who engage and share practically nil online, it's much easier to find information out about them online because all that's left on Google are the data harvesters and data sellers -- particularly because the people who don't engage online tend to do a poor job of protecting their privacy beyond the mentality of "Well, I'm maintaining my privacy as long as I'm not on Facebook" (as if privacy and Facebook were correlated in such a binary fashion).
Joe Stanganelli,
User Rank: Ninja
1/31/2018 | 8:04:54 AM
Re: Sharing data
@Dr.T: There are more checks and balances on gathering data on citizens directly rather than purchasing it from companies. (See, e.g., that URL from the other comment.)
Dr.T,
User Rank: Ninja
1/30/2018 | 7:45:36 PM
Re: Sharing data
I work to consciously control the flow of information to mitigate things. I do the same, if I feel it is not supposed to be shared with anyone that information does not end up in the internet for me.
Dr.T,
User Rank: Ninja
1/30/2018 | 7:44:01 PM
Re: Sharing data
I've accepted that various information about me is going to be readily accessible online -- particularly because of the nature of my work. That is true, it is the same for many of us, we can share willingly since it is not sensitive data.
Dr.T,
User Rank: Ninja
1/30/2018 | 7:42:17 PM
Re: Sharing data
Uphill battle, though, given a population addicted to always online, sharing and comparing. This is a good point. Sharing and comparing is ok but if for sensitive location then we end up with these problems.
Dr.T,
User Rank: Ninja
1/30/2018 | 7:39:31 PM
Re: Sharing data
Realistically, they're either making it public, or they're selling it directly to government agencies. Interesting idea. Would government agencies not have the data already?
Dr.T,
User Rank: Ninja
1/30/2018 | 7:38:04 PM
Army location
One thing I am sure everybody knows where the army stations are and where the soldiers practice. You do not need a tracking app for that.
Joe Stanganelli,
User Rank: Ninja
1/30/2018 | 1:52:06 PM
Re: Sharing data
@Brian: For my own part, I've accepted that various information about me is going to be readily accessible online -- particularly because of the nature of my work.

That said, via my writing, my social presences (which I manage by assuming anyone or just about anyone can read what I put -- regardless of my restrictions), etc., I work to consciously control the flow of information to mitigate things.
BrianN060,
User Rank: Ninja
1/30/2018 | 12:49:09 PM
Re: Sharing data
@JoeS: "...realistically the best solution is to do what you can to share little with companies to begin with."  That sound advice, worded many different ways, can be found in every security-centric site.  Uphill battle, though, given a population addicted to always online, sharing and comparing. 
Joe Stanganelli,
User Rank: Ninja
1/29/2018 | 11:16:54 PM
Sharing data
Realistically, they're either making it public, or they're selling it directly to government agencies. (See, e.g., this from recent headlines about license-plate location data: theverge.com/2018/1/26/16932350/ice-immigration-customs-license-plate-recognition-contract-vigilant-solutions).

We'll see how things change with GDPR, but realistically the best solution is to do what you can to share little with companies to begin with.