Another Security Breach: Fitness Trackers That Track Things Way Beyond Fitness
Another day, another privacy breach. This time, it’s not Facebook knowing what you eat for breakfast, or a shopping mall that rats you out to the cops. This time, it’s a James Bond movie come to life, with the tables turned on society. Usually, you’re the one who has no idea that a website is watching and tracing you. Now, it seems you could be the one watching and tracing top-secret things, again without the slightest idea.
A recent investigation led jointly by Bellingcat and De Correspondent exposed that Polar, a global fitness-focused company best known for rolling out the world’s first wireless heart rate monitor, had revealed top-secret locations, such as military and nuclear sites, as well as the homes of the people who work there. It did so unintentionally, by tracking the GPS location of its users’ activities and displaying them on its website, Polar Flow.
Involuntary Declassification of Secret Information
Polar Flow was originally created as a social platform for people to share their exercises and track their results. One of its features is an “Explore” map, where users could see the activity of basically everyone in the world, regardless of profile settings. A person’s most-used jogging routes, the duration of each exercise session, heart rate data, and much more were available to anybody who spent a couple of minutes setting up a Polar user profile. Unfortunately, when the subject of that data works for the military or a secret service, such seemingly innocent sharing may reveal sensitive information: their homes, their daily routines, and even the locations of secret facilities. Moreover, through some manipulation, Polar displayed all exercises since 2014.
Tracking military personnel through the “Explore” service was easier than it sounds:
- First, manually navigate to any location using Google Maps. For interesting results, pick a war zone, a military base or a secret service headquarters (such locations can easily be found on Wikipedia).
- Then click on the activities performed in that area to see the attached profiles.
- Choose one of them and see where that person has also been exercising. All over the world. On the same map.
Hence, any user could check where a military officer was deployed anywhere in the world, how long they were there, and even track them back to their homes and families. Savvy, right?
Polar’s map based on individualized data, showing exercises done by a person in the Middle East and the United States. Source: Bellingcat
The joint investigation of Bellingcat and De Correspondent led to the following conclusion:
“In [website’s] current form, it is not difficult to find the time of deployment, home, photograph, and the function of a soldier in a conflict zone. It does not take much imagination to see how this information could be used in dangerous ways by extremists or state intelligence services.”
By doing “a little clever searching through the online map”, the investigators were able to identify people working at the National Surveillance Agency (NSA) and the U.S. Secret Service, British MI6 agents, Russian soldiers in Crimea, and many others whose service requires a degree of secrecy. Just by being smart enough, they found information about 6,460 users who exercised near restricted locations, and successfully retrieved their real-life identities.
Here is how they searched for specific locations. Source: De Correspondent
After the issue was exposed to the public, Polar took immediate action by disabling the Explore API until it figured out how to deal with the situation. In an open statement the company also stressed that there had been neither a leak nor a breach of data; that is, it denied responsibility for sharing such sensitive information. The company emphasized that the default privacy settings did not allow other users to access this information.
“Google Maps blurs out all detail at Kamp Holterhoek in the Netherlands. But Polar’s map gives us a way to find out more.” Source: De Correspondent
Polar’s case may be very disturbing, especially for intelligence agencies. However, it is not the first time fitness tracking has gone far beyond the limits of what it should track.
Strava: Another Case of Sensitive Data Exposed
Back in January, Strava, a GPS tracking service with a suite of client apps, hit the headlines with its heatmap, which contained 13 billion GPS data entries pointing out, among other things, the locations of secret military bases and other facilities that had been classified for a reason. The problem was not identified until a couple of months later, when Nathan Ruser, an Australian international security student, spotted that Strava’s global heatmap made it possible to detect the locations of classified sites.
Strava released their global heatmap. 13 trillion GPS points from their users (turning off data sharing is an option). https://t.co/hA6jcxfBQI … It looks very pretty, but not amazing for Op-Sec. US Bases are clearly identifiable and mappable pic.twitter.com/rBgGnOzasq
— Nathan Ruser (@Nrg8000) January 27, 2018
Unlike Polar’s, Strava’s data was not that easily identifiable. Yet the map made it possible to see “heat tracks” in low-density areas. Using this knowledge, anyone could identify the routes and locations of military personnel in places like war zones, where such knowledge might be decisive.
Here are some FOBs in Afghanistan. pic.twitter.com/JoB7hKHwyh
— Nathan Ruser (@Nrg8000) January 27, 2018
Also, the information was supposed to be anonymized. However, details like first and last names turned out to be fairly easy to access. To illustrate, Steve Loughran, a computer scientist and developer, posted detailed instructions on how to deanonymize the data with a bit of code through Strava’s official website.
To address the concerns raised, James Quarles, Strava’s CEO, published an open letter in which he admitted the company’s responsibility for poor data protection, but not for the intentional misuse of the data. He also noted:
“We are reviewing features that were originally designed for athlete motivation and inspiration to ensure they cannot be compromised by people with bad intent.”
The situation prompted other stakeholders to react. Since such tracking apps are usually connected to physical devices, such as fitness trackers, phones or smart watches, their manufacturers could also be harmed. As reported by the Washington Post, Fitbit, a company specializing in the production of fitness trackers, issued a statement on Strava’s case noting that only users who had signed up for Strava and synchronized it with their Fitbit accounts could have been affected, and only if they took no steps to restrict their privacy settings. The statement stressed that “Fitbit devices do not automatically connect to the map. The vast majority of Fitbit users are not Strava users and would not be included in Strava’s data set.”
The cases of both Polar and Strava obviously raised multiple concerns about data protection.
Everything That You Put Online Can and Will Be Used Against You in Real Life
In most cases, the fact that users make some of their personal data public does not pose a threat to their privacy. The problem is that this information can later be combined with other data, eventually allowing someone to analyze it and get rather unexpected results. For example, knowing a user’s frequent start and end points of a run, one can deduce the user’s home address. Or, knowing the times of the runs, it is also easy to tell when a user is not at home. Therefore, if one has many data points referring to a specific person, it is easy to build a model of their behaviour with stunning and frightening precision.
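As an added example (not code from the article, from Polar or from Strava), here is the kind of privacy-zone masking these services offer for exactly the start-and-end-point problem described above, together with an audit check that counts how many published endpoints would still sit near the protected location. HOME, the 500 m radius and the three synthetic runs are all constructed for this example.

```python
import math

# Everything below is constructed sample data for this example, not data
# from the article. HOME is a hypothetical protected location (lat, lon).
HOME = (52.3702, 4.8952)
PRIVACY_RADIUS_M = 500  # hide every published point within 500 m of HOME

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000 * math.asin(math.sqrt(h))

def out_and_back(start, step, n=20):
    """Synthetic GPS track: n steps away from start, then the same way back.
    A step of 0.001 deg latitude is about 111 m."""
    out = [(start[0] + i * step[0], start[1] + i * step[1]) for i in range(n + 1)]
    return out + out[-2::-1]

# Two runs from the front door in different directions, one from a hotel 5 km away.
RUNS = [
    out_and_back(HOME, (0.001, 0.0)),     # north, 111 m per point
    out_and_back(HOME, (0.0, 0.0016)),    # east, about 109 m per point here
    out_and_back((52.4152, 4.8952), (0.001, 0.0)),
]

def apply_privacy_zone(track, center=HOME, radius_m=PRIVACY_RADIUS_M):
    """Drop every point inside the zone before the activity is published, so
    the route no longer starts or ends at the front door."""
    return [p for p in track if haversine_m(p, center) >= radius_m]

def endpoints_near(tracks, center, radius_m):
    """Audit: how many published start/finish points lie within radius_m of
    center. This is the 'frequent start and end point' that gives a home
    address away; after masking it must be zero."""
    ends = [p for t in tracks if t for p in (t[0], t[-1])]
    return sum(1 for p in ends if haversine_m(p, center) < radius_m)

if __name__ == "__main__":
    masked = [apply_privacy_zone(t) for t in RUNS]
    print("endpoints near home, raw:   ", endpoints_near(RUNS, HOME, 500))    # 4
    print("endpoints near home, masked:", endpoints_near(masked, HOME, 500))  # 0
    # Caveat: every masked track now starts on the circle's edge; with enough
    # runs in different directions the centre can be reconstructed, so do not
    # centre the zone on the protected point itself (offset it or vary the radius).
```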
In her commentary to Wired, Beyza Unal, a research fellow at Chatham House’s International Security Department, said that “if you can have access to the personnel training and exercises then you also have information about where this person is and when does he or she do certain activities. That could lead to getting patterns about the personnel training, that pattern is important for operational military sake. If you are an enemy or adversary you may want to use certain information that you did not have beforehand.”
Unfortunately, reality is not far from the proposed scenario. As reported by the Washington Post, the news about the exposure of US military personnel caught the attention of the online Islamist militant community. Telegram, a messenger popular in that community, was used to share the relevant information in at least one pro-Islamic State channel. Steven Stalinsky, executive director of the Middle East Media Research Institute, also told the Washington Post that it “should be expected” that such groups will attempt to take advantage of any vulnerabilities.
Jeffrey Lewis of the Middlebury Institute of International Studies at Monterey, California, US, also commented on Twitter:
This is where I politely remind @Strava that it is sitting on a ton of data that most intelligence entities would literally kill to acquire. https://t.co/tKcf1nnov1
— Jeffrey Lewis (@ArmsControlWonk) January 28, 2018
Tobias Schneider, a Berlin-based security analyst, conducted a little experiment. Using the accessible information, he was able to find the names of nearly 600 people jogging around the British intelligence service HQ and, subsequently, associate them with the agency. In a commentary to the Washington Post he said that “once you can identify individuals, the data becomes a lot more valuable. You could for example identify somebody who works at a known secret facility and then track his movements to other facilities through which he may rotate.”
Users suggested that Strava, for example, occasionally fails to maintain privacy settings and switches profiles out of “enhanced security mode”. They also pointed out that it is hard to opt out of making some information public when using many in-app offers.
At the same time, companies creating wearables have been keeping up with the necessary regulation. Fitbit, for example, started with minor changes, such as making users opt in to sharing their data rather than having sharing turned on by default. Additionally, in 2015 it adopted a compliance regime under the Health Insurance Portability and Accountability Act (HIPAA), the US federal law that sets out privacy and security rules for medical information. Even though the law itself does not apply to wearables, Fitbit had to do so in order to partner with corporate wellness programmes.
Truth be told, there are also internal military codes of conduct that should be taken into account. When a serviceman uses a device or software that may share some of their information online, they must follow specific rules. For example, in the UK there are guidelines in place to prevent unintentional location sharing in the first place. Similar regulation exists for the US Marine Corps.
Since the issue is pressing, the relevant bodies seem to be taking a proactive stance in updating their policies. For example, Army Col. Robert Manning III, the Pentagon spokesman, told the Washington Post:
“Recent data releases emphasize the need for situational awareness when members of the military share personal information. We take these matters seriously, and we are reviewing the situation to determine if any additional training or guidance is required, and if any additional policy must be developed to ensure the continued safety of DOD personnel at home and abroad.”
Tim Mathews, who has served in the US military, also said on Twitter:
All this discussion of Strava data is mind-blowing to me. On my deployments, if you used any non-military issue device with GPS tracking, or a non-secure communication device, it was an Article 15. And we weren’t covert CIA spooks. We were just infantrymen using common sense.
— Tim Mathews ⚖️ (@timmathews) January 29, 2018
As part of their investigation, De Correspondent gave their readers advice on how to make sure their privacy settings don’t actually compromise anything important.
After the Facebook incident, it seemed that no data leak could top it. However, it looks like even the simpler technologies we usually feel confident about still manage to take us by surprise. So that little fitness tracker or smart watch on your wrist may actually reveal much more than your really-not-that-public social network profile.
“The underlying problem is that the devices we wear, carry and drive are now continually reporting information about where and how they are used ‘somewhere’,” said Loughran, the developer who showed how Strava’s data could be deanonymized. Thus, bit by bit, a moderately smart person who can handle a regular computer can track not only how long or where we run, but also compile a complete report on the way we behave.
Probably the worst thing is that it is not entirely the companies’ fault. Obviously, if they fail to bring some non-obvious features of their software to the user’s attention, that is not right, but at the end of the day it is up to us to be smart enough to press the right button when asked “Would you like to share your location?”