Several years ago, Strava, a data-hungry, fitness-cum-social network app, published a heatmap showing every activity ever logged, over 3 trillion data points. Neat, right? It was. Problematic, too. The visualization appeared to give away the location of secret U.S. Army bases and spy outposts in locations like Afghanistan and Syria.
The company caught a lot of flak for the heatmap, and in response, San Francisco-headquartered Strava published a blog post urging users to review their privacy settings and said it would review “features that were originally designed for athlete motivation and inspiration to ensure they cannot be compromised by people with bad intent.” It didn’t elaborate further on what features it reviewed, nor did it say whether the review prompted any specific changes. In other words: Everything is fine, Strava seemed to promise.
Ah, well. A new report from FakeReporter, a group of Israeli cybersecurity researchers, shows how another group-challenge feature within Strava was likely exploited by a malicious party—the researchers aren’t sure who—to glean information about Israeli soldiers at six bases throughout the country. Even users who had limited who could see their Strava profiles had their names exposed.
“The fake user was able to use this breach to learn more about the bases and about the personnel and agents there, many from Israel’s top security forces,” says Achiya Schatz, FakeReporter’s executive director.
It’s the only such incident FakeReporter found, but the researchers believe it’s plausible—even likely—that someone has used the same ploy to rake up user information beyond the 2018 incident in Israel. FakeReporter’s conclusions demonstrate how difficult it can be for even well-intentioned users to protect their identities, a problem that extends well beyond Strava now that location tracking is almost a default among mobile apps. Like many other companies, Strava has seemed to prefer to leave the responsibility for safeguarding personal information to the users: presenting the options for securing an account but making the process uninviting. Strava is likely reluctant to establish stricter default privacy settings since those settings might make its technology less enjoyable and less shareable. Which would mean, in the end, fewer users.
Here’s what the FakeReporter crew found. An out-of-the-blue tip sent through the researchers’ website urged them to examine several uses of Strava’s Segment feature in Israel. The Segment tool allows any user to set up a map-based physical challenge—like, say, a five-mile run around a lake—and establish a publicly viewable leaderboard, available to all Strava users. (The app’s basic version is free. A $59.99 annual subscription gets you access to additional, premium features.) The tip suggested FakeReporter examine a half-dozen Segments connected to Israeli military installations, challenges first uploaded to Strava in 2018. When the FakeReporter staff looked at the Segments, it was immediately obvious to the researchers that the anonymous user who created them had never been in Israel or completed any of those activities.
Obvious how? For starters, the user logged runs in straight, geometrically perfect lines. No one really runs like that. Moreover, the user did things like complete a roughly three-quarter-mile run in zero seconds. At an Israeli Air Force base, the user ran 2.5 miles in 4 minutes. The world record for a mile run is 3 minutes and 43 seconds. So either the anonymous Strava user had absolutely shattered the mark established by Moroccan runner Hicham El Guerrouj in 1999 or none of it was real at all.
Rather, the Segments seemed like an attempt by the anonymous user to obtain an ever-updating list of Israeli soldiers and military personnel who might log into Strava and use the Segments for their workouts. That’s exactly what happened, FakeReporter found. Those Segments eventually amassed dozens of users. Even Strava users who had limited who could see their public profiles had their names listed in the Segments’ leaderboards. To prevent that, they would have also needed to change their accounts’ settings, adjusting the “Activities” option so personal information is not shared in Segments. (Strava’s default option, naturally, is a completely public account. The more you broadcast about yourself, the more you interact, the more you use Strava—presumably, the more likely you are to pay for Strava’s annual subscription.)
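The tells the researchers relied on (perfectly straight tracks, zero elapsed time, paces faster than the world-record mile) can be turned into a screening rule a platform could run over Segment activities before they reach a leaderboard. The following is an added example, not Strava’s or FakeReporter’s code; it assumes each activity is given as elapsed seconds plus a GPS track already projected to flat (x, y) coordinates in miles, and every record below is constructed sample data.

```python
# Added example: plausibility checks for uploaded run activities, using the
# tells described in the article. Tracks are assumed to be (x, y) points in
# miles on a flat projection; all records here are constructed, not real data.
import math

WORLD_RECORD_MILE_SEC = 3 * 60 + 43   # Hicham El Guerrouj, 1999: 3:43 per mile


def path_length(points):
    """Total length of the track: sum of straight hops between consecutive points."""
    return sum(math.dist(a, b) for a, b in zip(points, points[1:]))


def collinear(points, tol=1e-3):
    """True if every point lies on one straight line (real runs curve and wobble)."""
    p0 = points[0]
    far = max(points, key=lambda p: math.dist(p0, p))   # line from start to farthest point
    base = math.dist(p0, far)
    if base == 0:
        return True                                      # no movement at all
    (x0, y0), (x1, y1) = p0, far
    # perpendicular distance of each point from the line, via the 2-D cross product
    dev = max(abs((x1 - x0) * (y0 - y) - (x0 - x) * (y1 - y0)) / base for x, y in points)
    return dev / base < tol


def flags(activity):
    """Reasons an activity is physically implausible; an empty list means it passes."""
    reasons = []
    miles, secs = path_length(activity["points"]), activity["seconds"]
    if secs <= 0:
        reasons.append("zero elapsed time")
    elif miles > 0 and secs / miles < WORLD_RECORD_MILE_SEC:
        reasons.append(f"pace {secs / miles:.0f} s/mile beats the world-record mile")
    if collinear(activity["points"]):
        reasons.append("track is a geometrically perfect straight line")
    return reasons


def review(activities):
    """Screen a batch of activities; returns {name: [reasons]} for each record."""
    return {name: flags(a) for name, a in activities.items()}


# Constructed sample: one realistic loop around a lake, two impossible uploads.
LAKE_LOOP = [(0.8 * math.cos(2 * math.pi * k / 16), 0.8 * math.sin(2 * math.pi * k / 16))
             for k in range(17)]                         # ~5-mile closed loop
SAMPLE = {
    "lake loop, 45 min": {"seconds": 45 * 60, "points": LAKE_LOOP},
    "2.5 miles in 4 minutes": {"seconds": 240, "points": [(0, 0), (1.25, 0), (2.5, 0)]},
    "0.75 miles in 0 seconds": {"seconds": 0, "points": [(0, 0), (0.75, 0)]},
}

if __name__ == "__main__":
    for name, reasons in review(SAMPLE).items():
        print(name, "->", reasons or "plausible")
```

A platform would run this before publishing a leaderboard entry or accepting a new Segment; the thresholds are deliberately loose so only physically impossible uploads are caught.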
So the heatmap? Yeah, that was bad. But Segments pose an even greater security risk. The map showed, generally, where the military might be. Segments produce a specific list of the people in the military.
Taking the names from the fake Segments, FakeReporter could quickly find more personal details about the Israeli soldiers, including family members, home addresses, colleagues and travel history. Altogether, FakeReporter identified at least 100 Israelis through the Segments.
It’d be unfair to place all the blame on Strava for the security lapse. Some of it inherently does rest with the people using the app, especially, say, highly trained and educated Mossad officers who should, theoretically, know better. “What we’re talking about is a combination of both stupid Israeli agents and not the most intuitive security practices and privacy settings,” Schatz says.
After FakeReporter notified Strava about the fake Segments in Israel two months ago, the company removed them. But it hasn’t changed the core mechanic that made the breach possible: the ability for anyone to upload a Segment anywhere, even if they aren’t physically there. “Any country in the world is vulnerable to this manipulation,” Schatz says.
Forbes – Social Media