Israeli military personnel spied on via Strava fitness-tracking app

Graham CLULEY

June 22, 2022


The Strava fitness-tracking app is being used to spy upon members of the Israeli military, tracking their movements at secret bases across the country and potentially even helping to observe their activities when they travel overseas.

That's the finding of FakeReporter, an Israeli open-source intelligence operation, which says it identified a surveillance campaign that was used to gather data on at least 100 individuals who exercised at six secret military bases.

The popular Strava app allows fitness fanatics to define "segments" - portions of road or trail where athletes can compare times. Segments can be created either directly through the Strava app or by uploading GPS data from other services.

However, Strava has no way of knowing whether GPS data uploaded to its service to create a segment is legitimate or not.

And it's one set of such seemingly faked segments - made by a user who gave their location as Boston, MA, but uploaded fake segments at Israeli military establishments, intelligence agency outposts, and supposedly secure bases associated with Israel's nuclear programme - which has rung alarm bells.

In a series of tweets, FakeReporter claims that the personal information of users serving in the classified facilities was exposed, including details of their family members, colleagues, home addresses, and overseas travel history.

As a consequence, individuals working undercover could be identified, and national security could be jeopardised, argues FakeReporter.

"By exploiting the capability to upload engineered files, revealing the details of users anywhere in the world, hostile elements have taken one alarming step closer to exploiting a popular app in order to harm the security of citizens and countries alike," FakeReporter's executive director Achiya Schatz told The Guardian.

Worryingly, the surveillance technique manages to bypass some of the privacy features built into Strava.  For instance, although Strava users can set their profiles to be visible to “approved followers only”, individual runs must be individually secured or else a user's profile picture, first name and initial are shown on segments to encourage others to compete.

With enough segments scattered across the map, individuals can still be identified: one user, for instance, tracked their participation in a publicly reported race, which they won, as well as running in secure military establishments.

For its part, Strava says that it takes user privacy "very seriously", and allows users to make individual choices about what they decide to share.

"We recommend that all athletes take the time to ensure their selections in Strava represent their intended experience," says the company.

Back in early 2018, Australian researcher Nathan Ruser revealed that a new Strava heatmap feature was unwittingly revealing the movement patterns of security forces at military bases around the world, as soldiers jogged and patrolled.
