
Israeli military personnel spied on via Strava fitness-tracking app

Graham CLULEY

June 22, 2022


The Strava fitness-tracking app is being used to spy upon members of the Israeli military, tracking their movements at secret bases across the country and potentially even helping to observe their activities when they travel overseas.

That's the finding of FakeReporter, an Israeli open-source intelligence operation, which says the surveillance campaign it identified was used to gather data on at least 100 individuals who exercised at six secret military bases.

The popular Strava app allows fitness fanatics to define "segments" - portions of road or trail where athletes can compare times. Segments can be created either directly through the Strava app or by uploading GPS data from other services.

However, Strava has no way of knowing whether GPS data uploaded to its service to create a segment is legitimate or not.

And it's one set of such seemingly faked segments - made by a user who gave their location as Boston, MA, but uploaded fake segments at Israeli military establishments, intelligence agency outposts, and supposedly secure bases associated with Israel's nuclear programme - which has rung alarm bells.

In a series of tweets, FakeReporter claims that the personal information of users serving in the classified facilities was exposed, including details of their family members, colleagues, home addresses, and overseas travel history.

As a consequence, individuals working undercover could be identified, and national security could be jeopardised, argues FakeReporter.

"By exploiting the capability to upload engineered files, revealing the details of users anywhere in the world, hostile elements have taken one alarming step closer to exploiting a popular app in order to harm the security of citizens and countries alike," FakeReporter's executive director Achiya Schatz told The Guardian.

Worryingly, the surveillance technique manages to bypass some of the privacy features built into Strava.  For instance, although Strava users can set their profiles to be visible to “approved followers only”, individual runs must be individually secured or else a user's profile picture, first name and initial are shown on segments to encourage others to compete.

With enough segments scattered across the map, individuals can still be identified: one user, for instance, tracked their participation in a publicly reported race, which they won, as well as running in secure military establishments.

For its part, Strava says that it takes user privacy "very seriously", and allows users to make individual choices about what they decide to share.

"We recommend that all athletes take the time to ensure their selections in Strava represent their intended experience," says the company.

Back in early 2018, Australian researcher Nathan Ruser revealed that a new Strava heatmap feature was unwittingly revealing the movement patterns of security forces at military bases around the world, as soldiers jogged and patrolled.
