Unidentified operatives have used the fitness-tracking app Strava to spy on members of the Israeli military, track their movements at secret bases across the country, and potentially observe them as they travel the world for medical reasons.
By placing fake running ‘segments’ inside military bases, the operation – whose affiliation has not been discovered – was able to keep tabs on people training on the bases, even those who have enforced the strictest possible account privacy settings.
In one example seen by the Guardian, a user operating at a top-secret base believed to have ties to Israel’s nuclear program could be tracked through other military bases and to a foreign country.
The surveillance campaign was uncovered by the Israeli open-source intelligence service FakeReporter. The group’s executive director, Achiya Schatz, said: “We contacted the Israeli security forces as soon as we became aware of this security breach. After receiving approval from security forces to continue, FakeReporter contacted Strava and they formed a leadership team to resolve the issue.”
Strava’s tracking tools are designed to allow anyone to define and compete on “segments”, short sections of a run or bike race that can be regularly covered, such as a long climb on a popular bike path or a single circuit of a park. Users can define a segment after uploading it from the Strava app, but can also upload GPS records from other products or services.
But Strava has no way of knowing whether these GPS uploads are legitimate, and it allows anyone to set a segment by uploading one, even if they have never been to the location they are tracking. In fact, some uploaded segments are clearly artificially generated: they record average paces of hundreds of miles per hour, unnaturally straight lines, and instantaneous vertical jumps to cliff tops.
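The signals described above (impossible pace, perfectly straight lines, instantaneous elevation jumps) can be checked server-side before an uploaded track is allowed to define a segment. The following Python check is an added example, not code from Strava or the original article; the thresholds, function names and sample tracks are assumptions constructed for illustration.

```python
import math

# Thresholds are illustrative assumptions, not Strava's actual rules.
MAX_SPEED_MPS = 35.0         # ~78 mph, beyond any runner or cyclist
MAX_CLIMB_MPS = 5.0          # vertical metres per second
STRAIGHTNESS_LIMIT = 0.9999  # end-to-end distance / path length

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon, ...) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(h))

def implausibility_flags(track):
    """track: list of (lat, lon, elevation_m, unix_time). Returns a set of flags."""
    flags, path = set(), 0.0
    for prev, cur in zip(track, track[1:]):
        dt = cur[3] - prev[3]
        dist = haversine_m(prev, cur)
        path += dist
        if dt <= 0:
            flags.add("non_increasing_time")
            continue
        if dist / dt > MAX_SPEED_MPS:
            flags.add("impossible_speed")
        if abs(cur[2] - prev[2]) / dt > MAX_CLIMB_MPS:
            flags.add("vertical_jump")
    # A real route bends; a synthetic one is often a perfect line.
    if len(track) >= 5 and path > 0:
        if haversine_m(track[0], track[-1]) / path > STRAIGHTNESS_LIMIT:
            flags.add("unnaturally_straight")
    return flags

# Constructed sample data (arbitrary coordinates, not taken from the article).
FAKE_TRACK = [(52.0 + 0.01 * i, 5.0, 300.0 if i in (2, 3) else 0.0, 2 * i)
              for i in range(6)]
JOG_TRACK = [
    (52.00000, 5.00000, 10.0, 0), (52.00025, 5.00010, 10.5, 10),
    (52.00050, 4.99995, 11.0, 20), (52.00070, 5.00030, 11.0, 30),
    (52.00060, 5.00070, 10.5, 40), (52.00035, 5.00085, 10.0, 50),
]

if __name__ == "__main__":
    print(sorted(implausibility_flags(FAKE_TRACK)))
    print(sorted(implausibility_flags(JOG_TRACK)))
```

A track that raises any flag can be held back from segment creation and queued for review rather than rejected outright, since consumer GPS glitches also produce occasional speed spikes.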
Some of these fake uploads may have been used to cheat in friendly competitions or to create a segment to guide others, but at least one set appears to have a more malicious purpose. An anonymous user, whose location is given as “Boston, Massachusetts”, had set up a series of fake segments at a number of military establishments in Israel, including outposts of the country’s intelligence agencies and highly secure bases believed to be associated with its nuclear program.
“By exploiting the ability to download engineering files, revealing details of users anywhere in the world, hostile elements have taken a step closer to exploiting a popular application to harm the safety of citizens and countries,” Schatz said.
The fake segment approach also bypasses some of Strava’s privacy settings. Users can set their profiles to be visible only to “followers”, preventing prying eyes from tracking their movements over time. But unless they also actively set each individual race as secure, their profile picture, first name, and initial will appear on the segments they have raced, in the spirit of friendly competition. With enough segments scattered across the map, individuals can still be identified: one user, for example, recorded his participation in a publicly advertised race, which he won, as well as his races inside secure military establishments.
In a statement, the fitness company said: “We take privacy issues very seriously and have been notified by an Israeli group, FakeReporter, of a segment issue regarding a specific user account and have taken action necessary to remedy this situation.
“We provide easily accessible information about how information is shared on Strava and give each athlete the opportunity to make their own privacy selections. For more information on all of our privacy controls, please visit our confidentiality center, as we recommend that all athletes take the time to ensure that their selections in Strava represent the experience they want.”
The discovery echoes a scandal from 2018, when a new Strava feature released a visualization of all activity on the fitness-tracking platform across the globe. The heatmap showed popular running, biking and swimming routes, and an announcement from Strava pointed out that it could be used to scout out places like the Ironman triathlon route in Hawaii. But it also mapped out less public routes: the location and layout of several military bases in Afghanistan’s Helmand province were clearly visible, as was a popular outdoor swimming spot next to RAF Mount Pleasant in the Falkland Islands. The map even recorded the route of a lone cyclist in Area 51, Nevada.
Strava’s response to the uproar was to advise military users to opt out of the visualization, arguing that the information was made public by the users who uploaded it. Echoing the latest privacy vulnerability, some users have been tracked in alarming detail: a US Air Force service member may have been tracked from a tour in Djibouti, where she walked the 7 km loop of the runway, to an air base in Germany where she was transferred in 2016.