GPS data of users’ activities stored by mobile fitness app Strava have been found to contain detailed locations of the UK’s most secretive military bases, including Sandhurst academy and GCHQ.
GPS locations and jogging routes of Strava app users, if not marked private, can be accessed by anyone, including enemy states and those intent on gathering information on military activities.
The fact that Strava app users can view jogging tracks and detailed GPS locations of other athletes and users isn’t unique to the app. As long as joggers and fitness enthusiasts mark their routes and exercise locations as public, their location data will be shared by the app with the rest of its users, thereby letting users share their experiences and discuss new routines.
However, according to security expert Jeffrey Lewis who wrote about the dangers of such location-sharing in The Daily Beast, the feature also allows people to view jogging routes and exercise locations of military personnel who also use the app to track and clock their activities.
‘Because as bad as the publicly available heat map is, the underlying data being freely uploaded to Strava is a security nightmare for governments around the world. Anyone with access to the data could make a pattern of life map for individual users, some of whom may be very interesting to foreign intelligence services,’ he noted.
According to BT, potentially sensitive locations in the UK which were exposed by the app’s heat map included ‘the Sandhurst military academy, GCHQ and HMNB Clyde, where the navy stores its nuclear weapons’.
By tracking locations of and routes taken by military personnel, cyber criminals and enemy states can easily find out where secret military bases are located. At the same time, by tracking GPS heat maps of personnel who serve in sensitive units like nuclear commands, missile bases or intelligence services, such individuals and entities will be able to obtain a list of their locations and will take them out first once war breaks out.
‘Soldiers, remember, rotate from one assignment to the next. Which means Strava can continue to track each user as he or she rotates to the next assignment, burning one secret missile base after another with all those calories. Yes, if our user casually jogging by Taiwanese missiles day-after-day suddenly appears deployed to a new location, well that’s very interesting if you are targeting missiles for China’s Rocket Force,’ Lewis added.
However, he also said that Strava isn’t necessarily at fault here, since the service it provides helps a lot of individuals find perfect jogging tracks and new routines. It is up to individual users to decide if their location data could be misused by malicious people and to mark such data private to ensure that nobody could access such data.
‘So think about it before you upload your run through a sensitive military site. You might well be providing an adversary with information that could be used to kill you. Or not. But either way, go ahead and take that run. You’ll want to leave a good lookin’ corpse if at all possible,’ he said.