Strava, a fitness tracking application that logs users' movements as they cycle, surf, or jog, has accidentally exposed or confirmed the location of various military bases and facilities all over the world.
The so-called leak is not an accident, but something intentional. Last November [1, 2], Strava published an interactive map with over 13 trillion GPS points from all its users. The map was meant to impress potential users regarding the large number of people around the globe that were already using the app to track their fitness sessions.
Instead, over the past weekend, this interactive map turned into an intelligence gathering ground after Nathan Ruser, an analyst with the Institute for United Conflict Analysts, noticed how the map also highlighted military bases, which sometimes stood out as hotspots of intense fitness activity in the middle of remote areas.
Strava released their global heatmap. 13 trillion GPS points from their users (turning off data sharing is an option). https://t.co/hA6jcxfBQI … It looks very pretty, but not amazing for Op-Sec. US Bases are clearly identifiable and mappable pic.twitter.com/rBgGnOzasq— Nathan Ruser (@Nrg8000) January 27, 2018
Not just US bases. Here is a Turkish patrol N of Manbij pic.twitter.com/1aiJVHSMZp— Nathan Ruser (@Nrg8000) January 27, 2018
You can see the Russian operating area in Khmeimim, but also the guard patrol to the NE. pic.twitter.com/iWiX5Kozc1— Nathan Ruser (@Nrg8000) January 27, 2018
Here are some FOBs in Afghanistan. pic.twitter.com/JoB7hKHwyh— Nathan Ruser (@Nrg8000) January 27, 2018
Since Ruser's first discovery, social media has been ablaze with this subject, with countless of military, political, and privacy experts combing the Strava map for new bases or to confirm rumors of older military facilities.
Everybody got the treatment, not just the US and Russia. New bases were discovered or confirmed for North Korea, China, Turkey, Iran, Australia, the UK, and others.
Worth browsing a bit. Three positions around the US outpost at Tanf: pic.twitter.com/jS7S4LR2QS— Tobias Schneider (@tobiaschneider) January 27, 2018
My focus is on Syria, but obviously works all over. French military base Madama in Niger: pic.twitter.com/1e9SRR73xS— Tobias Schneider (@tobiaschneider) January 27, 2018
So much cool stuff to be done. Outposts around Mosul (or locals who enjoy running in close circles around their houses): pic.twitter.com/wHItJwYUUI— Tobias Schneider (@tobiaschneider) January 27, 2018
Mount Yamantau, accusations by the United States that a secret extensive bunker complex of the Russian government or Russian Armed Forces is contained within the mountain, equivalent to the Cheyenne Mountain Complex. Make sure you turn of your FITBIT when entering please. pic.twitter.com/wGWnY6nZSs— four (@FourOctets) January 29, 2018
Cross-referencing @mjranum's recent post about using Google Maps to identify CIA "Black" sites in Djibouti, with the #Strava heat-map, appears to offer corroboration https://t.co/PfXDqRIvSS pic.twitter.com/GlxWOoKWcj— Alec Muffett (@AlecMuffett) January 28, 2018
Pretty faint but data from the Strava exercise app shows like China has deployed joggers to its disputed Woody Island in the South China Sea, in addition to fighter jets and HQ-9 SAMs pic.twitter.com/HG6zkb8tcw— Adam Rawnsley (@arawnsley) January 27, 2018
Looks like someone has been using Strava while sailing through the disputed Paracel Islands. Note to self: see if you can chart freedom of navigation apps by seeing if someone left their Fitbit on. pic.twitter.com/HHYQ15BsbF— Adam Rawnsley (@arawnsley) January 27, 2018
Pretty nice running route for someone at Iran's Chabahar Air Base. IIRC, Shahed-129, Iran's take on the Predator, has been spotted in the hangar next door. pic.twitter.com/p8BLvQbAZM— Adam Rawnsley (@arawnsley) January 27, 2018
Some heavy jogging activity on the beach around what looks like the reported CIA annex at Mogadishu airport pic.twitter.com/1OLP8zWKGl— Adam Rawnsley (@arawnsley) January 27, 2018
By far the strangest thing I've seen in the #strava heatmap in North Korea, this doesn't line up with any visible roads or paths, almost like it's underneath the ground... East of Pyongyang. pic.twitter.com/McJjFxZhvf— Entscheidungsschlacht (@austinnelsen) January 28, 2018
This is Strava fitness tracker data at HMNB Clyde, a military base where Britain's nuclear weapons are stored. How are the security checks so bad in these places, that employees are allowed to bring arbitrary electronic devices in close proximity to nukes? https://t.co/5BtgiZ4NNK pic.twitter.com/e9mQpPbGD4— Mustafa Al-Bassam (@musalbas) January 29, 2018
You can literally spend less than a minute on Stravas new data service and find sensitive sites. Nice patriot position you have there pic.twitter.com/eYS8TOuT0F— Lost Weapons (@LostWeapons) January 27, 2018
Some experts also argue that these routes may not include just exercise tracks and fields only, and may even show patrol routes for military users who forgot to turn off the app. If true, exposing patrol routes could have far more dangerous consequences for the safety of those individuals.
This massive leak of military intel happened because military personnel turned on their Strava app to work out while at bases.
The app allows users to set up so-called "privacy zones," rectangular areas where the app automatically turns off and doesn't collect GPS info. These zones can be placed over the user's home or work locations to safeguard personal data.
Because these zones are unique to each user, they need to be set up before using the app. The problem is that very few users know of them, as the app doesn't prompt users about it during the onboarding process.
"A lot of people are going to have to sit thru lectures come Monday morning," said Tobias Schneider, a Middle East political analyst.
But this intense prodding over the weekend has unearthed other problems as well. Privacy experts have also warned Strava that by listing top performers for popular tracks or segments, an attacker could infer a user's exercise routes based on known usernames.
The Strava app got the attention it was seeking last November, but just not the one it was expecting.