Last week I visited the Spy Museum Berlin. I ran through a laser maze, searched for bugs and decoded messages – it was a lot of fun. Besides that, I learned about the history of espionage, from spies in ancient Egypt, to pigeon photography (yes, this is a thing!) during World War One and Two, to double agents during the Cold War. At the very end of the exhibition I stumbled across an interesting piece of modern spy history: Fit Leaking.
In 2018, the athletes' social network Strava published a global heat map built from data on the exercise behavior of its users. Strava is a social network that enables users to meet like-minded athletes. Through the community feeling of the application, it motivates users to reach their goals. The social network can be fed with data from fitness trackers based on movement sensors and sometimes GPS chips. That way, information about the traveled distance and the activity performed during the exercise can be tracked (and shared).
In general, a heat map is a graphical representation of data where the values are represented by colors to make it easier to understand the information. We are all familiar with basic forms of heat maps e.g. from reports about election outcomes or the weather forecast.
Strava’s heat map gives an overview of the sport routes of the app’s users. The background color is black, and routes are represented bright. The more activity has taken place in a region, the brighter the area gets. This information might be helpful for city planners, local politicians or sport enthusiasts looking for popular areas to exercise.
Unfortunately, the heat map has major security downsides, which were first discovered by student Nathan Ruser. In January 2018, Ruser posted a snippet of the heat map in which a US base can be clearly identified through Strava's data.
Strava released their global heatmap. 13 trillion GPS points from their users (turning off data sharing is an option). https://t.co/hA6jcxfBQI … It looks very pretty, but not amazing for Op-Sec. US Bases are clearly identifiable and mappable pic.twitter.com/rBgGnOzasq
— Nathan Ruser (@Nrg8000) January 27, 2018
In conflict regions internet availability is generally low, and it's very likely that users of fitness trackers are not part of the local population. Military and intelligence personnel need to exercise even though there is little space, let alone public sports areas. A typical pattern for military sites is therefore an area with generally low activity (dark) and a high amount of concentrated activity in a confined space.
Ruser’s finding was only the beginning and many more started to identify military bases, diplomatic outposts and intelligence facilities. John Scott-Railton, an online-security researcher, coined the term Fit Leaking.
“When fitness activities, recorded for personal benefit emit into signals that reveal sensitive and confidential information.”– Definition of Fit Leaking by John Scott-Railton, retrieved from his personal blog
As mentioned above, bright activity in dark areas of conflict regions is a strong indicator of a military base. This type of information, exposed in such an accessible way, is a serious operational security risk. The activity map gives valuable insights into the patterns of life of people in conflict zones and even information about patrols. In areas with a low density of fitness trackers, it is even possible to identify individual routes, e.g. between embassies and residential areas or between different bases.
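To make the mechanism concrete from the user's side, here is an added example (not code from the original post, Strava or Polar): it bins constructed GPS fixes into grid cells, which is all a heat map is at its core, shows how a confined cluster of laps dominates an otherwise sparse region, and then applies a privacy zone of the kind fitness apps offer, dropping fixes within a radius of a sensitive location before anything is shared. The coordinates, the site location, the cell size and the radius are all constructed assumptions.

```python
import math
from collections import Counter

# Constructed sample data: NOT real Strava/Polar fixes. The "sensitive site"
# is a hypothetical location chosen so that the laps fall into one grid cell.
SENSITIVE_SITE = (34.505, 44.505)
M_PER_DEG_LAT = 111_320.0


def lap_points(center, n=200):
    """Constructed laps of 100-200 m radius around a center (lat, lon)."""
    lat0, lon0 = center
    m_per_deg_lon = M_PER_DEG_LAT * math.cos(math.radians(lat0))
    pts = []
    for i in range(n):
        r = 100 + 25 * (i % 5)               # lap radius in metres
        theta = 2 * math.pi * i / 40          # position along the lap
        pts.append((lat0 + r * math.sin(theta) / M_PER_DEG_LAT,
                    lon0 + r * math.cos(theta) / m_per_deg_lon))
    return pts


def scattered_points(n=20):
    """Constructed background activity: one fix here and there, far apart."""
    return [(34.0 + i * 0.05, 44.0 + ((i * 7 + 3) % 20) * 0.05) for i in range(n)]


def bin_points(points, cell_deg=0.01):
    """Minimal heat map: count fixes per grid cell of cell_deg degrees."""
    counts = Counter()
    for lat, lon in points:
        counts[(math.floor(lat / cell_deg), math.floor(lon / cell_deg))] += 1
    return counts


def brightest_cell(counts):
    """The cell that would render brightest, with its fix count."""
    return max(counts.items(), key=lambda kv: kv[1])


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6_371_000 * math.asin(math.sqrt(h))


def apply_privacy_zone(points, center, radius_m):
    """Drop every fix within radius_m of center before the track is shared."""
    return [p for p in points if haversine_m(p, center) > radius_m]


def exposure(points):
    """(brightest cell count, number of lit cells) for a set of fixes."""
    counts = bin_points(points)
    return brightest_cell(counts)[1], len(counts)


if __name__ == "__main__":
    raw = scattered_points() + lap_points(SENSITIVE_SITE)
    print("raw track:      brightest cell / lit cells =", exposure(raw))
    safe = apply_privacy_zone(raw, SENSITIVE_SITE, radius_m=1000)
    print("privacy zone:   brightest cell / lit cells =", exposure(safe))
```

Run as-is, the raw track lights one cell with 200 fixes against a background of single-fix cells, which is exactly the "bright spot in a dark region" pattern described above; after the privacy zone is applied, the cluster is gone and every remaining cell holds a single fix. The point for a user is that the filter has to run before upload: once the fixes are on the platform, they feed the aggregate map regardless of later profile settings.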
“In an hour, I was able to use fit leaking to identify several covert and non-declared operating bases, diplomatic outposts, and possible intelligence facilities in several ongoing conflict zones in Africa and the Middle East.”– John Scott-Railton, retrieved from his personal blog
For obvious reasons, the media reported extensively on the incident, and several countries may have rethought their policies on wearable devices. But it can always get worse…
Not even six months later, in summer 2018, a joint investigation by Bellingcat and De Correspondent revealed that the Finnish company Polar was revealing even more. The social platform Polar Flow belongs to Polar, which distributes the first wireless heart-rate monitor. Comparable to Strava, users can feed the data from their wearable devices into the app to share their runs with fellow sports enthusiasts and follow up on their training.
The data include not only heart rates and pace but also dates, times and durations. Unlike Strava, Polar's data visualization combines all sessions of an individual (since 2014) in a single map. Military personnel in particular can be identified easily by searching for a military base and selecting an exercise session. One then not only has access to the data of that specific session but can identify the profile attached to it and learn where else this individual has exercised. Considering regular rotations, it is not unlikely that this procedure also turns up secret bases.
According to the investigators, they found around 6,400 users who they believe work at sensitive locations, and stumbled across employees of the United States' NSA, British MI6 and Russian GRU, among others.
So even if you are not a spy, you should double-check your fitness tracker's privacy settings! 😉