Fitness apps are proving to be a lot less beneficial to military security than they are for military fitness. That's after researchers in the Netherlands discovered that data from the Polar fitness app revealed the homes and habits of those exercising in clandestine locations around the world, including intelligence agencies, military bases, nuclear weapons storage sites and embassies.
The report is the second time researchers have been able to glean sensitive military information, including the locations of military personnel, from a fitness app. If you remember back in January, heatmaps from the Strava fitness app not only revealed the location of military bases, but researchers also were able to trick the app into revealing the names of soldiers and other personnel on those bases.
Now a collaboration between investigative website Bellingcat and Dutch news agency De Correspondent has discovered another fitness-app breach, which goes even further than the Strava debacle, researchers revealed.
De Correspondent journalists Maurits Martijn, Dimitri Tokmetzis, Riffy Bol and Bellingcat’s Foeke Postma outline the extent of the breach in several articles categorized as “Project Polar” on the De Correspondent website, detailing how researchers easily exploited the Polar app to uncover sensitive information. Postma also summarized the team’s methodology and findings in a blog post on Bellingcat.
“Our research exposes an existing and great risk, namely that Polar and other fitness apps can unintentionally reveal the names and addresses of people who absolutely must not be known,” journalists wrote in one of four articles. “This can endanger lives of soldiers or their families, compromise military missions or threaten national security. These people actually have something to hide.”
Specifically, researchers located 6,460 individuals with 69 different nationalities in more than 200 sensitive locations including Guantánamo Bay in Cuba, Erbil in Iraq, Gao in Mali and bases in Afghanistan, Saudi Arabia, Qatar, Chad and South Korea, they said.
Agencies with personnel and addresses identified using Polar include the National Security Agency and the Secret Service in the United States; the GCHQ and MI6 in the United Kingdom; the GRU and SVR RF in Russia; the DGSE in France; and Holland’s own Military Intelligence and Security Service, MIVD, researchers said.
Researchers also discovered names and addresses of employees of nuclear storage sites, high-security prisons, military airports where nuclear weapons are stored and drone bases, they said.
When contacted by Security Ledger, Martijn declined to comment specifically on the project, referring us to the articles published on De Correspondent.
Devil is in the (map) details
Similar to the Strava incident, the Dutch team dug up its treasure trove of sensitive data using a common feature of fitness apps–maps showing user activity. In this case it was Polar’s website Polar Flow, a social-media platform on which app users can share their runs, and a feature called Explore.
“Compared to the similar services of Garmin and Strava, Polar publicizes more data per user in a more accessible way, with potentially disastrous results,” Postma wrote.
The particular map used by researchers shows all of the sporting activities of Polar users since 2014, combining details such as heart rates, routes, dates, time, duration, and pace of exercises. Researchers found that the map shows not only this activity being broadcast from bases and other sensitive military locations, but also from their homes.
“Tracing all of this information is very simple through the site: find a military base, select an exercise published there to identify the attached profile, and see where else this person has exercised,” Postma wrote. “As people tend to turn their fitness trackers on/off when leaving or entering their homes, they unwittingly mark their houses on the map. Users often use their full names in their profiles, accompanied by a profile picture–even if they did not connect their Facebook profile to their Polar account.”
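The mechanism described above (a tracker switched on at the front door and off again on return marks the home on any public activity map) points at the mitigation: strip every GPS point inside a declared privacy zone before an activity is published, and audit existing tracks for endpoints that fall inside such a zone. The following is an added example and is not code from Polar, Bellingcat or De Correspondent; the coordinates, the 300 m zone radius and the out-and-back route are constructed sample values, and the distance check uses a plain haversine formula.

```python
"""Privacy-zone trimming and endpoint audit for shared GPS activity tracks.

Added example, not Polar's, Bellingcat's or De Correspondent's code.
All coordinates below are constructed sample values, not real addresses.
"""
import math

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius in metres


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS-84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def in_any_zone(lat, lon, zones):
    """True if the point lies within the radius of any privacy zone."""
    return any(haversine_m(lat, lon, z["lat"], z["lon"]) <= z["radius_m"] for z in zones)


def endpoint_exposure(track, zones):
    """Audit check: report whether the first or last point of a track sits
    inside a privacy zone. A track that starts or ends in a zone would reveal
    that zone's location (typically a home) if published unchanged."""
    if not track:
        return {"start": False, "end": False}
    return {
        "start": in_any_zone(track[0][0], track[0][1], zones),
        "end": in_any_zone(track[-1][0], track[-1][1], zones),
    }


def trim_privacy_zones(track, zones):
    """Drop every point inside any zone, not only the endpoints, because a
    route may also pass the home mid-run. Order of the remaining points is kept."""
    return [(lat, lon, t) for (lat, lon, t) in track if not in_any_zone(lat, lon, zones)]


# Constructed privacy zone: a hypothetical home with a 300 m radius.
HOME = {"name": "home (constructed)", "lat": 52.0900, "lon": 5.1200, "radius_m": 300}
ZONES = [HOME]


def _out_and_back():
    """Constructed run: start at the front door, head east along the same
    latitude in 0.002-degree steps (about 137 m each at this latitude), then
    return to the door. Each point is (lat, lon, time_index)."""
    outbound = [(52.0900, round(5.1200 + k * 0.002, 4), k) for k in range(6)]
    inbound = [(52.0900, round(5.1200 + k * 0.002, 4), 6 + (5 - k)) for k in range(4, -1, -1)]
    return outbound + inbound


SAMPLE_TRACK = _out_and_back()

if __name__ == "__main__":
    print("before trimming:", endpoint_exposure(SAMPLE_TRACK, ZONES))
    trimmed = trim_privacy_zones(SAMPLE_TRACK, ZONES)
    print("points kept:", len(trimmed), "of", len(SAMPLE_TRACK))
    print("after trimming:", endpoint_exposure(trimmed, ZONES))
```

Running the script shows the raw track exposed at both ends, and the trimmed track starting roughly 410 m from the door with no point inside the zone. The audit function is the check an organisation can run over already-published activity exports to find members whose tracks start or end at a declared sensitive address; the trim function is what the publishing side should apply before anything reaches a public map.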
In a statement published online, Polar expressed concern about the security breaches while stressing that they aren’t the company’s fault, nor has there actually been any data leak. Indeed, even the researchers acknowledged that they kept the number of people who have access to the information small and have yet to provide any data to the Dutch Ministry of Defense or other security experts or media.
Polar defended itself by noting that the vast majority of Polar customers maintain the default private profiles and private sessions data settings of the app and its related services, and therefore “are not affected in any way by this case.”
“While the decision to opt-in and share training sessions and GPS location data is the choice and responsibility of the customer, we are aware that potentially sensitive locations are appearing in public data, and have made the decision to temporarily suspend the Explore API,” the company said in its statement.
Polar said it’s evaluating its options to allow customers to continue to use the Explore feature of Polar Flow while perhaps “taking additional measures” to remind customers it may not be the best idea to share GPS files of sensitive locations.
Potential for serious leaks demands serious attention
To some, the data uncovered by the Dutchies may not seem like a huge deal, given that most people won’t be sniffing around a fitness app for secret military locations, but the researchers maintain that it’s nothing to be sneezed at.
Researchers were, for example, able to use a few clicks to track down the name of a “high-ranking officer” at a base known to host nuclear weapons, they said.
The app also revealed a rather alarming amount of information about a Dutch soldier stationed in Erbil, a city in northern Iraq that is a known stronghold for the fight against the Islamic State terrorist group. Researchers learned not only his location, but that he wears a Polar V800 digital watch, is a part of the Capacity Building Mission in Iraq, and likes to run along a runway of the Erbil airport.
The researchers hope that by demonstrating how easy it is to obtain private information like this through Polar and other fitness apps, it will “shake up governments and employers” and spur them to think hard about the use of these apps among their personnel given the security holes they open in an otherwise heavily secured environment.
“Do they have any idea what security measures are being undone by sloppy app use?” researchers wrote in one of the De Correspondent articles. “Are the existing measures well controlled and maintained?”
They also hope to “wake” technology companies creating “beautiful apps” without thinking about the sensitivity of the data they collect, especially with the advent of the Internet of things and connected devices.
“They overestimate the knowledge about this among their users and are difficult to incite to take serious protective measures,” researchers wrote.