Data on soldiers' running patterns, captured by fitness app Strava, details the whereabouts of secret military bases.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- Data from running app Strava can be used to pinpoint the location of secret overseas US military bases, even in conflict zones.
- Strava's running data can be used to determine which active military personnel are working at particular overseas bases.
The hidden location of secret US military bases, patrols, and forward operating bases (FOBs) could have accidentally been revealed by fitness app Strava.
Nathan Ruser, founding member of the Institute for United Conflict Analysts, initially revealed the information on Twitter, noting that data from Strava's heat map makes the US bases "clearly identifiable and mappable." In subsequent tweets, Ruser was able to identify a Russian operating area in Khmeimim and guard patrol, a Turkish patrol, Afghanistan FOBs, and soldier running routes.
The revelation shows some of the dangers inherent in the growth of the Internet of Things (IoT) and unrestrained shadow IT. As noted by Twitter user Jake Williams, Strava users are automatically opted in to sharing their data on the heat map, and must manually opt out if they do not wish to share that data.
Many times in the enterprise, lax privacy policies can lead to data leakage that puts IP at risk. In this case, as Williams wrote, the outcome could be much worse.
"App developers take note: the defaults you put in your app can quite literally get people killed (as they almost certainly will here)," Williams wrote on Twitter.
This information should serve as a wake-up call to security and IT professionals that even seemingly harmless apps—like a fitness tracker—can prove dangerous to your organization. Enterprises need an IoT policy, and it must account for all devices used in connection with the company, not just the ones handling "sensitive" data.
Even if the data doesn't turn out to be useful, the slip-up shows a massive oversight in military IT protocol, open-source imagery analyst Scott Lafoy told CNN. In that same report, Pentagon spokeswoman Maj. Audricia Harris said that the US DOD was "reviewing the situation."
Update: Strava CEO James Quarles released a statement that said the firm is working with military officials to address the issue of sensitive data.