Building a slide deck, pitch, or presentation? Here are the big takeaways:

  • Data from running app Strava can be used to pinpoint the location of secret overseas US military bases, even in conflict zones.
  • Strava’s running data can be used to determine which active military personnel are working at particular overseas bases.

The hidden location of secret US military bases, patrols, and forward operating bases (FOBs) could have accidentally been revealed by fitness app Strava.

Nathan Ruser, founding member of the Institute for United Conflict Analysts, initially revealed the information on Twitter, noting that data from Strava’s heat map makes the US bases “clearly identifiable and mappable.” In subsequent tweets, Ruser was able to identify a Russian operating area in Khmeimim and guard patrol, a Turkish patrol, Afghanistan FOBs, and soldier running routes.

The revelation shows some of the dangers inherent with the growth of the Internet of Things (IoT) and unrestrained shadow IT. As noted by Twitter user Jake Williams, Strava users are automatically opted in to sharing their data on the heatmap, and must manually opt-out if they wish to not share that data.

SEE: Information security incident reporting policy (Tech Pro Research)

Many times in the enterprise, lax privacy policies can lead to data leakage that puts IP at risk. In this case, as Williams wrote, the outcome could be much worse.

“App developers take note: the defaults you put in your app can quite literally get people killed (as they almost certainly will here),” Williams wrote on Twitter.

The version of Strava’s heat map that was used in Ruster’s analysis was released in November 2017. According to a Strava blog post, it takes into account data from 1 billion activities and 3 trillion latitude/longitude points (10 TB of data in total). Strava’s privacy policy notes that the data is anonymized, but that doesn’t necessarily mean it is unusable to hackers and cyberattackers.

This information should serve as a wake-up call to security and IT professionals that even seemingly harmless apps–like a fitness tracker–can prove dangerous to your organization. Enterprises need an IoT policy, and it must account for all devices used in connection with the company, not just the ones handling “sensitive” data.

To get a head start on building an IoT policy, check out this template on Tech Pro Research.

Even if the data doesn’t turn out to be useful, the slip up shows a massive oversight in military IT protocol, open-source imagery analyst Scott Lafoy told CNN. In that same report, Pentagon spokeswoman Maj. Audricia Harris said that the US DOD was “reviewing the situation.”

Update: Strava CEO James Quarles released a statement that said the firm is working with military officials to address the issue of sensitive data. The full statement can be read here.