A popular fitness app provided a convenient map for anyone interested in shadowing government personnel who exercised in secret locations, including intelligence agencies, military bases and airfields, nuclear weapons storage sites, and embassies around the world.
The fitness app, Polar Flow, publicized more data about its users in a more accessible way than comparable apps “with potentially disastrous results,” found Bellingcat and De Correspondent investigators, who released the results of their research on Sunday.
Polar Flow provided functionality that combined all of a person’s exercise sessions on a single map.
“Polar is not only revealing the heart rates, routes, dates, time, duration and pace of exercises carried out by individuals at military sites, but also revealing the same information from what are likely their homes as well,” states the report.
Tracing all of that information was very simple through the site, the investigators noted. Find a military base, select an exercise published there to identify the attached profile, and see where else an individual has exercised.
“As people tend to turn their fitness trackers on/off when leaving or entering their homes, they unwittingly mark their houses on the map,” the report notes.
Goldmine of Intelligence
Through the Polar flow app and public information, such as social media profiles, Bellingcat and De Correspondent identified a number of people working in sensitive positions, including the following:
- Military personnel exercising at bases known, or strongly suspected, to host nuclear weapons;
- Persons working at the FBI and NSA;
- Military personnel specializing in cybersecurity, IT, missile defense, intelligence and other sensitive domains;
- Persons serving on submarines, exercising at submarine bases;
- Individuals both from management and security working at nuclear power plants;
- Russian soldiers in Crimea; and
- Military personnel at Guantanamo Bay.
In response to the Bellingcat and De Correspondent findings, Polar Flow temporarily suspended an API at a website that exposed a rich vein of user information.
Polar emphasized that it had not leaked any data and that there had been no breach of private data.
The vast majority of its customers maintained the default private profile and session settings, the company said, and were not affected by the issues described in the report.
Sharing training session and GPS location data is an opt-in customer choice, Polar said.
Still, because potentially sensitive locations were appearing in public data, the company decided to suspend its Explore API temporarily.
Users must assume some of the burden of protecting their data, said Corey Milligan, a senior threat intelligence analyst at Armor.
“Users need to be aware of the kind of data they’re putting out there,” he told TechNewsWorld. “Any data you put out there, whether it’s on Facebook or on an app like this, you need to utilize the security mechanisms that are in place for the application itself, at the very least.”
Consumers Need to Push Security
Initial configurations for many apps can present a problem for consumers, especially those with a minimal interest in security.
“The default on these things is to share information,” said Willy Leichter, vice president of marketing at Virsec.
“If you allow it to share your location, it’s almost never clear where that information is going,” he told TechNewsWorld.
“Once it gets to the app’s server, companies seem to be comfortable sharing it or being creative with it,” Leichter pointed out. “That’s going to change in Europe with the GDPR (General Data Protection Regulation),” he said. “There’s going to be a lot of lawsuits around things like this because you can no longer share information about people without their explicit permission.”
“GDPR is going to make some pretty profound changes come about, especially if the U.S. adopts some kind of GDPR-like regulation to protect data,” added Armor’s Milligan.
Consumers can protect what apps do with their data in another way, suggested Parham Eftekhari, executive director of the Institute for Critical Infrastructure Technology.
“One of the most important things consumers need to do, which no one is speaking about, is start to be vocal with app developers and ask questions about security so that developers understand that security is important and a factor in the buying process,” he told TechNewsWorld.
“When companies start to tie revenue to security, it will become a bigger priority,” said Eftekhari, “and that process will happen more quickly when consumers begin to speak up in greater numbers during the sales process.”
A Familiar Problem
Polar Flow isn’t alone in revealing sensitive information about soldiers and spies. Nathan Ruser, an Australian student studying international security and the Middle East, earlier this year explained how fitness-tracking app Strava could be used to identify the location of Australian military bases and personnel routines.
Information leakage through mobile devices isn’t a new problem for the military, either.
“Mobile devices, given their promise of mobility with rich functionality, are being deployed with broadening use cases throughout the United States Department of Defense,” Jason L. Brooks and Jason A. Goss wrote in a paper for the U.S. Naval Postgraduate School back in 2013.
“All the while, massive quantities of information are stored and accessed by these devices without there being a comprehensive and specialized security policy dedicated to protecting that information,” they added.
The military subsequently adopted regulations governing the use of cellphones and tablets, including a prohibition on bringing personal electronic devices into sensitive areas.