Russian authorities appear to be systematically messing with GPS and other GNSS signals in multiple locations, a new report from the Center for Advanced Defense Studies concludes (CBS News, Foreign Policy, Moscow Times, Wired). The tactic is called GPS spoofing: broadcasting a false GPS/GNSS signal in a specific location to fool GPS/GNSS receivers and render them unreliable or unusable. The incidents appear to correlate with sensitive Russian facilities, active combat zones, and the travel itinerary of one Vladimir V. Putin. In one case, while Putin was opening a bridge between Russia and Crimea, nearby ships were suddenly informed by their GPS/GNSS receivers that they were dozens of kilometres away from their actual position.
In the wake of reports that fitness apps’ user data was exposed and could be used to identify military and intelligence personnel in sensitive areas like bases and deployment zones, U.S. military and defense employees can no longer use geolocation features in devices and apps in operational areas. The new policy was announced last Friday. Also see coverage at Stars and Stripes. [Gizmodo]
Previously: Strava Heat Map Reveals Soldiers’ Locations; Non-Anonymized Strava User Data Is Accessible; Strava, Responding to Security Concerns, Disables Features; Polar Flow User Data Can Be Used to Identify Military and Intelligence Personnel.
Remember how in January the mobile fitness app Strava was found to reveal the training routes and user data of military and security personnel? It wasn’t just Strava. A joint investigation by Bellingcat and De Correspondent found that the data for users of the Polar Flow app is even more exposed: even the names and home addresses of military and intelligence personnel working at embassies, bases, intelligence agencies and other sensitive locations could be figured out from the user data. De Correspondent shows how.
Polar, the Finnish company behind the app and service, announced that they were suspending the Explore feature that made the data accessible. They also note, and it’s worth remembering, that Polar data is private by default. If you’re military or intelligence and using a fitness app, what the hell are you doing exposing your location data—especially if you’re in a sensitive location?
The report also contains one hell of a buried lede. They tested other apps, namely Strava, Endomondo and Runkeeper, and, well: “Though it’s harder to identify people and find their home addresses than it is through Polar, we were ultimately able to do so using these apps. In contrast to Polar’s app, there is no indication that people whose profiles are set to private can also be identified in these apps. We informed them of our findings last week.” In other words, this is an industry-wide problem, not just a problem with one or two services. [The Verge]
Strava has reportedly disabled certain features in the wake of the privacy and security issues raised last month, with users reporting that they can no longer create workout segments. In a statement given to The Verge, Strava said: “We are reviewing features that were originally designed for athlete motivation and inspiration to ensure they cannot be compromised by people with bad intent.” [Canadian Cycling Magazine]
More on the privacy issues regarding Strava’s global heat map and its customer data. Now Wired UK is reporting that Strava’s data isn’t anonymous. Because you can compare your results with nearby users, all it takes is a local GPS tracklog—which can be created out of whole cloth, as Steve Loughran’s blog post demonstrates—to see detailed information about users. Wired UK:
By uploading an altered GPS file, it’s possible to de-anonymise the company’s data and show exactly who was exercising inside the walls of some of the world’s most top-secret facilities. Once someone makes a data request for a specific geographic location—a nuclear weapons facility, for example—it’s possible to view the names, running speeds, running routes and heart rates of anyone who shared their fitness data within that area.
The leaderboard for an area, the Guardian reports, can be extremely revealing. “The leaderboard for one 600m stretch outside an airbase in Afghanistan, for instance, reveals the full names of more than 50 service members who were stationed there, and the date they ran that stretch. One of the runners set his personal best on 20 January this year, meaning he is almost certainly still stationed there.”
Which makes the security issue regarding military personnel using fitness trackers even worse than simply the anonymous aggregate of the routes they take. Yes, this is very much an unintended and unforseen consequence of relatively innocuous social sharing bumping up against operational and personal security protocols; and it’s as much on military personnel to, you know, not use GPS-enabled devices that upload your location to a third-party server as it is on companies to have clear and effective privacy controls. This is very much the result of a whole lot of people not thinking things through.
Previously: Strava Heat Map Reveals Soldiers’ Locations.