Earlier this year the fitness app Strava, a widely popular way to track exercise routines and map runs, was forced to change its privacy settings after it was found uploading user maps that compromised national security. It is now Finnish-based fitness company Polar’s turn to address a similar vulnerability, though on a much bigger scale.
The vulnerability was discovered and reported by Dutch news outlet De Correspondent in collaboration with the “citizen journalist collective” Bellingcat (via ZDNet). On the surface, the flaw appears similar to Strava’s: the app, using data collected from a GPS tracker embedded in one of the company’s wearable devices, generates a map that details the path travelled by an individual while they are out running or cycling. However, that is where the similarities end.
The joint report details how the Polar Flow app would allow anyone to track all of a particular user’s fitness activities dating back to September 2014. The app allows users to create a public profile, which shares their name and home city and makes maps of their activity visible to other users of the program, with almost no limit on how much data someone can request.
The research team found that, starting with a user’s name and home city, they could easily discover the user’s identity by comparing it with social media profiles carrying the same name and city information. After that, it was fairly easy to find their home address, since most people start the app as they walk out the front door to begin their run. If they exercise during their work day, the same applies to their office.
Cause for Serious Concern
Initially, the reporters from De Correspondent and Bellingcat found this interesting, but nothing beyond yet another data breach. That changed when they were able to track the runs of individual members of the military at their bases at home and abroad.
For instance, the researchers examined mapped activity at the Erbil International Airport in northern Iraq, where NATO countries have set up a military base to help Kurdish forces battle Islamic State terrorists in the region. Stationed there, they found a Dutch soldier they refer to as “Tom.” Looking at Tom’s fitness data, they determined that “given his rapid heart rate and leisurely pace, Tom’s not the fittest soldier at the Erbil base. Nor is he a spring chicken, we see on his Facebook page.” They found his Facebook page from his Polar Flow user name and city.
Going further, they could easily gather more information through Tom’s posts. “The photos he and his wife share there – with all the world – reveal that Tom’s children are in their early twenties. A few minutes later, we’ve tracked down his home address in a small town in the northern Netherlands.”
The ramifications of this level of data granularity are stark. Here is a man whom, based on location data alone, we can determine is actively fighting terrorists abroad. With a quick search, someone with malicious intent can discover the location of his home and family from his social media posts and the start/stop points of his mapped runs.
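The start/stop leak described in the two passages above (the route beginning at the front door, and the start/stop points pointing back at home and office) is what a publishing-side "privacy zone" is meant to close. The following is an added illustration written for this page; it is not code from the article, from De Correspondent or Bellingcat, or from Polar, and the track, the home coordinates and the radii are constructed values. It drops every point within a configurable radius of declared locations, additionally trims a fixed distance from both ends of the track (so that a route that starts outside any declared zone still does not reveal where it began), and includes the check a service could run before making a route public.

```python
import math

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat = lat2 - lat1
    dlon = lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def redact_privacy_zones(track, zones):
    """Drop every point that lies within radius_m of any zone centre.

    zones is a list of ((lat, lon), radius_m) tuples, e.g. home and office.
    """
    return [p for p in track if all(haversine_m(p, centre) > radius for centre, radius in zones)]


def trim_endpoints(track, meters):
    """Remove the first and last `meters` of path distance from the track.

    Unlike the zone redaction this needs no knowledge of where the user lives:
    it hides the true start and finish of every route unconditionally.
    """
    if len(track) < 2:
        return []
    cumulative = [0.0]
    for a, b in zip(track, track[1:]):
        cumulative.append(cumulative[-1] + haversine_m(a, b))
    total = cumulative[-1]
    return [p for p, d in zip(track, cumulative) if d >= meters and (total - d) >= meters]


def publishable_track(track, zones, trim_m):
    """Apply both protections; this is what a public map should receive."""
    return trim_endpoints(redact_privacy_zones(track, zones), trim_m)


def leaks_location(track, centre, radius_m):
    """Pre-publication check: does either end of the route sit inside the zone?"""
    if not track:
        return False
    return haversine_m(track[0], centre) <= radius_m or haversine_m(track[-1], centre) <= radius_m


# Constructed sample: a run that starts at "home" and heads due east in
# 0.002-degree longitude steps (about 137 m each at this latitude), 20 points.
HOME = (52.0, 5.0)
SAMPLE_TRACK = [(52.0, 5.0 + i * 0.002) for i in range(20)]
ZONES = [(HOME, 500.0)]  # hypothetical user-declared privacy zone


if __name__ == "__main__":
    public = publishable_track(SAMPLE_TRACK, ZONES, trim_m=300.0)
    print("raw track leaks home:", leaks_location(SAMPLE_TRACK, HOME, 500.0))
    print("public track leaks home:", leaks_location(public, HOME, 500.0))
    print("points published:", len(public), "of", len(SAMPLE_TRACK))
```

Zone redaction alone is not enough in practice: a user who never declares a zone, or who declares it around the wrong address, still publishes the front-door point, which is why the unconditional end trimming is applied as well. The remaining residual is that a trimmed route still shows the direction the user came from; the radius and trim distance trade that residual against how much of the activity remains visible.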
Polar has since disabled its global activity map.