20-year-old Australian exposes security flaw with US troops and fitness apps


I’ve been following this for about two weeks now, and shockingly the best article about it so far comes from Vox. Now, under normal circumstances I wouldn’t link to such a partisan news source, but on this issue they really are all over it and did a phenomenal job:

Most of the 22 million people who reportedly use Fitbits or other fitness trackers probably aren’t thinking about what their daily jog or morning walk to work might mean for international security. But a recent, startling revelation about what people’s fitness stats are revealing to the world is poised to change that — and maybe even to permanently alter our relationship to data privacy.

Over the weekend, news broke that a fitness-centered social media app called Strava had quietly, inadvertently divulged the locations of secret military bases around the world via its recently updated global “heat map.” Anyone wearing a fitness tracker like Fitbit with the Strava app installed can make their location data public through the app, which allows it to be included in the company’s global heat map.

As it turns out, when you put enough soldiers in one place and they exercise in the same locations every day, their collective composite heat map can reveal things over time that no one was expecting.

More on what this guy found:

Nathan Ruser, an analyst with the Institute for United Conflict Analysts, first noted the lapse. The heatmap “looks very pretty,” he wrote, but is “not amazing for Op-Sec” – short for operational security. “US Bases are clearly identifiable and mappable.”

“If soldiers use the app like normal people do, by turning it on tracking when they go to do exercise, it could be especially dangerous,” Ruser added, highlighting one particular track that “looks like it logs a regular jogging route.”

“In Syria, known coalition (ie US) bases light up the night,” writes analyst Tobias Schneider. “Some light markers over known Russian positions, no notable colouring for Iranian bases … A lot of people are going to have to sit through lectures come Monday morning.”

Just how bad was this, and how much intel could one get? Well, look at this tweet from Tobias Schneider, which points out bases around Mosul that presumably we wouldn’t want to hand the bad guys 8-digit grid coordinates for:

There’s no good way to sugarcoat this one: this is a terrible OPSEC flaw that could really damage us. I guess we should be grateful it was an Aussie who found it and let us know, rather than ISIS getting it. But my first reaction was the knowledge that the flaw would be fixed quickly by the military... and a surety that somehow the Pentagon would go a bit over the top at first. Or maybe it wouldn’t be the Pentagon, but anyone who has served has seen it: the CO says be there at 8, the 1SG says no later than 7:30, platoon leaders say 7... and before you know it your team leader has set first call at 0600 and the building won’t even be open yet. And it looks like I may have been prescient:

Defense Secretary Jim Mattis is considering banning all cell phones and personal electronic devices such as FitBits from the Pentagon, defense officials confirmed Wednesday.

Mattis has directed the Undersecretary of Defense for Intelligence Joseph D. Kernan and the Pentagon’s chief information officer to review current security policies concerning the devices.

Cell phone use at the Pentagon will be part of the larger review to look at the vulnerabilities created by wearable technologies. Even if they are not hacked, the devices can transmit location and other personal data if a user has not selected appropriate security settings.

Now, again, banning cell phones at the Pentagon has nothing really to do with FitBits on small FOBs overseas, so I think this is more about them looking at security issues in general, and the timing is bad. Mattis gets this, so I’m thinking someone just went off script. Pretty sure you know where foot traffic is at the Pentagon without a heat map from fitness apps. What concerns me is that they will end up taking this to the extent they do formations, and by the time it gets to a team level deployed to Helmand province this will become something where no one is allowed any device invented since the abacus.
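As an added illustration (not part of the original post or of any of the reporting quoted above), the snippet below builds a tiny heat-map aggregate from constructed GPS tracks to show why a remote site with a handful of regular joggers still stands out in anonymised, aggregated data, and demonstrates the two defensive controls the excerpts point at: a platform-side minimum-contributor threshold per map cell, and a user-side privacy zone that strips points near a sensitive place before they are ever shared. The coordinates, user counts, loop shapes and the roughly 100 m grid are all assumptions.

```python
import math
from collections import defaultdict

# Constructed sample (placeholder coordinates, not real sites or tracks): six
# users jog one loop round a hypothetical remote compound, 24 jog a town loop.
REMOTE_SITE = (34.5200, 69.1800)
TOWN = (34.6000, 69.3000)

def loop(center, radius_deg, n=40):
    """A circular jogging route of n GPS points around center (constructed)."""
    lat, lon = center
    return [(lat + radius_deg * math.cos(2 * math.pi * i / n),
             lon + radius_deg * math.sin(2 * math.pi * i / n)) for i in range(n)]

TRACKS = {u: loop(REMOTE_SITE, 0.002) for u in range(6)}      # users 0-5
TRACKS.update({u: loop(TOWN, 0.003) for u in range(6, 30)})    # users 6-29

def cell(pt, size=0.001):
    """Snap a point to a grid cell roughly 100 m across at this latitude."""
    return (round(pt[0] / size), round(pt[1] / size))

def aggregate(tracks, size=0.001):
    """Heat-map style aggregation: per-cell point count and distinct contributors."""
    counts, users = defaultdict(int), defaultdict(set)
    for uid, track in tracks.items():
        for pt in track:
            counts[cell(pt, size)] += 1
            users[cell(pt, size)].add(uid)
    return counts, users

def publishable(counts, users, min_users):
    """Platform-side suppression: only publish cells with >= min_users contributors."""
    return {c: n for c, n in counts.items() if len(users[c]) >= min_users}

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    p1, p2 = math.radians(a[0]), math.radians(b[0])
    dphi, dlam = p2 - p1, math.radians(b[1] - a[1])
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(h))

def privacy_zone(tracks, center, radius_m):
    """User/device-side mitigation: strip points within radius_m of a sensitive place."""
    return {uid: [p for p in t if haversine_m(p, center) > radius_m]
            for uid, t in tracks.items()}

if __name__ == "__main__":
    c, u = aggregate(TRACKS)
    print("cells:", len(c), "after min-10 suppression:", len(publishable(c, u, 10)),
          "after 500 m zone:", len(aggregate(privacy_zone(TRACKS, REMOTE_SITE, 500))[0]))
```

Without suppression every cell of the remote loop is published with only six contributors behind it; the threshold hides it while the busier town loop stays, and the privacy zone removes it at the source, which is the control the individual actually holds.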

Posted in the burner | 0 comments