By placing falsely executed “divisions” inside military bases, the operation – the association of which has not been disclosed – was able to track people who practiced at the bases, even those who had enforced the strongest possible account privacy arrangements. In an example seen by the Guardian, a user running on a top-secret base believed to have links to Israel’s nuclear program could be tracked at other military bases and in a foreign country. The surveillance campaign was discovered by the Israeli open source intelligence service FakeReporter. The group’s executive director, Achiya Schatz, said: “We contacted the Israeli security forces as soon as we realized this security breach. “After receiving approval from the security forces to proceed, FakeReporter contacted Strava and they formed a senior team to deal with the issue.” Strava tracking tools are designed to allow anyone to define and compete in “sections”, short running or cycling sections that can be performed regularly, such as a long uphill on a popular bike path or a track in a park . Users can select a section after uploading it from the Strava app, but they can also upload GPS recordings from other products or services. However, Strava has no way of tracking whether these GPS downloads are legal and allows anyone to set a track by downloading – even if they may not have gone to the track they are tracking. In fact, some transhipments are created artificially, at average speeds of hundreds of kilometers per hour, unnaturally straight lines and momentary vertical jumps on rock tops. Some of these fake downloads may have been used for cheating in friendly contests or to create a section to guide others: but at least one set seems to have a more malicious intent. An anonymous user, listed as “Boston, Massachusetts”, had set up a number of counterfeit units at a number of military institutions in Israel, including the country’s intelligence outposts and high-security bases believed to be linked to its nuclear program. program. “By exploiting the ability to send mechanical files, revealing user data anywhere in the world, hostile data has taken a worrying step closer to exploiting a popular application to harm the security of citizens and countries,” Schatz said. The fake section approach also bypasses some of Strava’s privacy settings. Users can set their profiles to be visible only to “followers”, which prevents prying eyes from tracking their movements over time. However, unless they also specify each individual run to be actively secure, then their profile picture, name and initials will be displayed in the sections they have run, in the spirit of friendly competition. With several sections scattered on the map, individuals can still be identified: a user, for example, watched his participation in a publicly reported race, which he won, as well as ran to safe military institutions. In a statement, the fitness company said: “We take privacy issues very seriously and have been informed by an Israeli group, FakeReporter, of a section issue regarding a specific user account and we have taken the necessary steps to rectify this situation. Subscribe to the First Edition, our free daily newsletter – every morning at 7 p.m. BST. “We provide easily accessible information on how to share information on Strava and give each athlete the opportunity to make their own privacy choices. “For more information on all of our privacy checks, visit our privacy center as we encourage all athletes to take the time to ensure that their Strava selections represent their desired experience.” The discovery has the echo of a scandal since 2018, when a new Strava feature posted an overview of all the activities on the fitness monitoring platform around the world. The heat map showed popular running, cycling, and swimming routes, and a statement from Strava said it could be used to locate locations such as the Ironman Triathlon route in Hawaii. But it also defined routes that were less public: the location and layout of multiple military bases in Helmand Province, Afghanistan, were clearly visible, as was a popular outdoor swimming spot next to RAF Mount Pleasant in the Falkland Islands. The map even recorded the route of a lone cyclist in Nevada Area 51. Strava’s response to the uproar was to advise military users to opt out of its visualization, arguing that the information was made public by users who uploaded it. In the wake of the latest privacy vulnerability, some users have been tracked down with disturbing detail: a US Air Force member could be tracked from a tour of Djibouti, where he ran the 7-kilometer runway loop, to an air base in Germany where he was transported. in 2016.
