A heatmap built from two years' worth of global data from the fitness-tracking app Strava, released last November but discovered more recently by an Australian student, inadvertently revealed the location of US military facilities in war zones.
Although the data the GPS tracking firm collected – more than 3 trillion coordinates from more than 27 million users of fitness trackers like Fitbit and Jawbone – was anonymised, in aggregate it revealed not only sensitive troop locations but also routes walked by US border patrols along the Mexican border. The military is reassessing how fitness trackers are used.
“The rapid development of new and innovative information technologies enhances the quality of our lives, but also poses potential challenges to operational security and force protection,” the Central Command press office in Kuwait said in a statement to the Washington Post. “The Coalition is in the process of implementing refined guidance on privacy settings for wireless technologies and applications, and such technologies are forbidden at certain Coalition sites and during certain activities.”
Tom Bonner, senior manager of threat research, EMEA, at Cylance, said the “incident serves to highlight a distinct lack of operational security employed by various government organisations around the world.”
Saying the breach matters “only because these personal Internet of Things... devices collected data that was generally ignored by IT and the organisations as a whole,” Imperva CTO Terry Ray pointed out that “the privacy issues around this breach wouldn't likely have been considered when thinking about such devices.”
Many secret locations “ban the use of mobile phones when on premise, which is common for military, intelligence and other government private sites,” since they can “collect and transmit data outside of the environment,” said Ray. However, the fitness tracker devices “do the same thing, albeit on a much smaller scale.”
Bonner called for “access to personal communication devices with geolocation services [to] be banned in sensitive/restricted locations, and broader assessments and awareness training undertaken by employers to understand and mitigate the potential risk posed by these types of services.”
Pointing to “some bizarre arguments on this in the past with people asking why we should care about hacking devices for location, arguing what could actually be done with the information,” Oliver Pinson-Roxburgh, EMEA director at Alert Logic, said “the military issues associated with this are alarming, and the military should be regularly testing these issues much like businesses should.” He, too, called for a ban. “There should really be no personal equipment or devices allowed during military operations, and military issued devices should be put through much more rigorous testing to look for different types of threats and risks to that of a commercial product,” said Pinson-Roxburgh.