Strava Vulnerability Reveals Israeli Security Staff Run Locations
A vulnerability in STRAVA security has been used by researchers at FakeReporter.net to obtain the details of approximately 100 Israeli Security Staff at the Palmahin Air Force Base & Space Port, Moshav Ora Intelligence base and at 4 other locations in Israel.
Source: https://twitter.com/FakeReporter
Readers might remember a similar story in 2018 that allowed the discovery of ‘secret’ US military bases in Syria using Strava’s heatmaps.
How Strava Works
Smartphones and sport watches record the GPS route of Strava users’ workouts and the finished workouts are uploaded to the Strava cloud. Strava presents insights back to its users on their app but also shows users their performance compared to others over defined paths they call segments which could be anything longer than a few tens of metres. Each segment has a leaderboard with the leaders shown by name, age and sex. It is sometimes possible to click on the leaderboard to find out more about the leaders and their sporting activities.
How Did It Happen This Time?
The breach looks to be a combination of deliberately fake workouts and security settings that confused Israeli military personnel.
Firstly it seems that researcher Ez Shehl created some fake yet realistic workouts at various military bases without ever going there and then uploaded them to Strava.
Reality Check: This *IS* plausible. I think if I had a couple of hours I could probably do that if I knew the location of the base. I would create a GPX route using one of many tools (eg Strava!) and then reverse-engineer real run data from another workout onto those GPS points.
Secondly, any Strava segment that was used in the ‘run’ will have a leaderboard. It seems that this is where Strava have a problem as some Strava users appear on those leaderboards even if their accounts are set to private.
Reality Check: I don’t think this part of the story is correct. It’s more likely that security personnel did not properly secure their accounts…admittedly Strava could have made it more obvious how to do this. As an example, take a look at my Strava privacy settings in the image below. There are several places where certain aspects of activities might be publically seen. I thought my account was totally hidden however as you can see below I hadn’t changed the last slider control “hide your activity maps from others completely”. Mistakes are easily made. There appears to be no single ‘kill switch’ that fully privatises the account.
Then again Strava claims to have already fixed whatever issue there was. So I am only seeing the same, fixed version of the security settings as you.
What Information Was Compromised
The researchers responsibly went through the proper channels and none of the details that were discovered about military personnel have been made public.
It seems that it was possible to ascertain the name, user photos and locations of some of the run locations of military personnel.
When asked for comment, Strava said “We take matters of privacy very seriously and have addressed the reported issues.” (via the Haaretz newspaper)
Take Out
The heatmap breach from 5 years ago always seemed like a bit of a storm in a teacup to me. Nothing too personal was really revealed other than the location of large military bases that could be seen on Google Maps in any case plus sections in the bases where soldiers frequently ran.
This time it’s more important as individual names and photos were obtained.
Read More About Strava- here
new STRAVA Local Legends – Segments, Jim, but not as we know them
Sports Apps 2020 Report & Table – Winners & Losers of 2019 – Best Sports App
Strava Running Power – All The Details – All major watch brands now support it (after a fashion)
Suunto adds Plotaroute support for Advanced Route Creation & Easy Syncing
STRAVA Stats Show Surprising US vs UK Differences: starting with…America is Bigger
STRAVA Stats Show Surprising US vs UK Differences: starting with…America is Bigger
Reader-Powered Content
This content is not sponsored. It’s mostly me behind the labour of love which is this site and I appreciate everyone who follows, subscribes or Buys Me A Coffee ❤️ Alternatively please buy the reviewed product from my partners. Thank you! FTC: Affiliate Disclosure: Links pay commission. As an Amazon Associate, I earn from qualifying purchases.
At the end of the day, it’s not a security breach when anyone (including military/intel/etc) publish their own whereabouts on a social media network, and then don’t properly set their security settings.
The only way you show up on the leaderboard is if a given activity is set to public. That’s it. It looks like these people set this to public (and Strava’s response wording pretty much confirms that).
The ‘Hide your map completely’ is specifically for a scenario where you set your activity to public, but then want to hide the map (roughly this use-case, but more a case of pretending to be indoors rather than out riding during the work day).
Said again, this isn’t a vulnerability in Strava. This is simply someone not setting an activity to private, and failing OpSec.
yes
“The breach looks to be a combination of deliberately fake workouts and security settings that confused Israeli military personnel.”
always helpful to read the full reporting before – particular the part of private activity showing up on a fabricated segment lists – otherwise you end up in typical DCR nonsense fashion “I send it back and buy my own Garmin gear BS….”
it’s simple, if your Strava profile is showing up on leaderboards even if your account is set to privat that is a security breach and opposite of what Strava is claiming on privacy. period .
*IF* ….