The fitness app Strava was used to identify almost 100 Israeli soldiers and agents.
Fitness apps are more popular than ever. How else can you document and share with the world that you diligently exercise every day? One of the most popular apps is Strava, which can be used to track bike rides and running training, among other things.
It has long been known that fitness apps can also pose a data protection risk. Strava revealed the locations of secret US bases in Syria and Iraq in 2018. That’s why Strava also offers the option to keep your own workouts private so others can’t follow them.
However, another feature called “Segment” offered a loophole, as the Israeli daily Haaretz reports, citing the “Fake Reporter” investigative group.
Fictitious training sessions were gateways
With “Segment” you can see which other Strava users are riding the same route and compare times. The feature is intended, for example, to let users be motivated by the achievements of others during the morning run through the city park.
A Strava user with the name “Ez Shl” and a supposed place of residence in Boston apparently uploaded fictitious running sessions to the app. The fake training took place at known Israeli military and secret service locations, and thanks to the “Segment” feature, “Ez Shl” could then see who was training there and access, for example, their names and profile pictures.
Given that these are cordoned-off areas to which civilians do not have access, it could be deduced that the people training there are members of the security authorities. “Fake Reporter” estimates that the identities of almost 100 people could be revealed.
Little technical knowledge required
The trick was easy. GPS data on smartphones is easy to fake, allowing you to simulate a workout anywhere in the world. Furthermore, the plausibility of the data transmitted to Strava was not even checked: in some training sessions the user was “walking” at 100 km/h. The fictitious training took place at two air force bases, two military intelligence service bases and at the Mossad foreign intelligence service headquarters.
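A server-side plausibility check of the kind described above as missing, as an added example (not Strava's code and not from the article). The speed ceilings, function names and sample tracks are assumptions constructed for illustration.

```python
import math

# Assumed per-activity speed ceilings in km/h (illustrative, not Strava's values).
MAX_SPEED_KMH = {"walk": 12.0, "run": 45.0, "ride": 120.0}
EARTH_RADIUS_KM = 6371.0088


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlam = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def check_track(activity_type, points, max_bad_fraction=0.1):
    """points: list of (unix_seconds, lat, lon). Flags tracks whose segment
    speeds are impossible for the declared activity type."""
    if len(points) < 2:
        return {"plausible": False, "max_kmh": 0.0, "bad_segments": 0}
    limit = MAX_SPEED_KMH[activity_type]
    bad, max_kmh = 0, 0.0
    for (t1, la1, lo1), (t2, la2, lo2) in zip(points, points[1:]):
        dt = t2 - t1
        if dt <= 0:  # replayed or hand-edited timestamps count as bad
            bad += 1
            continue
        kmh = haversine_km(la1, lo1, la2, lo2) / (dt / 3600.0)
        max_kmh = max(max_kmh, kmh)
        if kmh > limit:
            bad += 1
    # Tolerate a few GPS jitter spikes; reject when too many segments are bad.
    plausible = bad / (len(points) - 1) <= max_bad_fraction
    return {"plausible": plausible, "max_kmh": round(max_kmh, 1), "bad_segments": bad}


# Constructed sample tracks at arbitrary coordinates, one fix every 10 seconds.
SPOOFED_WALK = [(i * 10, 10.0 + i * 0.0025, 20.0) for i in range(11)]    # ~100 km/h
GENUINE_WALK = [(i * 10, 10.0 + i * 0.000125, 20.0) for i in range(11)]  # ~5 km/h

if __name__ == "__main__":
    for name, track in (("spoofed", SPOOFED_WALK), ("genuine", GENUINE_WALK)):
        print(name, check_track("walk", track))
```

A track that fails the check can be kept private and excluded from segment matching rather than silently accepted, so a fabricated activity never gets to see who else trained on a route.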
Strava told Haaretz that it had blocked the user and taken further action. For its part, the Israeli army now wants to introduce “special procedures” for personnel working in sensitive areas.