man running

Reporters Were Able To Track Military Personnel Through Fitness App

polar fitness trackerOver the weekend, two media outlets (De Correspondent and Bellingcat) reported that they were able to uncover the names of more than 6,400 military and intelligence personnel.  How did they do this exactly?  Well, it wasn’t rocket science.  In fact, all they had to do was look up their fitness activities in the Polar app.  To clarify, these reporters didn’t do anything wrong or illegal.  In fact, all they did was accessed the company’s Flow app and they were able to find the routes that they take when they’re working out.  Flow is used by Polar in order to track the fitness activities of their users.  We talk a lot about cyber security on this blog, but at what point is it not hacking?Literally, all they had to do was look up the Explore map, that’s found within the app, in order to find people working out near locations like the White House, the NSA, London’s MI6.  But what might be worse than all of that is that they were able to find 48 nuclear weapon storage facilities.  Seriously?  To me this is insane.  From there, they were able to find out the names of some of the users – including those who had chosen to keep their data private.  There are so many unanswered questions with this one – how did this happen in the first place?  Why are military and intelligence agencies allowing their people to use this software?polar fitness mapPolar’s app is so insecure, the reporters were also able to find out the start and end points for the workout routines, which meant, they were able to determine some users’ home addresses.  That’s not to say that Polar is the only company that does this.  Strava, Runkeeper, and Endomondo do this as well.  But Polar is the only one who’s map was able to let these reporters see every fitness routine ever recorded dating back to 2014.  So is this a security breach?  Or is this just a poorly designed app?  An app that just happens to be used by people who probably want to keep their locations a secret.Since this was uncovered, the activity map was removed.  As soon as it was discovered, De Correspondent said that it informed the Dutch Ministry of Defense.  Other foreign ministries and intelligence agencies have been alerted to this as well.  I guess I’d like to understand how something like this happens in the first place?  Let’s say the intelligence agency supports using this particular app for one reason or another.  Do they not check up on the security of the app?  Do they not have extra security measures in place so that something like this doesn’t happen?  I guess I’m surprised that so many agencies allowed this to happen in the first place.polar fitness mapThat’s not to say that Polar doesn’t play a role in this.  But it’s a buyer beware type situation these days.  Especially when it comes to where your data is going.  Of course, this will lead to stricter guidelines for personnel at these facilities.  Maybe they will no longer be able to use these particular devices for tracking their fitness.  This kind of thing is only going to get worse – in that, more and more of these breaches will be uncovered – before it gets better.  It’s hard to determine who should be blamed with this one as it’s a chicken vs. the egg type situation.  Regardless, everyone needs to be more vigilant about where their data is and know who can see it.