Security Risks of Geolocation and the Internet of Things

At the end of January 2018 a story emerged that the location and layout of military bases were being accidentally disclosed via the personal fitness tracking app Strava[1]. The data produced by tracking the regular running and cycling routes of thousands of military personnel, as well as many more civilians, had been plotted on a global “heat map”[2]. The map is impressive in its own right, but it is also what caused the leak: a cluster of routes in an otherwise empty region reveals a base, and the routes themselves trace its perimeter and internal roads.

This type of resource can easily be used to augment regular intelligence. For example, we identified a news media article reporting that the U.S. military was setting up a base in southern Erbil, Iraq[3]. The article did not disclose the exact location, but by using the Strava Heatmap we identified some possible locations:

Strava Heatmap, Southern Erbil, Iraq.

The heatmap is produced from anonymized data, and Strava hopes that cities will buy its data set of over 1 billion activities to assist with urban planning[4].

However, the data is not quite as anonymous as it should be. Strava allows users to create “segments” to track their activity and lets others compete for the best time around that route. Below are the segments available for Erbil, Iraq:

Strava Segment Explore, Erbil, Iraq.

And the users who have posted times for route C “Run from Cargo Yard”:

Strava Segment Leaderboard, Route C, Erbil, Iraq.

Using this technique, it is possible to identify who has been active in an area and when they were active, and then, from information disclosed on their Strava account or on associated social media such as Facebook, to infer their occupation or reason for being there. The heatmap itself carries no identities; it is the segment leaderboard, which ties a named account and a date to a specific stretch of road, that undoes the anonymization.
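The following is an added example, not Strava's code or data, that models the mechanism described above on constructed input: an aggregated heat grid retains no user identifiers, but a segment leaderboard built from the same activities pins a user and a date to a place. The coordinates, user names, timestamps and the “privacy zone” radius are all assumptions made up for the example, and the straight-line tracks stand in for real GPS traces.

```python
"""Toy model of how an "anonymised" activity heatmap is re-identified via segments.

Added example, not Strava's code or data. All coordinates, users and times
below are constructed. Distances use an equirectangular approximation, which
is accurate enough over a few kilometres.
"""
import math
from collections import Counter
from datetime import datetime, timedelta

GRID = 0.001      # heatmap cell size in degrees (~110 m of latitude)
MATCH_M = 30.0    # how close a track point must pass to a segment endpoint


def distance_m(a, b):
    """Approximate distance in metres between two (lat, lon) pairs."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    x = (lon2 - lon1) * math.cos((lat1 + lat2) / 2)
    y = lat2 - lat1
    return 6371000.0 * math.hypot(x, y)


def make_track(start, end, t0, minutes, n=20):
    """Constructed straight-line track of n+1 (lat, lon, time) points."""
    pts = []
    for i in range(n + 1):
        f = i / n
        lat = start[0] + (end[0] - start[0]) * f
        lon = start[1] + (end[1] - start[1]) * f
        pts.append((lat, lon, t0 + timedelta(minutes=minutes * f)))
    return pts


# Constructed locations: a "cargo yard" and a gate roughly 1 km north of it.
YARD = (36.1700, 44.0100)
GATE = (36.1790, 44.0100)
T = datetime(2017, 9, 10, 6, 0)

# Constructed activities: (user, track). Two users repeat the yard-to-gate run;
# a third person runs elsewhere in the same city.
ACTIVITIES = [
    ("runner_a", make_track(YARD, GATE, T, 4.5)),
    ("runner_b", make_track(YARD, GATE, T + timedelta(days=1), 5.0)),
    ("runner_a", make_track(YARD, GATE, T + timedelta(days=2), 4.25)),
    ("civilian_c", make_track((36.1900, 44.0300), (36.2000, 44.0300), T, 6.0)),
]


def heatmap(activities):
    """Count track points per grid cell. Users are discarded: this is the
    'anonymised' product, yet the hot cells still draw the road."""
    cells = Counter()
    for _user, pts in activities:
        for lat, lon, _t in pts:
            cells[(round(lat / GRID), round(lon / GRID))] += 1
    return cells


def segment_time(pts, seg_start, seg_end):
    """Seconds taken to pass seg_start and then seg_end, or None if the
    track never matched both endpoints in order."""
    t_start = None
    for lat, lon, t in pts:
        if t_start is None:
            if distance_m((lat, lon), seg_start) <= MATCH_M:
                t_start = t
        elif distance_m((lat, lon), seg_end) <= MATCH_M:
            return (t - t_start).total_seconds()
    return None


def leaderboard(activities, seg_start, seg_end):
    """Best time per user on the segment, with the date it was set.
    This is the re-identification step: user + date + exact place."""
    best = {}
    for user, pts in activities:
        secs = segment_time(pts, seg_start, seg_end)
        if secs is None:
            continue
        day = pts[0][2].date().isoformat()
        if user not in best or secs < best[user][0]:
            best[user] = (secs, day)
    return sorted(((u, s, d) for u, (s, d) in best.items()), key=lambda r: r[1])


def apply_privacy_zone(activities, centre, radius_m):
    """Strip points within radius_m of a sensitive location before upload,
    the kind of 'privacy zone' a user can configure. Activities that lose
    every point are dropped."""
    out = []
    for user, pts in activities:
        kept = [p for p in pts if distance_m((p[0], p[1]), centre) > radius_m]
        if kept:
            out.append((user, kept))
    return out


if __name__ == "__main__":
    print("hot cells:", heatmap(ACTIVITIES).most_common(3))
    print("leaderboard:", leaderboard(ACTIVITIES, YARD, GATE))
    masked = apply_privacy_zone(ACTIVITIES, YARD, 220)
    print("leaderboard with 220 m zone:", leaderboard(masked, YARD, GATE))
```

Run as a script, the heatmap reports only cell counts, the leaderboard names both runners with their dates, and the privacy zone empties the leaderboard because the segment start is never reached. Note what the zone does not fix: the masked tracks still light up the road from 250 m onwards, so the base layout remains visible in the aggregate. The zone removes the identity linkage, not the location leak.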

While the Strava story has immediate and obvious ramifications for the military it is just one part of a wider trend of sensors entering and tracking our everyday lives.

We now have thermostats which sense when we leave the house and turn the heat down, water bottles that calculate and monitor our water requirements and office lights which switch off if we don’t move around to keep them on. The internet of things (IoT) will only increase the volume of information that is being collected on our personal activities.

The overt intent of these devices is well-meaning. The business interest in them may involve monetizing the anonymized data they collect. The security risk is that an attacker could learn personal details of your life (where you live, when you are away, which site you report to) and then use that as leverage against you or your company.

You can reduce your risk of falling foul of new tech by taking the time to read the small print of the user agreement, disclosing only the minimum amount of information, and considering what impact your activity data may have on you or your company should it fall into the wrong hands.

[1] https://techcrunch.com/2018/01/28/strava-exposes-military-bases/
[2] https://labs.strava.com/heatmap/#11.43/71.60523/32.51640/hot/all
[3] http://www.presstv.com/Detail/2017/09/13/535051/US-troops-Iraq-Kurdistan-Erbil-Peshmerga
[4] https://metro.strava.com/