This week the military activities of America’s national security forces were exposed by a simple fitness tracking app. The Strava app published global heat maps online, which tracked and displayed the movements of app users working in American military bases. This accidental exposure was noticed by international security student Nathan Ruser[1], who noted that Strava’s maps showed most western cities aglow with the activities of numerous users, but that US military bases in the Middle East were easily highlighted due to specific activity in remote areas.
As a result, the US military and US lawmakers are looking into a way to address what is essentially an accidental breach of security[2]. For the time being, the US Army has stated that the heat maps have not revealed anything that wasn’t already known and that no information of great importance was exposed.
The release of the data poses a troubling security issue. With more and more people utilising wearable technology, accidental breaches of privacy and security are inevitable. In this case, where some heat maps reveal the exercise or daily routines of military officers in places like Iraq or Afghanistan, such data can be weaponised in disastrous ways[3]. Military assets can be easily targeted for an attack, and ambushes in rough terrain are made possible by tracking the mapped movements of particular officers.
Strava is not the only app that could accidentally cause a security issue. Any app that can access personal data or a GPS location has the potential to expose activities and a specific location to the public. Other apps such as Foursquare, Yelp and a personal Google account will usually ask you to check in to your location if you have your GPS settings on.
One key aspect of this security issue is the limited understanding that users have of their privacy. The public is mainly concerned with the kind of cyber security breaches where their data is hacked or leaked, in particular data breaches that might steal identities and money. Most people are rarely concerned about the fact that apps and other portable tech are tracking everything they do and everywhere they go. When apps like Strava or Yelp provide easy and simple day-to-day services, we rarely consider the price we pay with regard to our privacy.
Nevertheless, appropriate training, monitoring and policies should be developed and imposed on employees who work in high-security positions. In the case of the military, it is imperative that all military personnel are trained and informed to check the privacy settings on their phones and computers, or simply not use them while on deployment. While these kinds of measures might seem drastic, this is perhaps the only sensible way to maintain security when working in troublesome or high-security areas.
New apps are developed every day that make our lives easier but not necessarily safer with regard to our privacy. The balance between technology giving us almost unlimited access to services and information, and maintaining our privacy and security, is hard to maintain. It will only become even more difficult as technology progresses further.
It is important to make thorough assessments of the technology used at work and at home and what its privacy and security parameters are. Learning about and opting out of any location and privacy services might be the first step in keeping your day-to-day habits out of the hands of strangers. Otherwise, security policy development will have to consider offline technology, as well as ‘going dark’ in some instances, if we want to ensure the complete security of your home or business.
For further information on mobile device management and the potential risk new applications and other technologies may pose to your organisation, please do not hesitate to contact Agilient.
The Agilient Team
[1] https://www.abc.net.au/news/science/2018-01-29/strava-heat-map-shows-military-bases-and-supply-routes/9369490
[2] https://www.businessinsider.com.au/strava-ceo-responds-heat-map-exposes-secret-us-military-bases-around-the-world-2018-1
[3] https://www.forbes.com/sites/sethporges/2018/01/29/strava-was-just-the-beginning-even-seemingly-innocent-data-can-be-weaponized/#2662f0ec126f
