Strava’s fitness app usage heatmap accidentally reveals military deployments — and it won’t be the last time good IoT intentions lead to unanticipated problems.
You’ve probably already heard about the latest Internet of Things (IoT) security fiasco — coverage has gone far beyond the tech press into the mainstream TV news. In case you haven’t been paying attention, though, here’s the elevator pitch version:
Fitness network Strava publishes a global heatmap of where users are running and working out using its services, and folks just figured out that the map includes information that could reveal the locations of military forces working out in sensitive and sometimes secret locations. One expert worried that “tracking the timing of movements on bases could provide valuable information on patrol routes or where specific personnel are deployed.”
Unlike other IoT security concerns, Strava’s situation doesn’t involve hacking, spear phishing, compromised security protocols, or anything like that. In fact, Strava’s service is working exactly as it was intended, letting folks see where others are running and exercising around the world. The problem is that the data reveals previously unseen patterns that could be used in ways Strava, or the security personnel sharing their workout data, never considered.
The Pentagon is concerned
The problem isn’t trivial. According to CNN, “Defense Secretary James Mattis has been made aware of the issue, and the DoD is reviewing policy regarding smartphones and wearable devices.” A Pentagon spokesman told CNN, “We take these matters seriously, and we are reviewing the situation to determine if any additional training or guidance is required, and if any additional policy must be developed to ensure the continued safety of DoD personnel at home and abroad.”
It doesn’t sound like addressing this particular issue will be that difficult. It’s mostly a matter of telling soldiers in sensitive locations to turn off the sharing functions of the Strava app. But, once again, this situation points to a larger problem with new IoT technology.
Put simply, using smart devices to gather and report previously unavailable data has complex implications that can’t always be figured out in advance. The deeper you look at how IoT devices are being used, the more potential flashpoints crop up.
In this example, while it may be easy to get soldiers to stop sharing Strava data, who knows what other devices, apps, and services they’re using, and what data may be collected? In most cases, that process is all pretty innocent, but that doesn’t mean the data can’t be used in hard-to-predict ways. Lots of things track location these days, and in many cases, location data can tell a remarkably detailed story about what folks may be doing.