Sunday, 17 February 2019

Polar's fitness app exposed its users' sensitive location details

09 July 2018

Bellingcat and the Netherlands' De Correspondent have jointly reported a vulnerability that allowed virtually anyone to identify individuals working at top-secret locations, such as military bases overseas, by sifting through the exercise regimens of people in that area.

Open source and social investigative site Bellingcat and Dutch news publication De Correspondent were able to access exercise data shared by users of Polar's Flow social platform, and glean large amounts of location information from it.

An app from Finnish fitness monitoring company Polar can be used to determine where military personnel and embassy staffers live and work, as well as the location of defence bases.

This included the location details of soldiers and secret agents.

With enough digging, Polar's tracking information also exposes its users' names and home addresses.

Polar has since suspended its "explore" map and stated there was no data breach, as the data obtained was from public and not private profiles.


The investigation zeroed in on two hundred sensitive locations and, using site scraping techniques, found 6,460 individuals across 69 nationalities. Tracing all of this information is very simple through the site: find a military base, select an exercise published there to identify the attached profile, and see where else this person has exercised. As people tend to turn their fitness trackers on/off when leaving or entering their homes, they unwittingly mark their houses on the map.
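A mitigation for the endpoint leak described above, as an added example that is not part of the original article and is not Polar's code: before a session is shared publicly, drop every GPS fix that lies within a fixed radius of where recording started or stopped. The 500 m radius, the function names and the sample coordinates are assumptions constructed for illustration.

```python
import math

EARTH_RADIUS_M = 6_371_000  # mean Earth radius in metres


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def strip_endpoint_zones(track, radius_m=500.0):
    """Return the track without any fix inside radius_m of its first or last point.

    Recording usually starts and stops at the front door, so those two
    points (and every pass close to them) are what mark a home on a public map.
    An empty result means the whole session stayed inside the zone and
    should not be published at all.
    """
    if not track:
        return []
    start, end = track[0], track[-1]
    return [p for p in track
            if haversine_m(p, start) > radius_m and haversine_m(p, end) > radius_m]


# Constructed out-and-back session along one meridian (not real user data).
# 0.002 degrees of latitude is roughly 222 m.
SAMPLE_TRACK = [
    (0.000, 0.0), (0.002, 0.0), (0.004, 0.0), (0.006, 0.0), (0.010, 0.0),
    (0.006, 0.0), (0.004, 0.0), (0.002, 0.0), (0.000, 0.0),
]

if __name__ == "__main__":
    for lat, lon in strip_endpoint_zones(SAMPLE_TRACK):
        print(f"{lat:.3f},{lon:.3f}")
```

Trimming hides the exact endpoints but not the general neighbourhood, so it complements private-by-default profile settings and does not replace them.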

"We are analyzing the best options that will allow Polar customers to continue using the Explore feature while taking additional measures to remind customers to avoid publicly sharing Global Positioning System files of sensitive locations", Polar said in the statement.

While the app has been most popular in the West, investigators claimed they managed to unearth the identities and home addresses of the Russian military in Crimea.

Among them are United States troops in Iraq, Syria, Guantanamo Bay, those deployed to the demilitarized zone separating the two Koreas, staffers at the Federal Bureau of Investigation and NSA, military intelligence and cyber security specialists and many others stationed at bases in Africa, South Asia and the Middle East.

"Currently the vast majority of Polar customers maintain the default private profiles and private sessions data settings, and are not affected in any way by this case", it said.

And as this comment, and a further Polar statement, suggests, this is a little different to the Strava episode, in which data wasn't automatically set to private.
