
Shadowy Strava Users Spy on Israeli Military With Fake Routes in Bases (theguardian.com) 24

Unidentified operatives have been using the fitness tracking app Strava to spy on members of the Israeli military, tracking their movements across secret bases around the country and potentially observing them as they travel the world on official business. From a report: By placing fake running "segments" inside military bases, the operation -- the affiliation of which has not been uncovered -- was able to keep tabs on individuals who were exercising on the bases, even those who have applied the strongest possible account privacy settings. In one example seen by the Guardian, a user running on a top-secret base thought to have links to the Israeli nuclear programme could be tracked across other military bases and to a foreign country.

The surveillance campaign was discovered by the Israeli open-source intelligence outfit FakeReporter. The group's executive director, Achiya Schatz, said: "We contacted the Israeli security forces as soon as we became aware of this security breach. After receiving approval from the security forces to proceed, FakeReporter contacted Strava, and they formed a senior team to address the issue." Strava's tracking tools are designed to allow anyone to define and compete over "segments," short sections of a run or bike ride that may be regularly raced over, like a long uphill climb on a popular cycling route or a single circuit of a park. Users can define a segment after uploading it from the Strava app, but can also upload GPS recordings from other products or services.

  • by Miles_O'Toole ( 5152533 ) on Tuesday June 21, 2022 @04:18PM (#62640332)

    Either this is a very old story, or a similar trick was run on US armed forces personnel months ago. I can't recall who the victims were in the initial story, but I'm surprised soldiers are still getting hosed in by having their fitness app monitored.

    • by laxguy ( 1179231 )

      yeah Strava ran into some trouble a few years back for their heatmap revealing potentially secret places - it's simple though, set your activity to private and don't allow it to be uploaded to leaderboards/rankings

      https://www.wired.com/story/st... [wired.com]

      • by amorsen ( 7485 )

        The point of this story is that setting your activity to private doesn't help for this attack.

        • by Askmum ( 1038780 )
          I think the lesson learned is to not trust third parties to keep your secrets a secret. If I were base commander I would boot out everyone who uploaded their whereabouts to an external server. And I do also remember the report that secret US bases in Afghanistan showed up on the Strava heatmap.

          You could have known, you should have known, there is no excuse for using Strava after that, even if they promise secrecy. If you do, it is your own stupidity.

          • by laxguy ( 1179231 )

            if we're going off the information in the article, it does not sound like these users secured their accounts properly.

            alternatively, use something other than Strava as they are money hungry greedy fucks.

        • by laxguy ( 1179231 )

          Users can set their profiles to be only visible to “followers”, which prevents prying eyes from tracking their movements across time. But unless they also set each individual run to be actively secured, then their profile picture, first name, and initial will show up on segments they have run, in the spirit of friendly competition.

          this is not how you do it.

          like i said, you also have to set it to not upload your stats to the segments and leaderboards, which is another checkbox that I'm sure people are forgetting, plus your activities can be completely private, allowing only you to view them.

    • Well it's Strava users. I have heard that term used many times as a pejorative about people on our local trail who get angry or annoyed because someone else is in front of them and slowed them down for one second.
      I am not surprised that they have their head so far up their own ass that it could happen again.

      • You'd be surprised - shocked, maybe - that some users of $tech can be assholes about using $tech. Now, if we cancel out the "$tech" terms, you'll see the shortened version: "some users can be assholes." Remarkable, no? Further, empirical evidence of dealing with people for more decades than I care to admit bears that out: some people are just assholes, no matter what they're doing. I know - it's mind blowing. So, is it limited to Strava? No. Are all Strava users assholes? No. Does using Strava make
  • ... upload a walking route across the Sea of Galilee.

  • Strava user here (Score:4, Informative)

    by usu4rio ( 1115041 ) on Tuesday June 21, 2022 @05:27PM (#62640494)

    For once I can comment on some issue about a "social" platform I fanatically use!!

    This is really a non-issue. The man himself (aka DCR) has spoken: https://the5krunner.com/2022/0... [the5krunner.com]

    At the end of the day, it’s not a security breach when anyone (including military/intel/etc) publish their own whereabouts on a social media network, and then don’t properly set their security settings.
    The only way you show up on the leaderboard is if a given activity is set to public. That’s it. It looks like these people set this to public (and Strava’s response wording pretty much confirms that).
    The ‘Hide your map completely’ is specifically for a scenario where you set your activity to public, but then want to hide the map (roughly this use-case, but more a case of pretending to be indoors rather than out riding during the work day).
    Said again, this isn’t a vulnerability in Strava. This is simply someone not setting an activity to private, and failing OpSec.
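
A toy model of the mechanism the summary and this post describe, added here as an illustration and not code from Strava or from any poster; the setting names, coordinates and the leaderboard opt-out flag (standing in for the checkbox mentioned elsewhere in the thread) are all constructed:

```python
from dataclasses import dataclass
from math import hypot
# Constructed toy model of how a planted segment's leaderboard exposes an
# activity, written for this thread; not Strava's code and no real API is used.

@dataclass
class Activity:
    athlete: str
    track: list                           # (x, y) points on a constructed grid
    visibility: str = "public"            # "public", "followers" or "only_me"
    profile_followers_only: bool = False  # profile-level setting (see thread)
    hide_map: bool = False                # hides the map; activity stays public
    leaderboard_opt_out: bool = False     # stand-in for the leaderboard checkbox

@dataclass
class Segment:
    name: str
    start: tuple
    end: tuple
    radius: float = 0.5                   # how close a point must pass

def matches_segment(track, seg):
    """True if the track passes near seg.start and later near seg.end."""
    seen_start = False
    for x, y in track:
        if not seen_start:
            seen_start = hypot(x - seg.start[0], y - seg.start[1]) <= seg.radius
        elif hypot(x - seg.end[0], y - seg.end[1]) <= seg.radius:
            return True
    return False

def leaderboard(activities, seg):
    """Athletes shown on the segment's public leaderboard."""
    # profile_followers_only and hide_map are deliberately ignored: the thread's point.
    return [a.athlete for a in activities
            if a.visibility == "public"
            and not a.leaderboard_opt_out
            and matches_segment(a.track, seg)]

def exposure_report():
    """Constructed scenario: one planted segment inside a restricted area."""
    planted = Segment("fake loop", start=(0, 0), end=(4, 0))
    loop = [(0, 0), (1, 0), (2, 0), (3, 0), (4, 0), (4, 1), (0, 1)]
    runs = [
        Activity("alice", loop, profile_followers_only=True, hide_map=True),
        Activity("bob", loop, visibility="only_me"),
        Activity("carol", loop, leaderboard_opt_out=True),
        Activity("dave", [(0, 5), (4, 5)]),   # never enters the segment
    ]
    return leaderboard(runs, planted)   # only alice is exposed
```

Only the activity-level settings change the outcome here: a followers-only profile with a hidden map still lands on the planted segment's leaderboard, while a private activity or the opt-out does not.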

    • I see an opportunity for deception for publicly known military bases: "Soldiers, you will put on a Fitbit then do one lap around the base. Then come back here and exchange your Fitbit for another one. Do this five times each."
    • Re:Strava user here (Score:4, Interesting)

      by Geoffrey.landis ( 926948 ) on Tuesday June 21, 2022 @05:55PM (#62640556) Homepage

      That directly contradicts the summary and the article [theguardian.com], which states "...able to keep tabs on individuals who were exercising on the bases, even those who have applied the strongest possible account privacy settings."

      Is the summary incorrect?

      • The article is incorrect. The strongest possible privacy settings would be to set all your activities to default to private, then they will not appear in any leaderboards unless you change them to public. Therefore, the article is wrong. There are also options to hide parts or all of your map. In this case, though, you would want to hide all of the map so that you could not be tracked from base to base.

        Anyway, it's yet another article written by someone who probably doesn't use or understand the service. A

  • Hehe, plant "courses" for "fun inside fast walking" over suspected secret routes for The President in the White House, and see if some rube in there tries to top the best time for it, to confirm its existence.

    No, NSA, I don't know of such things. I just saw this story and ran with it.

    So to speak.

    I can be hired to think for you, btw. I would like a government job with pension.

    • In Strava parlance, they're called "segments." And if segments violate Strava's rules, particularly for safety, they can be removed. For example, during the fall, a local stretch of highway was shut down to traffic for short-term construction. I rode my bike the length of it, forward and back because I knew it would be one of the few times I could. After you've ridden a stretch, you can create a segment from the GPS data of it. I thought it would be a hoot to make the highway a segment so I could be th
  • by gurps_npc ( 621217 ) on Tuesday June 21, 2022 @05:55PM (#62640558) Homepage

    ... issued by their military.

    Not because of this particular exploit, but instead on principle. It's not just knowing their location, it's knowing that they turned off their location.

    It's the modern equivalent of not letting soldiers' mail mention their location.

    Give them approved tech with preinstalled examples of the commonly requested tech (i.e. a game or three, fitness tracker, military email, a view only app for free services like youtube that cannot send data back - I want that for myself).

    That is the RIGHT way to do this. But lazy people will do it wrong, despite security concerns.

    I guarantee you that Discord and Tik Tok (both owned by China) are not safe for military to even have installed on their devices.

    • Even their personal phone? It's not just fitness trackers. These activities are also likely recorded on phones.

      And Strava isn't the only service that does this. Garmin Connect has the same features as well, but it's much less popular and may be going unnoticed.

      • by bungo ( 50628 )

        Depending on the security classification of the area of a base, no phones or any electronic device that has not been cleared are allowed. Phones and devices provided for work are allowed some areas. In the higher security areas, strictly no electronic devices are allowed.

        In public areas (shopping, bowling, cinemas), devices are allowed. For bigger bases with schools on site, and with a lot of non-staff civilians, it would be impossible to control electronic devices anyway.

  • Get used to it.

    In any conflict between profit and privacy there will be no privacy.

  • The soldier will be leaving their phone and smartwatch and Fitbit and so on at home or in some kind of security container, not walking around with them. Basic fucking opsec.

