Strava allowed us to «run» along with military personnel on foreign deployment.

In November, Strava published an updated heatmap showing training activity around the world. Several people and media institutions have revealed military bases around the world using the heatmap.

When we first heard about this, we figured the map might be able to reveal even more sensitive information: What if we could find the identity of the soldiers as well?

We had an idea that some of the features built into Strava might let us brute force that information.

Strava Flyby

Our editor is an avid user of Strava, and told us about a feature called Flyby.

In simple terms, Flyby lets you see other users who had been training in the same area at the same time.

We quickly realized this might be possible to exploit: What if we create fake GPS routes in areas where we know NATO soldiers have been on missions?

Fake running

By using the heatmap, we found active rural sites in Syria, Iraq and Afghanistan where we assumed the local population weren’t active Strava users.

First, we talked about setting up a GPS spoofing device inside of a Faraday cage, and thereby tricking Strava into thinking our device was actually at the relevant spots in Syria, Iraq and Afghanistan. We ditched this plan pretty quickly because the maximum spoofing time our device supported was five minutes, which is a bit too short for reliably being able to find other joggers.

Instead, we took the relevant areas into a GPS editing tool, and created a fake running track corresponding to the heated areas from Strava’s heatmap.

After generating the tracks, we exported them to GPX files. The GPX files were put through a Python script which created hundreds of different versions of the file, varying in date, time and running speed. We also added a bit of randomness in how the track was generated on each iteration.

We made some simple assumptions, like the fact that most people don’t go out jogging mid-day in areas where the temperature easily reaches 40 Celcius. Most of our fake trips occurred during dusk or dawn.

We ended up at just below 1000 fake trips, which we batch uploaded to our Strava account.

After the trips were uploaded, we manually went through each of the routes in Strava Flyby to check for other users in the same area. This was the boring and time consuming part of the process.

But it proved effective:

Within a couple of hours, we were able to map the identity of 18 people from Norway, Denmark, USA, France, Netherland, Italy and England.

This is not a critique of Strava’s security: For it’s actual purpose, Flyby has real value. The problem is human: Understanding the implications of recording and broadcasting location data, when your current situation might make it a matter of life and death.

Read the news story here.