Polar Fitness App is Exposing Military Personnel
A popular fitness app could be exposing military personnel by providing access to exercise habits and locations. Among those exposed are soldiers in Afghanistan or stationed at nuclear weapons sites.
An investigation conducted by Bellingcat has revealed that popular fitness tracking device manufacturer, Polar, exposes the identity and daily activities of its users – which includes military personnel and spies.
The investigation suggests that the Polar Flow fitness website exposes a more concerning amount of highly sensitive and compromising data than other products on the market, stating: “Compared to the similar services of Garmin and Strava, Polar publicises more data per user in a more accessible way, with potentially disastrous results.”
The investigation also suggests that users of Polar’s apps and devices may not have read the fine print of its privacy settings, as the writer in question found over 6,000 individuals spread across 69 countries. Within this broad array of users, more than 200 left a digital footprint in sensitive locations such as nuclear weapons storage sites, embassies and military bases.
“We were able to scrape Polar’s site (another security flaw) for individuals exercising at 200+ of such sensitive sites, and we gathered a list of nearly 6,500 unique users. Together, these users had made over 650,000 exercises, marking the places they work, live, and go on vacation,” the post stated.
Many of us enjoy taking the scenic route on our morning or evening jog; however, for many people that same exercise routine happens in active warzones, military bases or other sensitive areas. Bellingcat’s investigation uncovered a number of interesting locations in which users of Polar Flow were exercising.
One user is believed to be an officer stationed at an airbase hosting thermonuclear weapons, others were military personnel in Afghanistan, and another was at a location that stations drones. In a highly alarming discovery, the account of the last of these individuals contained his name.
Foeke Postma, the writer who conducted the investigation, said that through cross-checking one name and profile picture with social media accounts, the identity of an officer or soldier was revealed.
“Cross-checking one name and profile picture with social media confirmed one soldier or officer’s identity. Polar showed his runs in several military bases spread throughout the Middle East, as well as the start and finish of dozens of exercises from a house in New York state,” Postma wrote.
He added: “In early 2017, as the Polar app freely tells us, he made a trip to the west-side of the US and used a bike there. He also logged exercise from a hotel during a stay in Thailand. All this activity was accompanied with a time-stamp, his exact route, his heart-rate, and the amount of calories he burned.”
Bellingcat’s report highlights that what makes Polar attractive, compared to other similar apps, is the level of detailed analysis it offers. Compared to Strava, Polar presents more comprehensive detail in a more accessible way. It is this, however, that is potentially exposing its users. Hypothetically, an individual could observe the exercise patterns of a user dating all the way back to 2014.
For active military personnel, Postma said, this poses a significant security risk.
“The security implications are obviously grave. In countries where soldiers were banned from wearing their uniforms on the street on the off-chance that they would run into a potential terrorist, addresses and living patterns can now be found easily by anyone with internet access and the wits to use Polar’s site.”
Polar told the publication it had updated its policy in August 2017 and that accounts now have more secure default settings. It also claimed the platform had blocked users from exploring data while it looks to fix potential security risks.
In January 2018, an investigation conducted by Nathan Ruser of the Australian National University revealed similarly dangerous data exposure on Strava. In response, the Pentagon issued a statement advising all military personnel to take steps to ensure their privacy settings were not placing them in harm’s way.
Civilians at Risk
The security risks for civilians are equally concerning, the investigation found. Extensive analysis of an individual’s exercise habits could enable “those with ill intentions” to use Polar to see when, and for how long, a user stays away from their home. This could potentially act as a valuable tool in the hands of a tech-savvy burglar.
Fitness devices and apps are yet another area in which people need to be adequately informed about what they are sharing with the world, a point Bellingcat was keen to make in its investigation, stating: “As always, check your app-permissions, try to anonymise your online presence, and, if you still insist on tracking your activities, start and end sessions in a public space, not at your front door.”
Alternatively, it suggests, people could simply leave their devices at home and jog to their heart’s content without the risk of being digitally exposed.