There is no Training - Strava's Heatmap Incident and Aftermath Paints a Bleak Picture


In 2015, investigative journalist Simon Ostrovsky of Vice News coined a term that deserves wider use: selfie soldiers. He confirmed Russian military activity in Ukraine at a time when Moscow denied that its forces were operating there at all.

Starting from the public social media profiles of a single soldier and cross-checking his photos against satellite imagery, Ostrovsky pieced together a vivid picture of Russian troop movements in eastern Ukraine.

In November 2017, Strava, a fitness social network that provides GPS tracking and visualizes publicly shared activities, published a global heatmap built from its users' runs and rides. In January 2018 analysts noticed that the "heat" in otherwise empty regions traced the outlines and patrol routes of sensitive military sites in Afghanistan, Crimea and other locations where the US military had interests. Soldiers had revealed them simply by jogging with a fitness tracker and leaving activity sharing switched on.

Strava told Infosecurity that soon afterwards it made improvements to the heatmap: it increased the refresh frequency and began to show "heat" only in locations with a certain minimum level of activity.
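The minimum-activity threshold is worth seeing in code, because it shows both why it helps and where it stops helping. The following is an added illustration, not Strava's code; the cell size, the threshold values and the sample tracks are all constructed for the example. It bins GPS tracks into grid cells, counts how many distinct activities touch each cell, and publishes only cells above a threshold. A lone runner in open country disappears once the threshold is raised, but a compound whose six residents all run the same perimeter road still renders, which is roughly what happened with the real heatmap.

```python
import math
from collections import Counter

CELL_DEG = 0.001  # grid cell size in degrees, roughly 100 m; an assumed value


def cell_of(point):
    """Map a (lat, lon) point to its grid cell."""
    lat, lon = point
    return (math.floor(lat / CELL_DEG), math.floor(lon / CELL_DEG))


def build_heatmap(tracks, min_activities=1):
    """Count how many distinct activities touch each cell and keep only cells
    that reach min_activities. One activity counts at most once per cell, so a
    single user cannot 'warm' a cell by looping through it repeatedly."""
    counts = Counter()
    for track in tracks:
        for cell in {cell_of(p) for p in track}:
            counts[cell] += 1
    return {cell: n for cell, n in counts.items() if n >= min_activities}


def straight_track(start, heading_deg, length_m, step_m=50):
    """Constructed activity: GPS points along a straight line (flat-earth approximation)."""
    lat0, lon0 = start
    dlat = math.cos(math.radians(heading_deg)) * step_m / 111_000
    dlon = math.sin(math.radians(heading_deg)) * step_m / (111_000 * math.cos(math.radians(lat0)))
    n = int(length_m // step_m)
    return [(lat0 + i * dlat, lon0 + i * dlon) for i in range(n + 1)]


def revealed_cells(heatmap, track):
    """Cells of one track that survive into the published heatmap."""
    return {cell_of(p) for p in track} & set(heatmap)


# Constructed dataset: 25 runs down the same city street, 6 runs along one
# remote compound's perimeter road, and 1 lone run in open country.
CITY_RUNS = [straight_track((48.8600, 2.3400), 90, 2000) for _ in range(25)]
COMPOUND_RUNS = [straight_track((33.0000, 44.0000), 0, 1000) for _ in range(6)]
LONE_RUN = straight_track((35.5000, 64.5000), 45, 3000)
ALL_TRACKS = CITY_RUNS + COMPOUND_RUNS + [LONE_RUN]


def exposure(min_activities):
    """How many cells of each track type the published heatmap reveals."""
    heatmap = build_heatmap(ALL_TRACKS, min_activities)
    return {
        "city": len(revealed_cells(heatmap, CITY_RUNS[0])),
        "compound": len(revealed_cells(heatmap, COMPOUND_RUNS[0])),
        "lone": len(revealed_cells(heatmap, LONE_RUN)),
    }


if __name__ == "__main__":
    for threshold in (1, 3, 10):
        print(f"min_activities={threshold}: {exposure(threshold)}")
```

Raising the threshold to 3 removes the lone runner's route, but the compound's six identical runs still pass; only a threshold above the number of residents who run that road would suppress it, and that would also blank out every quiet town. Thresholding reduces exposure of individuals; it does not hide a place that many people share.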

However, a Department of Defense internal memo, obtained by the Associated Press more than six months after the heatmap's publication, provided only the bare minimum of guidance for military personnel.

“These geolocation capabilities can expose personal information, locations, routines, and numbers of DoD personnel, and potentially create unintended security consequences and increased risk to the joint force and mission,” the memo explained, without going on to provide actionable advice or substantive security education.

All of this raises another question: why worry about state-sponsored hackers when the most reliable advanced persistent threat (APT) is a selfie soldier?

Clearly, the only answer to leaks of this type is prevention through training and education. It is simply unacceptable that soldiers are unaware of how location-based services such as dating apps or fitness trackers can reveal highly sensitive information.

Back in 2016, a team of security researchers described an attack they called “colluding trilateration”: an opaque term for a simple and alarming finding. If a location-based dating app tells each user how far away another user is, an attacker who controls a few accounts can report fake positions for each of them, collect the distances the app returns for the same target, and intersect the resulting circles to pinpoint that person, with no sophisticated hacking required.

“Among personally identifiable information, location is considered as one of the most essential factors since the leak of location information can consequently lead to disclosure of other sensitive private information such as occupations, hobbies, daily routines, and social relationships,” noted the aptly named 2016 study “Your Neighbors Are My Spies”, which examined the security risks posed by dating apps.
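The colluding-trilateration attack described above, as an added worked example that is not the paper's code: three attacker-controlled accounts at chosen positions each query the app for the distance to the same target, and the attacker solves the three circle equations for the target's position. Coordinates are metres in a local flat approximation, the app server is simulated by `app_distance`, and the distance rounding is an assumed mitigation (some apps report coarse distances) included to show that rounding alone does not defeat the attack.

```python
import math


def app_distance(target, querier, round_to=None):
    """Simulated server response: straight-line distance from the querying account
    to the target, optionally rounded to a coarse grid (assumed mitigation)."""
    d = math.dist(target, querier)
    if round_to:
        d = round(d / round_to) * round_to
    return d


def trilaterate(anchors, distances):
    """Solve for (x, y) from three anchors (x_i, y_i) and distances d_i.

    Subtracting the first circle equation from the other two removes the
    quadratic terms and leaves a 2x2 linear system A [x, y]^T = b."""
    (x1, y1), (x2, y2), (x3, y3) = anchors
    d1, d2, d3 = distances
    a11, a12 = 2 * (x2 - x1), 2 * (y2 - y1)
    a21, a22 = 2 * (x3 - x1), 2 * (y3 - y1)
    b1 = d1 ** 2 - d2 ** 2 - x1 ** 2 + x2 ** 2 - y1 ** 2 + y2 ** 2
    b2 = d1 ** 2 - d3 ** 2 - x1 ** 2 + x3 ** 2 - y1 ** 2 + y3 ** 2
    det = a11 * a22 - a12 * a21
    if abs(det) < 1e-9:
        # Collinear colluders give two mirror-image solutions; pick a triangle.
        raise ValueError("colluder positions are collinear; choose non-collinear points")
    x = (b1 * a22 - a12 * b2) / det
    y = (a11 * b2 - a21 * b1) / det
    return x, y


def locate_target(target, colluders, round_to=None):
    """Run the attack end to end: query from each colluder, then trilaterate.
    Returns the estimated position and its error in metres."""
    distances = [app_distance(target, c, round_to) for c in colluders]
    estimate = trilaterate(colluders, distances)
    return estimate, math.dist(estimate, target)


if __name__ == "__main__":
    # Constructed scenario: target 350 m east and 120 m north of the first colluder.
    target = (350.0, 120.0)
    colluders = [(0.0, 0.0), (1000.0, 0.0), (0.0, 1000.0)]
    est, err = locate_target(target, colluders)
    print(f"exact distances: estimate={est}, error={err:.1f} m")
    est, err = locate_target(target, colluders, round_to=100)
    print(f"distances rounded to 100 m: estimate={est}, error={err:.1f} m")
```

With exact distances the estimate is the target itself. With distances rounded to the nearest 100 m the estimate is still within about 57 m, and an attacker who can move the colluders and repeat the query narrows that further, which is why the paper treats distance disclosure, not just precise distance disclosure, as the problem.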

With that warning already two years old, the Department of Defense memo offered too little, far too late.

On the technical front, the government has barely started to invest in essential, proactive security tooling to prevent ransomware attacks or data exfiltration. On the human front, selfie soldiers remain painfully unaware of how their own lax privacy habits can harm both themselves and their country.

What is particularly concerning is that the web offers a myriad of free cybersecurity courses that can be delivered online, so the lack of training for “selfie soldiers” cannot simply be explained by budgetary restrictions.

Perhaps it’s time for the government to decide to tackle that element proactively by investing in cybersecurity education.
