Strava was used to locate the most powerful people

(theguardian.com)

92 points | by kawera a day ago

81 comments

  • abetusk a day ago

    Strava is a fitness app. So, apparently, the security detachment of political figures tends to use the app, presumably because they're into fitness and keep in shape, and their location can be tracked through the app.

    As the security detachment tend to travel with the people they protect, political leaders locations can be inferred.

    The article talks about body guards not being allowed to use social media/apps while on the job, they allow for provisions on use when not on active duty. So, I guess, the guards get a day off, use the app, wherever they are, broadcasting their location.

    Crazy stuff.

    • kkielhofner a day ago

      Shouldn't be much of a surprise, this made news back in 2018 when the same was realized with soldiers and secret military bases:

      https://www.theguardian.com/world/2018/jan/28/fitness-tracki...

    • loeg 7 hours ago

      More specifically, it's a social network for sharing workout data. Sharing data is like, first and foremost what it's about. It has the same privacy controls you'd expect of social networks (public/friends/private both globally and per post/activity) as well as some that are special to a location-sharing app (hidden addresses).

      This was either a gap in social media policy set for the guards, or a violation of that policy on the part of the guards.

    • netsharc a day ago

      Yeah, the targeting isn't that difficult, I guess. If you know crown prince Akeem Joffer was in New York 5 days ago, and is in Paris 3 days ago, you can probably diligently query Strava users who weren't in New York for a long time but showed up 5 days ago, and see if they showed up in Paris 3 days ago, and boom, you've found a member of his entourage.

      Even if they use the anonymizing feature that masks their start/end points, if you find a few other members, you might be able to triangulate a big hotel near them and guess that that's where the crown prince stayed... and the next time you hear he's coming to NY/Paris, you have this information.
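The itinerary-correlation idea in the comment above, written out as an added example (not code from the thread, the article, or Strava): it takes a VIP's publicly known stops and scores users whose activities appear at each stop during the visit but who had no activity there in the preceding weeks, which separates travelling entourage from locals. The activity records, the itinerary, the 40 km city radius and the 30-day lookback are all constructed assumptions for the demonstration.

```python
import math
from collections import defaultdict

# Constructed sample data, not real Strava records: (user, day, lat, lon) of public activities.
ACTIVITIES = [
    ("runner_a", 1, 40.71, -74.01), ("runner_a", 3, 40.72, -74.00), ("runner_a", 10, 40.70, -74.02),
    ("guard_1", 2, 38.90, -77.04), ("guard_1", 10, 40.76, -73.98), ("guard_1", 14, 48.86, 2.35),
    ("guard_2", 4, 38.89, -77.02), ("guard_2", 11, 40.75, -73.99), ("guard_2", 15, 48.85, 2.34),
    ("tourist", 11, 40.78, -73.97), ("tourist", 20, 51.50, -0.12),
    ("parisian", 10, 48.87, 2.33), ("parisian", 14, 48.86, 2.36),
]

# Assumed public itinerary of the protected person: (city, centre lat, lon, first day, last day).
ITINERARY = [("New York", 40.71, -74.01, 10, 11), ("Paris", 48.86, 2.35, 14, 15)]

CITY_RADIUS_KM = 40.0   # assumption: anything within 40 km counts as "in the city"
LOOKBACK_DAYS = 30      # assumption: a user active there in the prior 30 days is a local


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def was_present(acts, lat, lon, first_day, last_day):
    """True if any activity in the day window lies within CITY_RADIUS_KM of the city centre."""
    return any(
        first_day <= day <= last_day
        and haversine_km(lat, lon, alat, alon) <= CITY_RADIUS_KM
        for day, alat, alon in acts
    )


def entourage_candidates(activities, itinerary):
    """Rank users by how many itinerary stops they matched as non-local visitors."""
    by_user = defaultdict(list)
    for user, day, lat, lon in activities:
        by_user[user].append((day, lat, lon))

    scores = {}
    for user, acts in by_user.items():
        matched = 0
        for _city, lat, lon, first_day, last_day in itinerary:
            # Must have been there during the visit ...
            if not was_present(acts, lat, lon, first_day, last_day):
                continue
            # ... and must NOT have been there in the lookback window (filters out locals).
            if was_present(acts, lat, lon, first_day - LOOKBACK_DAYS, first_day - 1):
                continue
            matched += 1
        if matched:
            scores[user] = matched
    # Highest match count first, ties broken by name for a stable, testable order.
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for user, hits in entourage_candidates(ACTIVITIES, ITINERARY):
        print(f"{user}: matched {hits} of {len(ITINERARY)} stops")
```

With the constructed data, the two "guard" accounts match both stops, the tourist matches only New York, and the New York and Paris locals are filtered out by the lookback rule. The defence implied by the rest of the thread is simply not having those activities public in the first place; the query needs nothing beyond what a public profile exposes.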

  • mandevil a day ago

    Cell phone tracking is better at surveillance than the best stuff the military has.

    https://www.washingtonpost.com/national-security/2024/02/22/... has a fun story about a time at Fort Irwin (US Army laser tag in the desert) one side couldn't figure out how an attack helicopter got through their defenses, until they did some queries on a commercial cell phone tracking database and found the cellphone moving across the desert at 120mph. Hole identified, plugged for the next round.

    And also talks about how the Ukrainians and Russians are having a great deal of trouble with cell phone OPSEC even after years of shooting war.

    • thebruce87m 3 hours ago

      For anyone else struggling to understand this initially, they were able to tell the flight path of the attack helicopter as it evaded detection by looking at the historic path of a phone of a person that was on the helicopter.

      It wasn’t a helicopter spoofing itself as a phone or something crazy like that.

    • jklinger410 a day ago

      Cell phone tracking _is_ what the military has.

      Seeing through walls with WiFi is better. Or slurping up the main pipes and decrypting it. Which they also have.

    • wildzzz a day ago

      An old coworker used to work on what is basically a Stingray for air platforms with some sort of directional finding capability. Presumably, you'd strap it to a drone and fly it over villages where you suspect bad guys are. Do this every few days and in multiple locations and you'd establish patterns of movements and links between networks of people.

      • giraffe_lady a day ago

        Or where journalists or doctors are. The technology is neutral, after all.

        • computerthings a day ago

          All too often "bad guys" are just a fig leaf for the absolute worst guys.

          “Now the police dreams that one look at the gigantic map on the office wall should suffice at any given moment to establish who is related to whom and in what degree of intimacy; and, theoretically, this dream is not unrealizable although its technical execution is bound to be somewhat difficult. If this map really did exist, not even memory would stand in the way of the totalitarian claim to domination; such a map might make it possible to obliterate people without any traces, as if they had never existed at all.”

          - Hannah Arendt

    • taeric a day ago

      Probably not better than the best stuff the military has... Still really good, mind.

      And, yeah, unintended uses are usually prime locations for security breaches. For a long time (maybe still?) metadata on pictures that people post would reveal far more than people meant. Thumbnails of cropped pictures, even.

      • FactKnower69 a day ago

        >Probably not better than the best stuff the military has...

        Military tech is always a decade ahead of civilian, that's why the US has easily won every armed conflict they've entered into in the past 50 years

        • JohnMakin a day ago

          I know for a fact that swaths of critical military infrastructure sit in AWS, so I personally doubt this is true.

        • chatmasta a day ago

          I’m not sure this has been true since the advent of the internet. I don’t believe there’s an entire shadow sphere of academia that is decades ahead of what’s openly published.

          For nuclear energy, this might be true. But for nearly any other topic I’m very skeptical.

        • talldayo 3 hours ago

          People don't like hearing this, but military tech and civilian tech move more-or-less in lockstep. We see this in Ukraine, where both sides are using Consumer-off-the-shelf drones for violent means with minimal modification. You could argue that Ukraine's defense is an even more novel form of warfare than what the United States is comfortable dealing with.

          When two armies fight each other, what determines who gets power-gapped is the way each military operationalizes new technology. The United States defense sector does an excellent job of staying on top of new advancements, but when you examine the Cold War and WWII, most of America's tech is civilian-grade but implemented with world-class logistics and command/control.

        • paganel a day ago

          > has easily won every armed conflict they've entered into in the past 50 years

          That's just false. Ok, maybe you don't count Vietnam, because the US "entered" there in the '60s, but Afghanistan was a sure loss and I'd say the same for Iraq (seeing how it's now in Iran's sphere of influence, which it wasn't under Saddam). Yes, they might have won some tactical battles, most probably all of them, come to think of it, but the wars themselves were lost.

          • a day ago
            [deleted]
          • magicalhippo a day ago

            > That's just false.

            Read like sarcasm to me.

            • paganel 17 hours ago

              I think you’re right, sorry for having missed it in that case.

        • beAbU a day ago

          Have they though?

  • cj a day ago

    Related:

    Strava heatmap can be used to locate military bases - https://news.ycombinator.com/item?id=16249955 - Jan 2018 (271 comments)

    Turns out soldiers enjoy tracking their runs around the base!

  • OgsyedIE a day ago

    The simplest solution to this is bureaucratic. Establish an app approval cybersecurity office within some agency and have the office make two lists: apps that have specific security configurations that need to be enabled and apps that are outright banned.

    Then you just make compliance with the lists necessary for certain security clearances.

    • Muromec a day ago

      Nononon, you make one list:

      - apps that are allowed to be installed, pinned by version with a person responsible for monitoring them

  • r00fus a day ago

    This is why I only use Strava to share with my followers.

    Yes, it's an extra step after my workout to edit, add pics if any, choose my activity level if I was too lazy to put on my HR monitor, and then only post to my followers.

    Yes, this means I get less likes and can't participate in challenges etc. But it's really about sharing with my colleagues and friends so they can motivate me for my next ride.

    • marcellus23 a day ago

      You can set your activities to be private by default, you don't need to change it for every activity individually after you upload it.

      • r00fus a day ago

        Yes, mine are. I explicitly share some activities.

    • soco a day ago

      It's not clear to me whether the location was made using the public, as in shared, information, or information set as private. So did they masquerade as followers, or hacked the system?

    • zardo a day ago

      > This is why I only use Strava to share with my followers.

      You travel with one of the most powerful people in the world?

    • loeg a day ago

      You're a bodyguard for a head of state? Probably no one cares about your location.

      • r00fus 7 hours ago

        This kind of attitude is why we get such bad IoT security.

        Everyone deserves privacy - just like with Facebook, a bad actor watching your profile could infer your movements on Strava (or lack thereof) and use that to break into your home or steal your ride.

        • loeg 7 hours ago

          You claimed that "this" is why you choose a private mode on Strava. But this attack is irrelevant to you. I totally believe you want privacy -- and that's fine -- and Strava provides you a mode that suits your desires.

          I'm taking issue with your statement that locating powerful people is somehow a threat model that is relevant to you. It isn't.

          > a bad actor watching your profile could infer your movements on Strava (or lack thereof) and use that to break into your home or steal your ride.

          Everyone using Strava who thinks this is relevant to their threat model is free to use the hidden address privacy feature, or the myriad other privacy features.

          At the end of the day, Strava is an app for sharing your data. You have a lot of options for how much you want to share or limit that sharing. If you don't want to share anything ever, it probably isn't for you.

    • tonymet a day ago

      I wouldn’t trust their security restrictions. Their API and authentication is primitive. For a while I ran a basic bot to automate data extraction. Their security is 20+ years behind other social networks .

      You likely have bot followers and API calls that can read your latest activity GPX data

      • loeg a day ago

        Facebook is barely 20 years old. No active social network is "20+ years" ahead of any other, because it's longer than their entire history.

        • itishappy 21 hours ago

          IRC: 36 years old

          Usenet: 44 years old

          • loeg 7 hours ago

            US: 248 years old

            What use irrelevant factoids.

            • itishappy 6 hours ago

              Is the US a social network?

        • tonymet a day ago

          What takes one person a year takes another person 5

  • TrevorJ a day ago

    Not sure if the format for this article is standard these days, but oh man do I hate it.

    • davidsawyer a day ago

      Reads like a remix of how Axios articles are.

  • netsharc a day ago

    In video form (the Guardian article talks about a Le Monde investigation):

    - Pt 1: https://www.youtube.com/watch?v=4eQKnV0zsMc

    - Pt 2: https://www.youtube.com/watch?v=KX7f1PwXEWg

    • homarp a day ago
      • netsharc a day ago

        Zelensky has suddenly perked up...

        The 2nd video focuses on the US Secret Service, finding 26 profiles of Biden's protection (and 100+ users who were geolocated inside the S.S. training facility). During the credits of that video, a journalist says, "Despite our warning about this issue to the US authorities, 14 of the 26 profiles are still public."

  • slibhb a day ago

    Was there a breach with Strava or did people simply choose to publish their location publicly?

  • mikeryan a day ago

    Along these lines some cyclists have had their gear stolen by thieves who figured out where they live from Strava data.

    They have a feature to block part of your route when near your home but some folks aren’t aware of it (or learn the hard way)

    • xarope 21 hours ago

      Isn't it only a few 100 yards worth? So thieves can still camp out in a 1 square mile area to find that nice carbon fiber bike at 5am in the morning?

      • loeg 7 hours ago

        You can select a radius of 1/8 to 1 mile.

    • mariusor 16 hours ago

      Frankly the blocking is a radius around the start and stop points. If they are both at your doorstep, all your rides will extrapolate to points on a circle with a center very easy to determine. The feature as it is, is snake oil for someone determined enough. I started to start and stop my rides some distance out, just to add some variation.

      • loeg 7 hours ago

        The hidden address feature picks a random centroid near your hidden address, not exactly on it. Averaging out the circle finds that random centroid, not your hidden address.

    • nickff a day ago

      That feature is fairly recent, and I believe it is now enabled by default.

      • hondo77 a day ago

        If by "is fairly recent" you mean "has been around for over six years", yes.

  • aynyc a day ago

    Strava deserves all the blame it gets, but don't you need some serious skills to find out who the agents guarding Biden/Harris/Trump are? I mean, if you can literally track down the names of Secret Service agents guarding VIPs, then you can probably easily track them with other means (phone for example), no?

    Speaking out of most likely ignorance of the Secret Service, I was in the US Marines. I dealt with marine snipers a few times during training exercises, where we mainly served as security protection. I've seen them train, shoot and handle combat scenarios. If any of those marine snipers wanted to take a shot at a VIP, I can't imagine the Secret Service would be able to do anything to stop it. Some of the snipers are putting rounds into a postage stamp at 1,000 yards / 900 meters.

    • loeg a day ago

      > Strava deserves all the blame it gets

      Not sure why Strava deserves any blame here. It's explicitly a social network for sharing your location and other training data. If you use it and share your location, that's it functioning exactly as designed.

      • MR_Bulldops a day ago

        Strava has (rightfully) received no blame, so they were accidentally right!

        • loeg a day ago

          It's pretty clear that at least some users in this thread blame Strava for some things.

  • sam_lowry_ a day ago

    The problem with Strava is how invasive their location sharing is.

    One has to actively search to disable it. And the integrations with Garmin Connect and the others are even worse.

    • notatoad a day ago

      it's not "invasive", it's a location sharing app.

      if you don't want to share your location, you probably should not use location-sharing apps.

      • RobRivera a day ago

        A fitness app that features location-sharing features.

        When I think of location sharing apps, I think of Garmin inReach for search and rescue.

  • wslh 21 hours ago

    Other sources: Haaretz Investigation: Intelligence Operation Collected Information on Sensitive Israeli Bases, Soldiers <https://www.haaretz.com/israel-news/security-aviation/2024-1...> <https://archive.is/2024.10.29-113518/https://www.haaretz.com...>

  • TheRealPomax a day ago

    I guess strava users didn't learn from the first time.

  • tonymet a day ago

    Strava has suffered from this and had known attacks for 10+ years now. There was a famous case around Colorado of a mistaken doxxing attack driven by Reddit. Due to mistaken identity, attackers pursued an innocent victim using their Strava account. The Strava location was the cause of both the mistaken identity case and abused to find and dox the victim.

    Strava’s anonymization algorithm (the bubble feature) is primitive and trivially de-anonymized with basic triangulation.

    The company has never adequately responded to privacy concerns despite many abuse cases.

    • loeg a day ago

      > Strava’s anonymization algorithm (the bubble feature) is primitive and trivially de-anonymized with basic triangulation.

      That is not true. It picks a single random centroid near your privacy location and does the privacy feature based on that. Triangulation finds the random centroid, which is crucially not your hidden location.

      • mariusor 16 hours ago

        That's something I didn't know, but even like that, it narrows down the area.

        • loeg 7 hours ago

          Sure, but it's pretty obvious that exposing most of your activity except for the start and end location will do that. Strava allows you to choose the hidden radius from a range of values between 1/8 mile and a full mile. That's a pretty wide area. (And you can always make specific activities or your entire account private.)

          Anyway, I think true claims make for much more interesting criticism than false claims.
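The exchange above (and the earlier mariusor/loeg replies under mikeryan's comment) argues about what averaging the visible start/end points of a hidden-address zone actually recovers. The following is an added example, not code from the thread or from Strava, that models the geometry as loeg describes it: the zone is a circle of fixed radius around a centroid offset from the home, rides that start at the door become visible only where they cross the circle, and a least-squares circle fit over those visible endpoints is run to see what an observer gets back. The home position, the centroid offset, the quarter-mile radius and the straight-line ride model are all constructed assumptions; whether the real service behaves this way is exactly what the thread disputes.

```python
import math
import random

# Local flat coordinates in metres (constructed geometry, not real map data).
HOME = (0.0, 0.0)
# Assumption following loeg's description: the zone is centred on a random point
# near the home rather than on the home itself. The offset value is made up.
CENTROID = (140.0, -95.0)
RADIUS_M = 400.0  # about a quarter mile, inside the 1/8 to 1 mile range mentioned


def exit_point(start, heading_rad, centre, radius):
    """Point where a straight ride from `start` on `heading_rad` first leaves the circle."""
    dx, dy = math.cos(heading_rad), math.sin(heading_rad)
    ox, oy = start[0] - centre[0], start[1] - centre[1]
    # |o + t*d|^2 = r^2 with |d| = 1  ->  t^2 + 2t(o.d) + |o|^2 - r^2 = 0
    b = ox * dx + oy * dy
    c = ox * ox + oy * oy - radius * radius
    disc = b * b - c
    if disc < 0 or c > 0:
        raise ValueError("start must lie inside the circle")
    t = -b + math.sqrt(disc)  # the positive root is the exit in the direction of travel
    return (start[0] + t * dx, start[1] + t * dy)


def visible_start_points(n_rides, seed=1):
    """What an observer sees: the first visible GPS point of each ride from home."""
    rng = random.Random(seed)
    return [exit_point(HOME, rng.uniform(0.0, 2 * math.pi), CENTROID, RADIUS_M)
            for _ in range(n_rides)]


def _det3(m):
    return (m[0][0] * (m[1][1] * m[2][2] - m[1][2] * m[2][1])
            - m[0][1] * (m[1][0] * m[2][2] - m[1][2] * m[2][0])
            + m[0][2] * (m[1][0] * m[2][1] - m[1][1] * m[2][0]))


def _solve3(a, b):
    """Cramer's rule for a 3x3 system; enough for the three-parameter circle fit."""
    d = _det3(a)
    if abs(d) < 1e-9:
        raise ValueError("degenerate fit: need at least three non-collinear points")
    out = []
    for col in range(3):
        m = [row[:] for row in a]
        for r in range(3):
            m[r][col] = b[r]
        out.append(_det3(m) / d)
    return out


def fit_circle(points):
    """Algebraic least-squares circle fit: x^2 + y^2 + D x + E y + F = 0."""
    sxx = sxy = syy = sx = sy = sxz = syz = sz = 0.0
    for x, y in points:
        z = -(x * x + y * y)
        sxx += x * x; sxy += x * y; syy += y * y; sx += x; sy += y
        sxz += x * z; syz += y * z; sz += z
    n = float(len(points))
    d, e, f = _solve3([[sxx, sxy, sx], [sxy, syy, sy], [sx, sy, n]], [sxz, syz, sz])
    cx, cy = -d / 2, -e / 2
    return (cx, cy), math.sqrt(cx * cx + cy * cy - f)


def recover_zone(points):
    """Fit the circle and report how close the result is to the centroid and to the home."""
    centre, radius = fit_circle(points)
    return {
        "centre": centre,
        "radius": radius,
        "centroid_error_m": math.hypot(centre[0] - CENTROID[0], centre[1] - CENTROID[1]),
        "home_offset_m": math.hypot(centre[0] - HOME[0], centre[1] - HOME[1]),
    }


if __name__ == "__main__":
    result = recover_zone(visible_start_points(40))
    print(f"fitted centre {result['centre']}, radius {result['radius']:.1f} m")
    print(f"error vs centroid {result['centroid_error_m']:.3f} m, "
          f"distance from home {result['home_offset_m']:.1f} m")
```

Under these assumptions both posters are right about different things: the fit recovers the centroid and the radius essentially exactly, so the home is not pinned down, but the home is guaranteed to lie inside the recovered circle, so the search area shrinks to that disc. Starting rides from varying points away from the door, as mariusor describes, breaks the common-centre assumption that makes the fit work.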

    • paganel a day ago

      People should just stop using Strava, or at least stop making their Strava data public to the world (not sure if that's an option cause I've never used that app). They should just run/cycle, whatever, forget about gps.

      • loeg a day ago

        > not sure if that's an option cause I've never used that app

        You can make your account private, or individual activities private (including by default).

      • tonymet 7 hours ago

        Strava doesn’t even know who has access. They seem to be doing little to no auditing of security access.

  • tedunangst a day ago

    Was the Biden Xi meeting supposed to be a secret? I think it's generally not difficult to locate the president.

  • blackeyeblitzar a day ago

    What’s the point of Strava? Can’t people easily cheat on the results to outcompete others? Like what happens if I use an e-bike to beat the best times?

    • jerlam a day ago

      There is no reward for getting the best time. Also, the people that you beat are extremely motivated to investigate and flag your activity; it will look pretty obvious that it was ridden on an e-bike due to incorrect / missing data like heart rate and wattage.

      I have the record on a short inconsequential running course near me. I occasionally get a notification that someone beat my record and I am forced to look at it; it is always someone on a bike or car, and I flag it and it eventually goes away. Also, my own record activity has been flagged multiple times despite it only being slightly faster than the second place finisher - I no longer bother trying to contest it. The joke is on the flagger since I have run the exact same record time, several times, so I still have the course record.

      • bigiain a day ago

        Not everyone is as chill about that as you.

        https://www.forbes.com/sites/kashmirhill/2012/06/20/a-quanti...

        • recursive a day ago

          It's even possible to do dumb stuff in pursuit of a personal best without using an app at all.

          But it should be noted that the Strava user in question doesn't seem to have been cheating. For some reason, they were trying to set a legitimate score in an ill-advised way. There's no evidence here that cheating in Strava is a problem.

          Is Strava promoting unsafe riding? Maybe. I don't really think so. But it's not connected to the cheating question.

    • mikeryan a day ago

      The vast majority of Strava users are only competing with themselves or, at best, to be atop a daily leaderboard for a somewhat popular segment.

    • r00fus a day ago

      Strava is a social app with a gamification angle. I use the social to share my rides (only) with people who follow me and to view people I follow to get inspired.

      I also use the gamification to compete - but really only against myself.

    • Beretta_Vexee a day ago

      The cycling leaderboards around where I live are full of professional cyclists capable of overtaking an e-bike while remaining in zone 2. People don't use Strava in the hope of getting a good place on the board but to compare themselves with their friends, club members and the pros. To follow their own development and that of their friends, to discover new paths, new events, and so on.

      Above all, it's a social network based around sport. No baby photos, no politics, just people happily practising their sport - it's the anti-Tweeter and it's great.

    • recursive a day ago

      It's fun. Don't take the leaderboards too seriously. The kind of people that would care about high placement at any cost tend not to be the kind of people who care about strava. (mostly)

      People that can legitimately get a KOM on a segment tend to be known in a local community. If someone new shows up at #1, it's pretty obvious looking at their workout whether it's legit or not to someone familiar with the sport.

      What's the point of wikipedia? Can't people just easily publish fake information? Like what happens if I make an article about myself?

      It's pretty much a solved problem.

      • Rastonbury a day ago

        I once jogged to my car and drove somewhere close forgetting to turn Strava off getting all the PBs and split records

  • kjrfghslkdjfl a day ago

    FitoTrack.

    That's all I have to say about this.

    • harry8 a day ago

      I also endorse FitoTrack on droid as a user.

      Along with Out-Run on iphone.

      Both work well and are pleasant to use. Record your exercise for yourself with no cloud.