Over the weekend, media outlets De Correspondent and Bellingcat reported that they were able to uncover the names of more than 6,400 military and intelligence agency personnel in many countries, simply by looking up their publicly visible fitness activities in Polar's Flow app.
To be clear, the reporters didn’t have to breach any networks: they simply accessed the company’s Flow app, which is used by owners of Polar fitness trackers to log their workouts – including the routes they take during their runs and jogs.
They used the app's Explore map to find people working out near sensitive locations such as the White House, the NSA, MI6 in London, and 48 nuclear weapon storage facilities. From there, it was possible to discover the names of some of those users, including some who had chosen to keep their data private.
They were also able to find the start and end points of these workouts and, because people tend to begin and finish a run at home, infer some users' home addresses.
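The two steps described above, as an added illustration that is not part of the original reporting and does not talk to Polar's service or any real API: a geofence over GPS tracks finds users who exercised near a site, and the most frequent start/end grid cell across a user's sessions gives a likely home. Every coordinate, user ID and activity below is constructed, and the 1 km radius, 100 m grid cell and `min_hits` threshold are illustrative choices, not values from the reporting.

```python
"""Geofenced discovery of fitness activities plus start/end-point correlation.

Constructed example: the site, homes, user IDs and tracks are made up, and
nothing here contacts Polar Flow or any other service.
"""
from __future__ import annotations

import math
from collections import Counter
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class Activity:
    user: str
    track: tuple[tuple[float, float], ...]  # ordered (lat, lon) GPS fixes


def haversine_km(a: tuple[float, float], b: tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def users_near_site(activities, site, radius_km):
    """Step 1: which users have any GPS fix inside the geofence around the site?"""
    return {a.user for a in activities if any(haversine_km(p, site) <= radius_km for p in a.track)}


def infer_home(activities, user, cell_deg=0.001):
    """Step 2: the most frequent start/end grid cell across one user's sessions.

    cell_deg=0.001 is roughly a 100 m cell. A single route says little, but
    sessions that repeatedly begin and end in the same cell make it dominate.
    Returns (lat, lon, hits) for the winning cell, or None for an unknown user.
    """
    cells: Counter = Counter()
    for a in activities:
        if a.user != user or not a.track:
            continue
        for p in (a.track[0], a.track[-1]):
            cells[(round(p[0] / cell_deg), round(p[1] / cell_deg))] += 1
    if not cells:
        return None
    (cy, cx), hits = cells.most_common(1)[0]
    return (cy * cell_deg, cx * cell_deg, hits)


def correlate(activities, site, radius_km=1.0, min_hits=3):
    """Full chain: geofence discovery, then a likely home for each discovered user.

    min_hits drops one-off passers-by whose start/end points never repeat.
    """
    out = {}
    for user in sorted(users_near_site(activities, site, radius_km)):
        home = infer_home(activities, user)
        if home is not None and home[2] >= min_hits:
            out[user] = (home[0], home[1])
    return out


# Constructed data (not real locations or people).
SITE = (52.0000, 4.0000)   # hypothetical sensitive site
HOME = (52.0500, 4.0500)   # hypothetical home of "runner-a", about 5.5 km from SITE

ACTIVITIES = [
    # runner-a: three sessions, each starting and ending within metres of HOME
    # and passing through the site's geofence
    Activity("runner-a", (HOME, (52.0010, 4.0005), (52.0501, 4.0499))),
    Activity("runner-a", ((52.0499, 4.0501), (51.9995, 3.9990), HOME)),
    Activity("runner-a", (HOME, (52.0003, 4.0012), HOME)),
    # runner-b: passes the site once, starts and ends in different places
    Activity("runner-b", ((52.1000, 4.1000), (52.0008, 4.0000), (52.2000, 4.2000))),
    # runner-c: never comes near the site
    Activity("runner-c", ((53.0000, 5.0000), (53.0100, 5.0100), (53.0000, 5.0000))),
]

if __name__ == "__main__":
    print("users seen inside geofence:", sorted(users_near_site(ACTIVITIES, SITE, 1.0)))
    print("likely homes of repeat visitors:", correlate(ACTIVITIES, SITE))
```

The discovery step finds both runner-a and runner-b, but only runner-a's endpoints repeat often enough to yield a home cell; that is exactly why a public archive of every session since 2014 is so much more dangerous than a single leaked route.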
While Polar is hardly the only company to display users’ workout data and profiles (Strava, Runkeeper and Endomondo do this as well), its map was the only one that let the reporters see every fitness routine recorded all the way back to 2014.
The activity map was taken offline last Friday; De Correspondent says it informed the Dutch Ministry of Defense about the issue two weeks ago, and foreign ministries and intelligence agencies have been alerted as well.
In a similar incident in January, Strava released a global heat map of its users' activity to show off its user base; aggregated though it was, the map made it possible to trace how people move around sensitive locations such as foreign military bases. It's odd that Polar didn't learn from Strava's mistake.
This will likely lead to stricter rules at such facilities about which fitness trackers personnel may use and how they may share data. For tech companies, it underlines the need to think through the privacy consequences of collecting location data and publishing it to a community: a public-by-default map, a history that reaches back years, and the short step from a workout's start point to a home address each widen the exposure.