Heat maps created by healthcare apps could pose security hazard suggests e-Scan

10th February 2018
That wearable can track more than your health. It can track your movements

Can using fitness trackers pose a security risk? We bring you this assessment from Net Security specialists e-Scan:
February 10 2018: Fitness apps are the latest fad in this tech-crazy world. The fitness tracking industry has grown manifold, with apps and fitness tracking devices being offered at throwaway prices. There are more than 25 fitness tracking apps, each providing its users with valuable analytics and statistics; to name a few, Sports Tracker, Strava, Joy Run and Map My Ride are highly popular with a huge customer base. Furthermore, fitness device manufacturers are plentiful (Fitbit, Amazfit, Garmin, Microsoft Band etc.), and the apps mentioned provide connectivity with these devices, allowing users to upload their tracking data and take advantage of the various services on offer.
Strava is one such app, freely available for download, and can connect to most fitness tracking devices such as Fitbit, Amazfit etc. Very recently, in order to up the ante, Strava released a heat map comprising almost a billion activities with over 13 trillion GPS points.
The engineers at Strava went to great lengths to anonymize the heat map: they excluded points such as driving route points (identified by velocity), stationary points, GPS corrections etc. Furthermore, private areas designated by users in their profiles were excluded, as were the profiles of users who had opted to keep their data private.
Private areas are also known as geo-fencing: the user selects a geographical area, and the application processes the data points within that area as per its designated functionality and keeps them private. However, it is to be noted that the data points are nevertheless stored on the server to provide the various services offered by the fitness tracker.
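The exclusions described above (velocity-based removal of driving points, stationary points and user-designated private areas) written out as a small filter over a GPS track. This is an added illustration, not Strava's or eScan's code; the speed and movement thresholds, the privacy zone and the sample track are constructed assumptions.

```python
# Added example (not Strava's or eScan's code): apply the exclusions the article
# lists to a GPS track before it is aggregated into a public heat map: privacy
# zones (geo-fence), stationary points and vehicle-speed segments.
# Thresholds, the zone and the sample track below are constructed assumptions.
import math
from collections import namedtuple

EARTH_RADIUS_M = 6_371_000.0
Point = namedtuple("Point", "lat lon t")  # degrees, degrees, seconds since start

def haversine_m(a: Point, b: Point) -> float:
    """Great-circle distance in metres between two points."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dphi, dlmb = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def in_privacy_zone(p: Point, zones) -> bool:
    """zones: iterable of (centre Point, radius_m); True if p lies inside any."""
    return any(haversine_m(p, centre) <= radius for centre, radius in zones)

def filter_track(track, zones, max_speed_mps=8.0, min_move_m=2.0):
    """Keep only points safe to publish: drop points inside a privacy zone,
    points that moved < min_move_m since the reference point (stationary),
    and points reached faster than max_speed_mps (driving, not a run/ride)."""
    kept, prev = [], None
    for p in track:
        if in_privacy_zone(p, zones):
            prev = p  # advance the reference so the next speed check is correct
            continue
        if prev is not None:
            dist, dt = haversine_m(prev, p), p.t - prev.t
            if dist < min_move_m:
                continue  # stationary: keep prev as the reference
            if dt <= 0 or dist / dt > max_speed_mps:
                prev = p  # vehicle speed: drop it, move the reference on
                continue
        kept.append(p)
        prev = p
    return kept

# Constructed sample on the equator (0.001 deg lon ~ 111 m): home at (0, 0)
# with a 200 m privacy zone, a run at ~2.8 m/s, a pause, then a car at ~50 m/s.
ZONES = [(Point(0.0, 0.0, 0.0), 200.0)]
SAMPLE_TRACK = [
    Point(0.0, 0.0000, 0.0), Point(0.0, 0.0010, 60.0),     # in privacy zone
    Point(0.0, 0.0025, 120.0), Point(0.0, 0.0040, 180.0),  # running, kept
    Point(0.0, 0.0040, 190.0), Point(0.0, 0.0040, 200.0),  # stationary
    Point(0.0, 0.0055, 240.0),                             # running, kept
    Point(0.0, 0.0100, 250.0), Point(0.0, 0.0145, 260.0),  # driving
]
```

Only the three running points survive; the same filter with an empty zone list also lets the two points near home through, which is why the geo-fence matters even after the speed and stationary checks.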
Strava allows users to ensure that their GPS activity is kept private, but because it lets users choose their own username / nickname, the accounts are only as anonymous as you configure them.
India and Fitness Tracking: Indians have adopted this technology on a very large scale. The heat map is highly informative; on a larger scale it lights up India, showing all the high-density routes, with the highest concentration of fitness tracking activity within the cities.
eScan believes that the national security of a country is not limited to those serving in the armed forces but also extends to those who provide support services. Furthermore, the adoption of civilian technology should be limited and heavily monitored. Years ago, when Google came out with Google Maps, the defense sector was hit hardest, as its prime objective of putting up barricades and restricting civilians' physical access to military restricted zones fell flat on its face. Within a few years, Google was forced to pixelate the designated restricted zones.
With the release of heat maps by Strava, one facet of the truth about entity / personnel tracking has been laid bare. Although other tracking services have not released statistics / heat maps, it is very obvious that a large amount of data which can identify you and your daily routine is accessible, and this data in the hands of a rogue nation / entity would spell doom for the entire security infrastructure of the country.
Although Strava offers some form of anonymity to its users, according to eScan's observation it is human tendency to lower one's guard, and in numerous cases users are totally ignorant of the technology and its ill effects.
Using Strava, it is possible to upload fake timed GPS routes and generate a list of people using that route segment. Based on this information, one can also view their route history from other locations. From a national defense point of view, this poses a serious threat since personnel are always on the move.
According to eScan's analysis of the heat map, it was quite evident that the Indian defense establishment has implemented IT security guidelines for its forward bases, as all the heat trails terminate at the check-point. The heat map of the trails has also revealed the routes used by patrolling teams and, in some cases, high travel activity along the border. However, not all bases / defense establishments have restricted the usage of civilian GPS fitness trackers, and the heat trails clearly show the heavily used travel routes.
The threat is real: be it a fitness app or a rogue smartphone app, these apps store the information on their servers, and the data can be analyzed for a variety of purposes; there is also the possibility of profiling and of deriving correlations between two or more entities. Furthermore, a data breach at these organizations would be highly lucrative for hackers and state actors alike.
In 2017 we saw umpteen data breaches involving financial institutions, and because the stolen information had financial repercussions, these incidents were highlighted. However, whenever there has been an incident involving malware with tracking capability, the impact has been dismal. With the release of the fitness tracking heat map, it is expected that there will be stricter measures to restrict non-approved GPS devices / apps; furthermore, the startling insights provided by this heat map are a bleak reminder that Strava is just one of numerous organizations that store highly sensitive GPS tracking data. Organizations storing GPS tracking data should implement stricter data access controls and conduct regular security audits of their infrastructure.
-----------------------------------------------------------------------------------------------------------
India heat map and other tracker data maps from sensitive areas: see here
-----------------------------------------------------------------------------------------------------------
eScan Advisory

  • Audit / restrict usage of civilian GPS-enabled devices
  • Disallow usage of GPS tracking in smartphones
  • Impart training on locking down / securing social media accounts. GPS tracking by social media is highly prevalent, and accounts need to be configured to disable this feature
  • A policy for usage of such devices is to be enforced for active-duty personnel and should not be restricted to specific locations
  • Complete ban on usage of non-approved GPS tracking devices at forward bases