Strava was used to locate the most powerful people

(theguardian.com)

92 points | by kawera 23 hours ago

17 comments

  • abetusk 22 hours ago
    Strava is a fitness app. So, apparently, the security detachment of political figures tends to use the app, presumably because they're into fitness and keep in shape, and their location can be tracked through the app.

    As the security detachment tend to travel with the people they protect, political leaders' locations can be inferred.

    The article talks about body guards not being allowed to use social media/apps while on the job, they allow for provisions on use when not on active duty. So, I guess, the guards get a day off, use the app, wherever they are, broadcasting their location.

    Crazy stuff.

    • kkielhofner 21 hours ago
      Shouldn't be much of a surprise, this made news back in 2018 when the same was realized with soldiers and secret military bases:

      https://www.theguardian.com/world/2018/jan/28/fitness-tracki...

    • loeg 2 hours ago
      More specifically, it's a social network for sharing workout data. Sharing data is like, first and foremost what it's about. It has the same privacy controls you'd expect of social networks (public/friends/private both globally and per post/activity) as well as some that are special to a location-sharing app (hidden addresses).

      This was either a gap in social media policy set for the guards, or a violation of that policy on the part of the guards.

    • netsharc 22 hours ago
      Yeah, the targeting isn't that difficult, I guess. If you know crown prince Akeem Joffer was in New York 5 days ago, and is in Paris 3 days ago, you can probably diligently query Strava users who weren't in New York for a long time but showed up 5 days ago, and see if they showed up in Paris 3 days ago, and boom, you've found a member of his entourage.

      Even if they use the anonymizing feature that masks their start/end points, if you find a few other members, you might be able to triangulate a big hotel near them and guess that that's where the crown prince stayed... and the next time you hear he's coming to NY/Paris, you have this information.

  • mandevil 22 hours ago
    Cell phone tracking is better at surveillance than the best stuff the military has.

    https://www.washingtonpost.com/national-security/2024/02/22/... has a fun story about a time at Fort Irwin (US Army laser tag in the desert) one side couldn't figure out how an attack helicopter got through their defenses, until they did some queries on a commercial cell phone tracking database and found the cellphone moving across the desert at 120mph. Hole identified, plugged for the next round.

    And also talks about how the Ukrainians and Russians are having a great deal of trouble with cell phone OPSEC even after years of shooting war.

    • jklinger410 22 hours ago
      Cell phone tracking _is_ what the military has.

      Seeing through walls with WiFi is better. Or slurping up the main pipes and decrypting it. Which they also have.

    • wildzzz 21 hours ago
      An old coworker used to work on what is basically a Stingray for air platforms with some sort of directional finding capability. Presumably, you'd strap it to a drone and fly it over villages where you suspect bad guys are. Do this every few days and in multiple locations and you'd establish patterns of movements and links between networks of people.
      • giraffe_lady 20 hours ago
        Or where journalists or doctors are. The technology is neutral, after all.
        • computerthings 19 hours ago
          All too often "bad guys" are just a fig leaf for the absolute worst guys.

          “Now the police dreams that one look at the gigantic map on the office wall should suffice at any given moment to establish who is related to whom and in what degree of intimacy; and, theoretically, this dream is not unrealizable although its technical execution is bound to be somewhat difficult. If this map really did exist, not even memory would stand in the way of the totalitarian claim to domination; such a map might make it possible to obliterate people without any traces, as if they had never existed at all.”

          - Hannah Arendt

    • taeric 22 hours ago
      Probably not better than the best stuff the military has... Still really good, mind.

      And, yeah, unintended uses are usually prime locations for security breaches. For a long time (maybe still?) metadata on pictures that people post would reveal far more than people meant. Thumbnails of cropped pictures, even.

      • FactKnower69 21 hours ago
        >Probably not better than the best stuff the military has...

        Military tech is always a decade ahead of civilian, that's why the US has easily won every armed conflict they've entered into in the past 50 years

        • JohnMakin 21 hours ago
          I know for a fact that swaths of critical military infrastructure sit in AWS, so I personally doubt this is true.
        • chatmasta 21 hours ago
          I’m not sure this has been true since the advent of the internet. I don’t believe there’s an entire shadow sphere of academia that is decades ahead of what’s openly published.

          For nuclear energy, this might be true. But for nearly any other topic I’m very skeptical.

        • paganel 21 hours ago
          > has easily won every armed conflict they've entered into in the past 50 years

          That's just false. Ok, maybe you don't count Vietnam, because the US "entered" there in the '60s, but Afghanistan was a sure loss and I'd say the same for Iraq (seeing how it's now in Iran's sphere of influence, which it wasn't under Saddam). Yes, they might have won some tactical battles, most probably all of them, come to think of it, but the wars themselves were lost.

          • magicalhippo 21 hours ago
            > That's just false.

            Read like sarcasm to me.

            • paganel 13 hours ago
              I think you’re right, sorry for having missed it in that case.
        • beAbU 21 hours ago
          Have they though?
  • cj 21 hours ago
    Related:

    Strava heatmap can be used to locate military bases - https://news.ycombinator.com/item?id=16249955 - Jan 2018 (271 comments)

    Turns out soldiers enjoy tracking their runs around the base!

  • OgsyedIE 21 hours ago
    The simplest solution to this is bureaucratic. Establish an app approval cybersecurity office within some agency and have the office make two lists: apps that have specific security configurations that need to be enabled and apps that are outright banned.

    Then you just make compliance with the lists necessary for certain security clearances.

    • Muromec 20 hours ago
      Nononon, you make one list:

      - apps that are allowed to be installed, pinned by version with a person responsible for monitoring them

  • r00fus 22 hours ago
    This is why I only use Strava to share with my followers.

    Yes, it's an extra step after my workout to edit, add pics if any, choose my activity level if I was too lazy to put on my HR monitor, and then only post to my followers.

    Yes, this means I get fewer likes and can't participate in challenges etc. But it's really about sharing with my colleagues and friends so they can motivate me for my next ride.

    • marcellus23 22 hours ago
      You can set your activities to be private by default; you don't need to change it for every activity individually after you upload it.
      • r00fus 21 hours ago
        Yes, mine are. I explicitly share some activities.
    • soco 20 hours ago
      It's not clear to me whether the location was made using the public, as in shared, information, or information set as private. So did they masquerade as followers, or hack the system?
    • zardo 21 hours ago
      > This is why I only use Strava to share with my followers.

      You travel with one of the most powerful people in the world?

    • loeg 20 hours ago
      You're a bodyguard for a head of state? Probably no one cares about your location.
      • r00fus 3 hours ago
        This kind of attitude is why we get such bad IoT security.

        Everyone deserves privacy - just like with Facebook, a bad actor watching your profile could infer your movements on Strava (or lack thereof) and use that to break into your home or steal your ride.

        • loeg 2 hours ago
          You claimed that "this" is why you choose a private mode on Strava. But this attack is irrelevant to you. I totally believe you want privacy -- and that's fine -- and Strava provides you a mode that suits your desires.

          I'm taking issue with your statement that locating powerful people is somehow a threat model that is relevant to you. It isn't.

          > a bad actor watching your profile could infer your movements on Strava (or lack thereof) and use that to break into your home or steal your ride.

          Everyone using Strava who thinks this is relevant to their threat model is free to use the hidden address privacy feature, or the myriad other privacy features.

          At the end of the day, Strava is an app for sharing your data. You have a lot of options for how much you want to share or limit that sharing. If you don't want to share anything ever, it probably isn't for you.

    • tonymet 21 hours ago
      I wouldn’t trust their security restrictions. Their API and authentication is primitive. For a while I ran a basic bot to automate data extraction. Their security is 20+ years behind other social networks.

      You likely have bot followers and API calls that can read your latest activity GPX data

      • loeg 20 hours ago
        Facebook is barely 20 years old. No active social network is "20+ years" ahead of any other, because that's longer than their entire history.
        • itishappy 17 hours ago
          IRC: 36 years old

          Usenet: 44 years old

          • loeg 3 hours ago
            US: 248 years old

            What use irrelevant factoids.

            • itishappy 2 hours ago
              Is the US a social network?
        • tonymet 19 hours ago
          What takes one person a year takes another person 5
  • TrevorJ 21 hours ago
    Not sure if the format for this article is standard these days, but oh man do I hate it.
    • davidsawyer 21 hours ago
      Reads like a remix of how Axios articles are.
  • netsharc 22 hours ago
    In video form (the Guardian article talks about a Le Monde investigation):

    - Pt 1: https://www.youtube.com/watch?v=4eQKnV0zsMc

    - Pt 2: https://www.youtube.com/watch?v=KX7f1PwXEWg

      • netsharc 21 hours ago
        Zelensky has suddenly perked up...

        The 2nd video focuses on the US Secret Service, finding 26 profiles of Biden's protection (and 100+ users who were geolocated inside the S.S. training facility). During the credits of that video, a journalist says, "Despite our warning about this issue to the US authorities, 14 of the 26 profiles are still public."

  • slibhb 22 hours ago
    Was there a breach with Strava or did people simply choose to publish their location publicly?
  • mikeryan 22 hours ago
    Along these lines some cyclists have had their gear stolen by thieves who figured out where they live from Strava data.

    They have a feature to block part of your route when near your home but some folks aren’t aware of it (or learn the hard way)

    • xarope 17 hours ago
      Isn't it only a few 100 yards worth? So thieves can still camp out in a 1 square mile area to find that nice carbon fiber bike at 5am in the morning?
      • loeg 2 hours ago
        You can select a radius of 1/8 to 1 mile.
    • mariusor 11 hours ago
      Frankly the blocking is a radius around the start and stop points. If they are both at your doorstep, all your rides will extrapolate to points on a circle with a center very easy to determine. The feature as it is, is snake oil for someone determined enough. I started to start and stop my rides some distance out, just to add some variation.
      • loeg 2 hours ago
        The hidden address feature picks a random centroid near your hidden address, not exactly on it. Averaging out the circle finds that random centroid, not your hidden address.
    • nickff 22 hours ago
      That feature is fairly recent, and I believe it is now enabled by default.
      • hondo77 21 hours ago
        If by "is fairly recent" you mean "has been around for over six years", yes.
  • aynyc 21 hours ago
    Strava deserves all the blame it gets, but don't you need some serious skills to find out who the agents guarding Biden/Harris/Trump are? I mean, if you can literally track down the names of Secret Service agents guarding VIPs, then you can probably easily track them with other means (phone for example), no?

    Speaking out of most likely ignorance of the Secret Service, I was in the US Marines. I dealt with Marine snipers a few times during training exercises; we mainly served as security protection. I've seen them train, shoot and handle combat scenarios. If any of those Marine snipers wanted to take a shot at a VIP, I can't imagine the Secret Service would be able to do anything to stop it. Some of the snipers are putting rounds into a postage stamp at 1,000 yards / 900 meters.

    • loeg 20 hours ago
      > Strava deserves all the blame it gets

      Not sure why Strava deserves any blame here. It's explicitly a social network for sharing your location and other training data. If you use it and share your location, that's it functioning exactly as designed.

      • MR_Bulldops 20 hours ago
        Strava has (rightfully) received no blame, so they were accidentally right!
        • loeg 20 hours ago
          It's pretty clear that at least some users in this thread blame Strava for some things.
  • sam_lowry_ 22 hours ago
    The problem with Strava is how invasive their location sharing is.

    One has to actively search to disable it. And the integrations with Garmin Connect and the others are even worse.

    • notatoad 21 hours ago
      it's not "invasive", it's a location sharing app.

      if you don't want to share your location, you probably should not use location-sharing apps.

      • RobRivera 20 hours ago
        A fitness app that features location-sharing features.

        When I think of location sharing apps, I think of garmin inreachme for search and rescue.

  • wslh 16 hours ago
    Other sources: Haaretz Investigation: Intelligence Operation Collected Information on Sensitive Israeli Bases, Soldiers <https://www.haaretz.com/israel-news/security-aviation/2024-1...> <https://archive.is/2024.10.29-113518/https://www.haaretz.com...>
  • TheRealPomax 20 hours ago
    I guess strava users didn't learn from the first time.
  • tonymet 21 hours ago
    Strava has suffered from this and had known attacks for 10+ years now. There was a famous case around Colorado of a mistaken doxxing attack driven by Reddit. Due to mistaken identity, attackers pursued an innocent victim using their Strava account. The Strava location was the cause of both the mistaken identity case and abused to find and dox the victim.

    Strava’s anonymization algorithm (the bubble feature) is primitive and trivially de-anonymized with basic triangulation.

    The company has never adequately responded to privacy concerns despite many abuse cases.

    • loeg 20 hours ago
      > Strava’s anonymization algorithm (the bubble feature) is primitive and trivially de-anonymized with basic triangulation.

      That is not true. It picks a single random centroid near your privacy location and does the privacy feature based on that. Triangulation finds the random centroid, which is crucially not your hidden location.

      • mariusor 11 hours ago
        That's something I didn't know, but even like that, it narrows down the area.
        • loeg 3 hours ago
          Sure, but it's pretty obvious that exposing most of your activity except for the start and end location will do that. Strava allows you to choose the hidden radius from a range of values between 1/8 mile and a full mile. That's a pretty wide area. (And you can always make specific activities or your entire account private.)

          Anyway, I think true claims make for much more interesting criticism than false claims.
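A constructed simulation of the two hidden-zone designs discussed in this subthread (circle centred on the address versus on a random nearby centroid), added here as an illustration and not Strava's code. It assumes straight-line rides out of the home, a planar metre grid, and a centroid offset drawn uniformly inside the radius; Strava documents none of these, so they are labelled assumptions in the code.

```python
"""Toy model of a hidden-address zone and what fitting a circle to visible
start points recovers. Constructed example; not Strava's implementation."""
import math
import random

MILE_M = 1609.344  # Strava's hidden radius choices run from 1/8 mile to 1 mile


def exit_point(home, direction, centre, radius):
    """First visible point of a straight ride from `home` along unit vector
    `direction`: where the ride leaves the hidden circle (centre, radius)."""
    ox, oy = home[0] - centre[0], home[1] - centre[1]
    b = ox * direction[0] + oy * direction[1]
    c = ox * ox + oy * oy - radius * radius  # negative while home is inside the circle
    t = -b + math.sqrt(b * b - c)            # positive root of t^2 + 2bt + c = 0
    return (home[0] + t * direction[0], home[1] + t * direction[1])


def circumcentre(p, q, r):
    """Centre of the circle through three points: the 'basic triangulation'
    an observer can run on three visible start points."""
    ax, ay = p
    bx, by = q
    cx, cy = r
    d = 2 * (ax * (by - cy) + bx * (cy - ay) + cx * (ay - by))
    a2, b2, c2 = ax * ax + ay * ay, bx * bx + by * by, cx * cx + cy * cy
    ux = (a2 * (by - cy) + b2 * (cy - ay) + c2 * (ay - by)) / d
    uy = (a2 * (cx - bx) + b2 * (ax - cx) + c2 * (bx - ax)) / d
    return (ux, uy)


def simulate(radius_m, randomise_centroid, seed=0):
    """One account, three rides in well-spread directions. Returns how far the
    fitted centre is from the hidden circle's centre and from the real home."""
    rng = random.Random(seed)
    home = (0.0, 0.0)
    if randomise_centroid:
        # ASSUMPTION (not documented by Strava): centroid drawn uniformly inside
        # the radius, so the home still lies inside the hidden circle.
        rho = radius_m * math.sqrt(rng.random())
        phi = rng.uniform(0.0, 2.0 * math.pi)
        centre = (rho * math.cos(phi), rho * math.sin(phi))
    else:
        centre = home  # naive design: circle centred exactly on the address
    base = rng.uniform(0.0, 2.0 * math.pi)
    starts = []
    for k in range(3):
        a = base + k * 2.0 * math.pi / 3.0
        starts.append(exit_point(home, (math.cos(a), math.sin(a)), centre, radius_m))
    fitted = circumcentre(*starts)
    return {
        "centroid_error_m": math.dist(fitted, centre),        # what the fit actually finds
        "home_error_m": math.dist(fitted, home),              # how far that is from the address
        "residual_search_km2": math.pi * radius_m ** 2 / 1e6,  # disk the home must still lie in
    }


if __name__ == "__main__":
    for radius in (MILE_M / 8, MILE_M):
        for randomised in (False, True):
            r = simulate(radius, randomised, seed=7)
            print(f"radius {radius:7.0f} m randomised={randomised!s:5} "
                  f"centroid err {r['centroid_error_m']:.3f} m  home err {r['home_error_m']:.1f} m  "
                  f"search area {r['residual_search_km2']:.2f} km^2")
```

With the circle centred on the address the fit lands on the home; with a randomised centroid the fit lands on the centroid instead, and the address is only known to be somewhere within the chosen radius of it.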

    • paganel 21 hours ago
      People should just stop using Strava, or at least stop making their Strava data public to the world (not sure if that's an option cause I've never used that app). They should just run/cycle, whatever, forget about gps.
      • tonymet 2 hours ago
        Strava doesn’t even know who has access. They seem to be doing little to no auditing of security access.
      • loeg 20 hours ago
        > not sure if that's an option cause I've never used that app

        You can make your account private, or individual activities private (including by default).

  • tedunangst 20 hours ago
    Was the Biden Xi meeting supposed to be a secret? I think it's generally not difficult to locate the president.
  • blackeyeblitzar 22 hours ago
    What’s the point of Strava? Can’t people easily cheat on the results to outcompete others? Like what happens if I use an e-bike to beat the best times?
    • jerlam 21 hours ago
      There is no reward for getting the best time. Also, the people that you beat are extremely motivated to investigate and flag your activity; it will look pretty obvious that it was ridden on an e-bike due to incorrect / missing data like heart rate and wattage.

      I have the record on a short inconsequential running course near me. I occasionally get a notification that someone beat my record and I am forced to look at it; it is always someone on a bike or car, and I flag it and it eventually goes away. Also, my own record activity has been flagged multiple times despite it only being slightly faster than the second place finisher - I no longer bother trying to contest it. The joke is on the flagger since I have run the exact same record time, several times, so I still have the course record.

      • bigiain 21 hours ago
        Not everyone is as chill about that as you.

        https://www.forbes.com/sites/kashmirhill/2012/06/20/a-quanti...

        • recursive 20 hours ago
          It's even possible to do dumb stuff in pursuit of a personal best without using an app at all.

          But it should be noted that the Strava user in question doesn't seem to have been cheating. For some reason, they were trying to set a legitimate score in an ill-advised way. There's no evidence here that cheating in Strava is a problem.

          Is Strava promoting unsafe riding? Maybe. I don't really think so. But it's not connected to the cheating question.

    • mikeryan 21 hours ago
      The vast majority of Strava users are only competing with themselves or, at best, to be atop a daily leaderboard for a somewhat popular segment.
    • r00fus 22 hours ago
      Strava is a social app with a gamification angle. I use the social to share my rides (only) with people who follow me and to view people I follow to get inspired.

      I also use the gamification to compete - but really only against myself.

    • Beretta_Vexee 21 hours ago
      The cycling leaderboards around where I live are full of professional cyclists capable of overtaking an e-bike while remaining in zone 2. People don't use Strava in the hope of getting a good place on the board but to compare themselves with their friends, club members and the pros. To follow their own development and that of their friends, to discover new paths, new events, and so on.

      Above all, it's a social network based around sport. No baby photos, no politics, just people happily practising their sport - it's the anti-Tweeter and it's great.

    • recursive 21 hours ago
      It's fun. Don't take the leaderboards too seriously. The kind of people that would care about high placement at any cost tend not to be the kind of people who care about strava. (mostly)

      People that can legitimately get a KOM on a segment tend to be known in a local community. If someone new shows up at #1, it's pretty obvious looking at their workout whether it's legit or not to someone familiar with the sport.

      What's the point of wikipedia? Can't people just easily publish fake information? Like what happens if I make an article about myself?

      It's pretty much a solved problem.

      • Rastonbury 19 hours ago
        I once jogged to my car and drove somewhere close forgetting to turn Strava off getting all the PBs and split records
  • kjrfghslkdjfl 21 hours ago
    FitoTrack.

    That's all I have to say about this.

    • harry8 21 hours ago
      I also endorse FitoTrack on droid as a user.

      Along with Out-Run on iphone.

      Both work well and are pleasant to use. Record your exercise for yourself with no cloud.