Less than seven months ago, a group of journalists and Internet sleuths reported that the fitness-tracking application Strava was revealing highly sensitive information about U.S. military personnel around the world, including in Iraq and Syria. The security breach, which alarmed lawmakers and Pentagon officials, prompted the U.S. military to launch a review of its guidelines for wireless devices at military facilities.
Now, a group of reporters in the Netherlands has found another fitness app that may have placed U.S. military personnel at even greater risk.
Until recently, a fitness app called Polar allowed virtually anyone to access the names, addresses and activities of thousands of soldiers and secret agents, wrote reporters at De Correspondent, a Dutch news website, and Bellingcat, a site that publishes citizen-journalist investigations. In an article published last week, the reporters explained how they were easily able to procure the personal information of more than 6,460 U.S. military and security personnel, including people working at the National Security Agency and the U.S. Secret Service.
Like Strava, Polar created an activity map that showed the exact routes where users exercised. But Polar also tracked and consolidated all the sessions of any single user onto that same map. By simply clicking on a user’s profile, the reporters were able to access that user’s routes, heart rates and activities going as far back as 2014, making it far easier to follow any single user in Polar than it had been in Strava.
Screenshots provided to the Washington Post confirmed that the journalists were able to track the running histories of users stationed at military bases overseas, including Guantanamo Bay Naval Base and Camp Lemonnier in Djibouti, the primary base of operations for U.S. Africa Command in the Horn of Africa.
Given that most users tend to turn their fitness trackers on or off when leaving or entering their homes, government personnel on Polar not only revealed where they worked but also "unwittingly mark[ed] their houses on the map," Dutch researcher Foeke Postma said in a post for Bellingcat.
"Strava allowed people to identify sites ... but this one here, centers in on the individuals that work at that site, and where they live," said Eric Vanderburg, the vice president of the cybersecurity consulting division at TCDI, a software company. The risk posed by Polar for individual users was "definitely more significant," he said.
It is unclear whether Polar is as widely used as Strava, which reportedly adds 1 million new users every 40 days. Dimitri Tokmetzis of De Correspondent estimated that Polar has more than 30 million users, adding that the app is popular in Western Europe — particularly in France — as well as in the United States.
U.S. Army Maj. Audricia Mckinney Harris, a spokeswoman for the Defense Department, said Pentagon officials are aware that a "large" number of the department’s employees use Polar but do not know the exact number.
A week after the Dutch reporters made contact with Polar with their findings, the Finnish company suspended the "Explore" function that allowed people to see user information, the Verge reported. And on the day that reporters published their investigation, the Dutch Ministry of Defense announced that it was banning the installation of fitness apps on government-provided phones, the NL Times reported.
Harris said Pentagon officials have not taken specific steps to address the risks posed by Polar. "Any GPS-enabled device, we know that obviously they come with certain security risks," she said. "So whether it’s this particular name brand or that particular name brand, I think the potential of a security risk still exists. That’s something that DOD has always been aware of."
Following the Strava incident in January, the Defense Department announced that it would review guidelines for GPS-enabled devices. Harris said the review is still in progress; a new policy for Defense Department employees is expected "soon," she said, but declined to provide a more specific timeline.