Joggers have been using a fitness app in sensitive intelligence and military locations – including where the Royal Navy stores its nuclear weapons, it emerged today.
A heatmap of GPS data recorded by Strava, a mobile app which allows users to track their jogging routes, shows runners using it at HM Naval Base Clyde.
One of the heatmaps posted on the app from within the base near Glasgow, also known as Faslane, is even captioned: ‘You shouldn’t be using Strava here.’
The maps have also disclosed a US Special Operations base in the Sahel region of Africa, a Patriot missile system in Yemen and drones on an airbase in Djibouti.
One of the maps posted on the Strava app from within HM Naval Base Clyde near Glasgow, also known as Faslane, is even captioned: ‘You shouldn’t be using Strava here’
The heatmaps recorded by Strava show activity in and around various military bases around the world, suggesting users are soldiers on active duty.
People who create a free account can find other users who regularly use certain routes, potentially alerting terrorists or foreign powers to soldiers on active duty.
The HMNB Clyde map was investigated by Mustafa Al-Bassam, a former hacker who is now a PhD researcher in computer science at University College London.
He tweeted: ‘This is Strava fitness tracker data at HMNB Clyde, a military base where Britain’s nuclear weapons are stored.
‘How are the security checks so bad in these places that employees are allowed to bring arbitrary electronic devices in close proximity to nukes?
A heatmap of GPS data recorded by Strava, a mobile app which allows users to track their jogging routes, shows runners using it at HM Naval Base Clyde
‘Someone even created a Strava run segment in the UK nuclear weapons military base (HMNB Clyde) called ‘You shouldn’t be using Strava here’, but it was clearly ignored by employees.
‘How the f*** are employees of a nuclear weapons facility being allowed to bring Fitbits and random electrical devices inside a base where nukes are stored?’
There are concerns that communication devices or fitness trackers such as the Fitbit or Jawbone could be intercepted or hacked within secure zones.
This could then lead to the people using them being tracked in real time by criminals, posing a security risk when they then leave that secure location.
Other potentially sensitive locations mapped in the UK include Sandhurst military academy and Government Communications Headquarters (GCHQ) in Cheltenham.
A Strava spokesman said the heatmap ‘excludes activities that have been marked as private and user-defined privacy zones’.
Other potentially sensitive locations in the UK where joggers have been using Strava include the Government Communications Headquarters (GCHQ) in Cheltenham
‘We are committed to helping people better understand our settings to give them control over what they share,’ they added.
Anyone can create an account for free and find routes, or ‘segments’ around military bases.
The app also shows which users have publicly recorded their times on certain routes and many people on Twitter have pointed out that anyone could use such information to find other social media profiles for soldiers.
Nathan Ruser, a student from Canberra in Australia, identified what he believed was a regular jogging route for soldiers in Afghanistan.
‘Hopefully it’s a learning experience for the different military communities and they can toe that line between convenience and security,’ he told the Sydney Morning Herald.
Others identified a US base in Nigeria and app users at Bagram air base in Iraq.
Writing for the website The Daily Beast, international security expert Jeffrey Lewis showed how anyone could identify users at a military base in Taiwan and potentially find other bases as a result.
The heatmaps recorded by Strava show activity in and around various military bases around the world, suggesting users are soldiers on active duty. Pictured: HM Naval Base Clyde
‘If our user casually jogging by Taiwanese missiles day after day suddenly appears deployed to a new location, well that’s very interesting if you are targeting missiles for China’s Rocket Force,’ he wrote.
Users are able to make their data private, but Mr Lewis also raised concerns about whether data which has been set to private could be hacked.
Strava published a major update to the heatmap in November 2017, including ‘six times more data than before’, but investigators only spotted the security breach this weekend.
A Ministry of Defence spokesman said: ‘The MOD takes the security of its personnel and establishments very seriously and keeps them under constant review.
‘However, for obvious reasons we do not comment on our specific security arrangements or procedures.’
Running app Strava accidentally reveals the location of US military bases across the world and shows DRONES on a runway in leak of sensitive information that could aid terrorists
BY KHALEDA RAHMAN FOR DAILYMAIL.COM
The locations of American and allied military bases across the world have been revealed by a running app after soldiers uploaded their routes to it.
Strava, a GPS tracker that tells runners how far and how fast they have gone, created an interactive online map of the routes posted by all of its users.
However, security analysts have noticed that the Global Heat Map has highlighted sensitive military bases in countries such as Afghanistan, Iraq and Syria.
It has disclosed a US Special Operations base in the Sahel region of Africa, a Patriot missile system in Yemen and drones on an airbase in Djibouti.
Soldiers have unwittingly revealed the information by recording their routes as they run around the bases on Strava, which can be synchronized to Fitbit and Jawbone.
The routes taken by subscribers over the last two years have been revealed on the satellite map of the world.
A map showing routes taken by users of an exercise tracking app reveals potentially sensitive information about American soldiers across the world, including in Iraq (pictured)
It shows a great deal of activity in the United States and Europe. But in war zones and deserts in countries like Iraq, Djibouti and Syria, the heat map becomes almost entirely dark — except for scattered evidence of activity.
A closer look at those areas brings into focus the locations and outlines of known US military bases as well as other lesser-known and potentially sensitive sites.
The data could provide information to someone who wants to attack or ambush troops.
The map is not live, but shows a pattern of accumulated activity between 2015 and September 2017.
The Global Heat Map was posted online in November 2017, but the information it contains was only publicised recently after Nathan Ruser, an Australian studying international security came across it.
He tweeted about it, prompting other analysts, military experts and ex-soldiers to scour the map for evidence of activity in sensitive locations.
Adam Rawnsley noticed there was a lot of jogging on a beach near a suspected CIA base in Mogadishu, Somalia.
Ben Taub located a US Special Operations base in the Sahel region of Africa.
Another person said he found the site of a Patriot missile system in Yemen.
In Afghanistan, several locations in the country’s south and west are a hive of activity
‘In Syria, known Coalition (i.e. US) bases light up the night,’ one analyst said on Twitter
Smaller sites also appear on the map in northern and western Iraq, indicating the presence of other, lesser-known installations
Jack Nelson wrote on Twitter that it took him 30 seconds to find a US air base in Djibouti.
However, since the map doesn’t identify the app’s users, it’s difficult to determine what some sites are.
They could be linked to aid organizations, UN facilities or military bases for other countries, Tobias Schneider, a security analyst who was among the group of people who highlighted the military bases shown on the map, noted.
Schneider also noted that it shows military sites in Syria and Iraq as well as the Madama base used by French forces in Niger.
‘In Syria, known Coalition (i.e. US) bases light up the night. Some light markers over known Russian positions, no notable coloring for Iranian bases,’ Schneider wrote on Twitter.
US troops are deployed in support of local forces battling ISIS in Syria as well as Iraq, while Russian and Iranian units are backing President Bashar al-Assad’s Syria government in that country’s civil war.
One Twitter user said it took seconds to find what he says is a US drone base in Djibouti (above)
‘I wonder who’s running around this apparently abandoned airfield in Somalia,’ Jack Nelson wrote alongside these images
One Twitter user noticed there was a lot of jogging on a beach near a suspected CIA base in Mogadishu, Somalia (above)
‘A lot of people are going to have to sit thru lectures come Monday morning,’ Schneider wrote, referring to soldiers likely to be taken to task for inadvertently revealing sensitive information while trying to keep in shape.
‘Bases are fixed & hard to conceal,’ he wrote, so the ‘biggest potential threat is to tracking movement.’
He added: ‘Think beyond Strava to what creative analysts (from nosy twitter sleuths to *cough* darker forces) can do with even seemingly innocuous bits of meta data.’
While some of the bases are well known to groups that might want to attack them, the map also shows what appear to be routes taken by forces moving outside of bases – information that could be used in planning bombings or ambushes.
The map of Iraq is largely dark, indicating a limited use of the app in the country.
Tobias Schneider noted that it shows military sites in Syria and Iraq as well as the Madama base used by French forces in Niger
But a series of well-known military bases, where American and allied forces have been deployed as part of their war against the Islamic State terror group, are highlighted in detail.
These include Taji north of Baghdad, Qayyarah south of Mosul and Al-Asad in Anbar Province.
Smaller sites also appear on the map in northern and western Iraq, indicating the presence of other, lesser-known installations.
Stretches of road are also highlighted, indicating that Strava users kept their devices on while traveling, potentially providing details about commonly-taken routes.
In Afghanistan, Bagram Airfield north of Kabul is a hive of activity, as are several locations in the country’s south and west.
And in Syria, Qamishli in the northwest, a stronghold of US-allied Kurdish forces, is clearly visible.
Another person said he found the site of a Patriot missile system in Yemen using the map
Potentially sensitive information can be gleaned outside of war zones.
A map of the US air force base known as Area 51 near Homey Airport in Nevada shows a cyclist travelling from the base along the edge of Groom Lake.
RAF Mount Pleasant on the Falkland Islands is lit up brightly, revealing the exercise regimen of the 1,000 British soldiers stationed there, according to the Guardian.
Strava says it has 27 million users around the world, including people who own widely available fitness devices, as well as people who directly subscribe to its mobile app.
The map shows the movements of its app users around the world, indicating the intensity of travel along a given path – a ‘direct visualization of Strava’s global network of athletes,’ it says.
But the issue could have been fairly easily avoided.
Strava says it has 27 million users around the world, including people who own widely available fitness devices
According to Strava, ‘athletes with the Metro/heatmap opt-out privacy setting have all data excluded’ from the mapping project.
The US Department of Defense has said it is ‘reviewing’ the situation.
‘Recent data releases emphasize the need for situational awareness when members of the military share personal information,’ Major Audricia Harris, a Pentagon spokeswoman, told AFP.
‘DoD takes matters like these very seriously and is reviewing the situation to determine if any additional training or guidance is required, and if any additional policy must be developed to ensure the continued safety of DoD personnel at home and abroad,’ Harris said.
The Pentagon ‘recommends limiting public profiles on the internet, including personal social media accounts,’ she said.