The Strava app has struck again. This time, a French nuclear submarine’s position and patrol dates were inadvertently leaked by crew members logging their runs on the fitness app Strava.
Crew members at Île Longue in Brest Harbour in Finistère, home to France’s four nuclear submarines, have been logging their fitness activities on the app; when their accounts went quiet, it suggested the submarine was on patrol.
Activities that Strava members log on the app are accompanied by a map of the location where the users completed their exercise.
Mobile phones are prohibited in the highly secured base, where drones keep round-the-clock surveillance. However, the sensitive information was leaked anyway through users of the fitness app.
An investigation by French paper Le Monde revealed that over the last decade, 450 users have been active at the base, and in most cases, the users have not used any pseudonyms for their public profiles, allowing anyone to access their routines.
A crew member recorded 16 activities in January 2023. On February 3, 2023, he ran where the submarines were moored, recording his times and locations on the app. His account went dormant the next month, and he became active again only on March 25, 2023. Similarly, two other users stopped their training on Strava after February 3 and resumed around March 25.
This indicated that the three men were onboard a nuclear submarine on patrol. Later, one of the users also confirmed his inactivity by posting: ‘It’s tough to get back into sport after more than two and a half months in a poo box’. He posted the message along with emojis representing bubbles and a diving mask.
The French Navy told Le Monde that despite the mobile phone ban, smartwatches could have passed security, allowing the men to record their runs on the base.
The Navy acknowledged that there was ‘negligence on the part of the personnel which do not necessarily constitute flaws that could affect the activities of the operational base on Île Longue’.
The Navy has not ruled out that Russia could have also accessed this information.
The last races completed by the crew members before their departure were on the docks where the submarines are moored, an area where access is strictly controlled and sports activities are rare. Runs on the docks can indicate the imminent departure of one of the submarines.
‘Fit Leaking’ has been disrupting the confidentiality of the military world.
Experts define Fit Leaking as “when fitness activities, recorded for personal benefit, emit into signals that reveal sensitive and confidential information.” The term was coined by University of Toronto’s Citizen Lab Senior Researcher John Scott-Railton to describe how one company’s “God’s Eye View” of fitness data reveals large amounts of secret and private information.
Scott-Railton’s research showed that the information could be used to identify a covert military outpost through a consistent pattern of exercise activity and patrol routes at a military base or outside of it. The personnel activity rate at an embassy or installation can be monitored to reveal important information about activities and strategy.
Where Enemy Cannot Reach, Strava Reaches
Geolocation data gathered by Strava’s fitness tracker is a treasure trove of information. One can identify secret military facilities in “dark areas” and specific identifiable behavior patterns of at-risk individuals.
Strava took the military world by storm when it released its data visualization map in 2017, which showed every single activity uploaded by its users – a massive three trillion GPS data points. Strava is a social network for athletes, and the global heatmap was a visualization of over one billion activities from its athletes across land and sea.
In major cities, the ‘global heatmap’ illuminated the popular running routes. However, in conflict regions, the heatmap lit up military bases by aggregating the concentrated activities of exercise-focused individuals, such as military personnel. The heatmap revealed secret military bases for the US and other countries. This raised massive privacy and security concerns, prompting Strava to allow its users to conceal their location.
In another dangerous incident, Royal Navy officers at Faslane Naval Base, where Britain’s Trident nuclear deterrent is based, inadvertently leaked their details, including when they were onboard nuclear submarines.
Strava has around 95 million users across the globe. It has a feature where a user could have a private profile but still appear in public speed rankings for a particular location. Often, users are unaware that their identity is made public.
Strava lets users create “segments,” where short public routes are tagged to geographical coordinates. If someone runs on a route in a “segment,” their time appears in competitive rankings. The personnel who had access to the Faslane Base had created several segments. One of them was even titled “Race to the Home of the UK Submarine Service,” and another was titled “RM BFT,” an abbreviation for Royal Marines basic fitness test.
A flaw in Strava made it possible to track and identify personnel at secret Israeli military, intelligence, and nuclear sites. All it took was creating a fake jogger and seeing who else had exercised in similar areas.
In June 2022, some unknown operatives planted fake ‘segments’ at Israeli military bases. This enabled them to see who had run along the route and even track them to other countries. Details of roughly 100 Israeli officers, including names, photos, and movements, were leaked to outsiders through Strava.
This flaw also exposed locations of several highly sensitive sites in Israel, including the precise locations of army and air force bases, Mossad headquarters, and military intelligence bases.
Earlier, in 2018, the fitness tracking app had introduced a new feature that showed the most popular running routes, and the data revealed a US Army base in the Middle East, where its soldiers were recording runs.