Your Favorite Fitness Apps Are Leaving US Military Bases Abroad Exposed

A screenshot from Strava's Global Heat Map, which shows GPS activity among users of personal fitness trackers over a two-year period
Screenshot Strava

The first rule of operational security, according to a major 2014 revision to Army regulations, is to maintain “essential secrecy” by “the denial of critical information to adversaries” like force strength, capabilities, objectives, and, most importantly, position. But all of the Defense Department’s opsec planning appears no match for a $100 consumer fitness wristband — an apparent security oversight that could put U.S. troops in danger downrange.

First noticed by Middle East analyst Nathan Ruser on Saturday, an online map published by Strava, a company that gathers data on consumer fitness gadgets like FitBit, Jawbone, and app-enabled smartphones through GPS tracking, appeared to show the locations and behavior of U.S. military personnel deployed downrange.

According to the Washington Post, Strava’s Global Heat Map isn’t live — first unveiled in November 2017, it’s based on 13 trillion GPS data points collected over a two-year period through that September — but it purports to reveal Marine Corps firebases in the deserts of Syria, a Patriot missile defense battery in Yemen, and U.S. special operations forces deployed near a previously unknown U.S. installation in Niger. And it isn’t just U.S. forces exposed by their own fitness gadgets: According to the Daily Beast, the Strava data even appears to reveal a major security flaw in Taiwan's missile command center. The data hosted on Strava’s site is specific enough that it identified more than 50 U.S. service members by name based on their jogging runs in the area surrounding a remote air base in Afghanistan.

Screenshot Strava

A screenshot of the Strava Global Heat Map that appears to show U.S. military personnel flitting into Afghanistan’s Nangarhar Province, the site of heavy fighting between U.S. forces and Taliban and ISIS militants in 2017.

Although the Strava tool doesn’t offer a real-time view of the battlespace, it certainly exacerbates fears that U.S. military personnel might end up vulnerable thanks to their unsecured consumer tech. In 2016, a pro-Russian hacker group used a malicious Android app as a Trojan horse to track the locations of Ukrainian artillery units amid simmering tensions on the border between the two countries; as recently as October 2017, U.S. troops deployed with NATO in Poland and the Baltics reported that the Russian military had purportedly used surveillance drones to attempt to access geolocation data stored on personal smartphones.

While the revelation that U.S. troop locations are so easily exposed by consumer technology is embarrassing, it isn’t nearly as embarrassing as the DoD’s apparent lack of foresight regarding the security breach. Not only has Strava in particular been in the public consciousness as early as 2014, when data first entered into domestic court proceedings surrounding pedestrian accidents, but the Pentagon has been thinking critically about OPSEC issues posed by personal technology for at least a decade as the rise of smartphones and social media made consumer GPS tracking and location-sharing apps a major security concern. In 2007, photos of several brand-new AH-64 Apache helicopters on the flight line of a U.S. military installation in Iraq, taken by Army soldiers and uploaded to the Internet, ended up revealing the exact latitude and longitude of aircraft within the compound’s perimeter, allowing enemy insurgents to destroy several with precise mortar strikes from a safe distance.

Considering that deriving location data from a photo is relatively simple even for the uninitiated, the Pentagon offers a whole raft of training and education materials regarding OPSEC and INFOSEC risks and vulnerabilities on every communications platform from social media to smartphones. But the DoD doesn’t appear to have extended the same scrutiny to the data collected by GPS trackers like Jawbone and FitBit. Indeed, the Army began issuing commercial FitBit Flex bands to soldiers at several bases in 2013 in an effort to fight obesity and improve overall fitness. Hell, even former NSA director Michael Hayden stated plainly in April 2014 that “we kill people based on metadata.” When, then wouldn’t our enemies?

When reached by Task & Purpose, Pentagon spokesman Maj. Audricia Harris said that annual DoD OPSEC training “recommends limiting public profiles on the internet, including personal social media accounts,” and that the Pentagon’s current OPSEC requirements “provide further guidance for military personnel supporting operations around the world.” Apparently, other GPS-enabled devices are not a major part of that conversation, a major problem given the growing ecosystem of consumer software that track your every move. And while a 2016 Marine Corps guidance explicitly states that Bluetooth and GPS-enabled personal fitness devices are only prohibited at facilities if they utilize “cellular or Wi-Fi, photographic, video capture/recording, microphone, or audio recording capabilities,” that conversation clearly needs to happen again.

But despite the existence of this backdoor into U.S. military locations, the Pentagon appears set on using the Strava debacle to take a long, hard look at its current OPSEC environment. Officials announced on Jan. 29 that the Pentagon would conduct a review of wearable electronic devices and smartphones, although they did not provide any specifics on the scope and duration of the review.

“Recent data releases emphasize the need for situational awareness when members of the military share personal information,” Harris told Task & Purpose. “DoD takes matters like these very seriously and is reviewing the situation to determine if any additional training or guidance is required and if any additional policy must be developed to ensure the continued safety of DoD personnel at home and abroad.”

U.S. Army/ Staff Sgt. Jacob Connor

Members of 5th Special Forces Group (A) conducting 50. Cal Weapons training during counter ISIS operations at Al Tanf Garrison in southern Syria.

“Operational security and force protection requires constant vigilance,” Pentagon spokesman Col. Rob Manning told reporters during a press briefing on Jan. 29. “Secretary Mattis has been very clear about not highlighting our abilities to aid the enemy or give the enemy any advantage. That would be our approach going in on this as well.”

In the meantime, Strava has a better suggestion for U.S. military personnel: Take five seconds and just opt out of sharing your data with us!

“We are committed to helping people better understand our settings to give them control over what they share,” the company told The Guardian in a statement on Jan. 29. “We take the safety of our community seriously and are committed to working with military and government officials to address sensitive areas that might appear.”

Task & Purpose Senior Pentagon correspondent Jeff Schogol contributed reporting.


Want to read more from Task & Purpose? Sign up for our daily newsletter »

A Marine wanted for killing his mother's boyfriend reportedly escaped police by hiding inside an RV they'd spent hours searching before towing it to a parking lot, where he escaped under the cover of darkness.

It wasn't until more than two weeks later authorities finally caught up to Michael Brown at his mom's home, which was the scene of the crime.

Brown stuffed himself into a tight spot in his camper during an hours-long search of the vehicle on Nov. 10, according to NBC affiliate WSLS in Virginia. A day earlier, cops said Brown fatally shot his mother's boyfriend, Rodney Brown. The AWOL Marine remained on the lam until Nov. 27, where he was finally apprehended without incident.

Read More Show Less

No motive is yet known for last week's Pearl Harbor Naval Shipyard shooting tragedy, which appears to have been a random act of violence in which the sailor who fatally shot two civilian workers and himself did not know them and did not plan his actions ahead of time, shipyard commander Capt. Greg Burton said in an "All Hands" message sent out Friday.

Machinist's Mate Auxiliary Fireman Gabriel Antonio Romero of San Antonio, an armed watch-stander on the attack submarine USS Columbia, shot three civilian workers Dec. 4 and then turned a gun on himself while the sub rested in dry dock 2 for a major overhaul, the Navy said.

"The investigation continues, but there is currently no known motive and no information to indicate the sailor knew any of the victims," Burton said.

Read More Show Less
A projectile is fired during North Korea's missile tests in this undated picture released by North Korea's Central News Agency (KCNA) on November 28, 2019. (KCNA via Reuters)

SEOUL (Reuters) - North Korea said it had successfully conducted another test at a satellite launch site, the latest in a string of developments aimed at "restraining and overpowering the nuclear threat of the U.S.", state news agency KCNA reported on Saturday.

The test was conducted on Friday at the Sohae satellite launch site, KCNA said, citing a spokesman for North Korea's Academy of Defence Science, without specifying what sort of testing occurred.

Read More Show Less

Since the Washington Post first published the "Afghanistan papers," I have been reminded of a scene from "Apocalypse Now Redux" in which Army Col. Walter Kurtz reads to the soldier assigned to kill him two Time magazine articles showing how the American people had been lied to about Vietnam by both the Lyndon Johnson and Richard Nixon administrations.

In one of the articles, a British counterinsurgency expert tells Nixon that "things felt much better and smelled much better" during his visit to Vietnam.

"How do they smell to you, soldier?" Kurtz asks.

Read More Show Less
Erik Prince arrives for the New York Young Republican Club Gala at The Yale Club of New York City in Manhattan in New York City, New York, U.S., November 7, 2019. (REUTERS/Jeenah Moon)

WASHINGTON (Reuters) - Erik Prince, the controversial private security executive and prominent supporter of U.S. President Donald Trump, made a secret visit to Venezuela last month and met Vice President Delcy Rodriguez, one of socialist leader Nicolas Maduro's closest and most outspoken allies, according to five sources familiar with the matter.

Read More Show Less