Your Favorite Fitness Apps Are Leaving US Military Bases Abroad Exposed

A screenshot from Strava's Global Heat Map, which shows GPS activity among users of personal fitness trackers over a two-year period
Screenshot Strava

The first rule of operational security, according to a major 2014 revision to Army regulations, is to maintain “essential secrecy” by “the denial of critical information to adversaries” like force strength, capabilities, objectives, and, most importantly, position. But all of the Defense Department’s opsec planning appears no match for a $100 consumer fitness wristband — an apparent security oversight that could put U.S. troops in danger downrange.


First noticed by Middle East analyst Nathan Ruser on Saturday, an online map published by Strava, a company that gathers data on consumer fitness gadgets like FitBit, Jawbone, and app-enabled smartphones through GPS tracking, appeared to show the locations and behavior of U.S. military personnel deployed downrange.

According to the Washington Post, Strava’s Global Heat Map isn’t live — first unveiled in November 2017, it’s based on 13 trillion GPS data points collected over a two-year period through that September — but it purports to reveal Marine Corps firebases in the deserts of Syria, a Patriot missile defense battery in Yemen, and U.S. special operations forces deployed near a previously unknown U.S. installation in Niger. And it isn’t just U.S. forces exposed by their own fitness gadgets: According to the Daily Beast, the Strava data even appears to reveal a major security flaw in Taiwan's missile command center. The data hosted on Strava’s site is specific enough that it identified more than 50 U.S. service members by name based on their jogging runs in the area surrounding a remote air base in Afghanistan.


A screenshot of the Strava Global Heat Map that appears to show U.S. military personnel flitting into Afghanistan’s Nangarhar Province, the site of heavy fighting between U.S. forces and Taliban and ISIS militants in 2017.

Although the Strava tool doesn’t offer a real-time view of the battlespace, it certainly exacerbates fears that U.S. military personnel might end up vulnerable thanks to their unsecured consumer tech. In 2016, a pro-Russian hacker group used a malicious Android app as a Trojan horse to track the locations of Ukrainian artillery units amid simmering tensions on the border between the two countries; as recently as October 2017, U.S. troops deployed with NATO in Poland and the Baltics reported that the Russian military had purportedly used surveillance drones to attempt to access geolocation data stored on personal smartphones.

While the revelation that U.S. troop locations are so easily exposed by consumer technology is embarrassing, it isn’t nearly as embarrassing as the DoD’s apparent lack of foresight regarding the security breach. Not only has Strava in particular been in the public consciousness since as early as 2014, when data first entered into domestic court proceedings surrounding pedestrian accidents, but the Pentagon has been thinking critically about OPSEC issues posed by personal technology for at least a decade as the rise of smartphones and social media made consumer GPS tracking and location-sharing apps a major security concern. In 2007, photos of several brand-new AH-64 Apache helicopters on the flight line of a U.S. military installation in Iraq, taken by Army soldiers and uploaded to the Internet, ended up revealing the exact latitude and longitude of aircraft within the compound’s perimeter, allowing enemy insurgents to destroy several with precise mortar strikes from a safe distance.

Considering that deriving location data from a photo is relatively simple even for the uninitiated, the Pentagon offers a whole raft of training and education materials regarding OPSEC and INFOSEC risks and vulnerabilities on every communications platform from social media to smartphones. But the DoD doesn’t appear to have extended the same scrutiny to the data collected by GPS trackers like Jawbone and FitBit. Indeed, the Army began issuing commercial FitBit Flex bands to soldiers at several bases in 2013 in an effort to fight obesity and improve overall fitness. Hell, even former NSA director Michael Hayden stated plainly in April 2014 that “we kill people based on metadata.” Why, then, wouldn’t our enemies?

When reached by Task & Purpose, Pentagon spokesman Maj. Audricia Harris said that annual DoD OPSEC training “recommends limiting public profiles on the internet, including personal social media accounts,” and that the Pentagon’s current OPSEC requirements “provide further guidance for military personnel supporting operations around the world.” Apparently, other GPS-enabled devices are not a major part of that conversation, a major problem given the growing ecosystem of consumer software that tracks your every move. And while a 2016 Marine Corps guidance explicitly states that Bluetooth and GPS-enabled personal fitness devices are only prohibited at facilities if they utilize “cellular or Wi-Fi, photographic, video capture/recording, microphone, or audio recording capabilities,” that conversation clearly needs to happen again.

But despite the existence of this backdoor into U.S. military locations, the Pentagon appears set on using the Strava debacle to take a long, hard look at its current OPSEC environment. Officials announced on Jan. 29 that the Pentagon would conduct a review of wearable electronic devices and smartphones, although they did not provide any specifics on the scope and duration of the review.

“Recent data releases emphasize the need for situational awareness when members of the military share personal information,” Harris told Task & Purpose. “DoD takes matters like these very seriously and is reviewing the situation to determine if any additional training or guidance is required and if any additional policy must be developed to ensure the continued safety of DoD personnel at home and abroad.”

U.S. Army/ Staff Sgt. Jacob Connor

Members of 5th Special Forces Group (A) conducting .50 Cal Weapons training during counter ISIS operations at Al Tanf Garrison in southern Syria.

“Operational security and force protection requires constant vigilance,” Pentagon spokesman Col. Rob Manning told reporters during a press briefing on Jan. 29. “Secretary Mattis has been very clear about not highlighting our abilities to aid the enemy or give the enemy any advantage. That would be our approach going in on this as well.”

In the meantime, Strava has a better suggestion for U.S. military personnel: Take five seconds and just opt out of sharing your data with us!

“We are committed to helping people better understand our settings to give them control over what they share,” the company told The Guardian in a statement on Jan. 29. “We take the safety of our community seriously and are committed to working with military and government officials to address sensitive areas that might appear.”

Task & Purpose Senior Pentagon correspondent Jeff Schogol contributed reporting.
