Fitness app Polar even better at revealing secrets than Strava

'I spent a year hiding in shrubs, and they just … publish their daily runs'

+Comment Online investigations outfit Bellingcat has found that fitness tracking kit-maker Polar reveals both the identity and daily activity of its users - including soldiers and spies.

Many users of Polar's devices and app appear not to have paid attention to their privacy settings; as a result, a Bellingcat writer found 6,460 individuals from 69 countries. More than 200 of them left digital breadcrumbs around sensitive locations.

Bellingcat's report claimed the Polar Flow social-fitness site produces more compromising data than other fitness trackers did in previous leaks: “Compared to the similar services of Garmin and Strava, Polar publicizes more data per user in a more accessible way, with potentially disastrous results.”

“Tracing all of this information is very simple through the site: find a military base, select an exercise published there to identify the attached profile, and see where else this person has exercised.”

Bellingcat notes that the big difference between Polar and Strava is that the former offers more comprehensive data, more easily, covering everything a user has uploaded to the platform since 2014.

The investigation describes all sorts of interesting targets in the data: an officer whose air base hosts nuclear weapons; Western military personnel in Afghanistan; yet another officer whose profile carries his name, and whose location hosts drones. People exercising near their homes, and also near their workplaces – which happen to be intelligence agencies.

“We were able to scrape Polar’s site (another security flaw) for individuals exercising at 200+ of such sensitive sites, and we gathered a list of nearly 6,500 unique users. Together, these users had made over 650,000 exercises, marking the places they work, live, and go on vacation,” Bellingcat's Foeke Postma wrote.

Polar told the publication it had updated its policy in August 2017 so accounts have more secure default settings, and the platform has blocked users from exploring its data while it investigates fixes.

Over the weekend, in response to the revelations, the Dutch Minister of Defence issued an edict that military personnel should remove fitness apps from their smartphones.

Running in circles

The Dutch response may well feel familiar because, shortly after Nathan Ruser of the Australian National University revealed the extent of the Strava leak in January this year, the Pentagon warned personnel to lock down their privacy settings.

The official response included an investigation in the US military, but such things proceed relatively slowly. Army Colonel Robert Manning III said at the time: “DoD personnel are advised to place strict privacy settings on wireless technologies and applications.”

However, even if military and intelligence users had locked down their defaults after that warning, Bellingcat's Postma wrote that the platform still kept old data public until it stopped Internet passers-by browsing people's records.

Yes, people with sensitive jobs need to be careful with social technologies, but it seems to be an open question just how well people in general understand how much data leaks when they sign up for online services.

The US military is, after all, easily large enough to act as a proxy for the whole population, and people at scale aren't paying close attention to how their data leaks, until it stings them. ®

Biting the hand that feeds IT © 1998–2022