Polar fitness app exposed location of soldiers and government agents
It was potentially worse than Strava
By Rob Thubron
What just happened? Another fitness company was found to be indirectly revealing the locations of personnel working for military and intelligence services. Finnish firm Polar has now suspended its global activity map after an investigation by Dutch news site De Correspondent and Bellingcat exposed the security issues.
Polar's line of smart devices is able to connect to the company's fitness app, Polar Flow, where users can record their activities and routes on a publicly viewable 'Explore' map. The security concerns arose from the fact that anyone could use the map to find sensitive installations and see if any users' workouts end at these locations. Many runners give their real names and profile pictures on the app, allowing someone to gather a slew of information on soldiers or government agents who use Polar fitness trackers.
This isn't the first time a tracking app has come under fire for potentially revealing military bases and staff routines. Back in January, Strava changed its privacy settings after its heatmap was found to be exposing data on personnel stationed in bases around the world. But while Strava's information was only accessible via a user's profile page, Polar allowed you to select an interesting site, pick one of the profiles exercising there, and get a full workout history (going back to 2014) of that person.
De Correspondent identified over 6400 users exercising at sensitive locations, including the NSA, the White House, MI6, Guantanamo Bay, and foreign military bases.
Even users who marked their profiles as private weren't safe from prying eyes. A flaw in the app allowed reporters to gather their data, and the API didn't cap the number of requests that someone could make, thereby allowing them "to determine their home address, where people's workouts often begin and end."
Polar has apologized and suspended the Explore feature in the Flow app. It added that there had been no breach of private data and that it is now "analyzing the best options that will allow Polar customers to continue using the Explore feature while taking additional measures to remind customers to avoid publicly sharing GPS files of sensitive locations." You can read the company's full statement here.
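The exposure described above rested on two things: workouts from private profiles could still be retrieved, and public tracks showed exactly where each workout began and ended. The following is an added example, not Polar's code and not part of the original article, of a server-side filter that withholds private workouts and clips the start and end of public tracks; the field names (`owner_id`, `private`, `track`), the 500 m radius and the sample coordinates are assumptions.

```python
import math

EARTH_RADIUS_M = 6371000.0

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def clip_endpoints(track, radius_m=500.0):
    """Drop the leading points near the first fix and the trailing points
    near the last fix, so the published track does not start or end at
    the place the user set out from or returned to."""
    if not track:
        return []
    start, end = track[0], track[-1]
    i = 0
    while i < len(track) and haversine_m(track[i], start) <= radius_m:
        i += 1
    j = len(track)
    while j > i and haversine_m(track[j - 1], end) <= radius_m:
        j -= 1
    return track[i:j]

def publishable_track(workout, viewer_id, radius_m=500.0):
    """Return the points this viewer may see, or None if nothing is visible.
    The privacy flag is enforced here on the server, for every request."""
    if workout["owner_id"] == viewer_id:
        return list(workout["track"])      # owners see their own full track
    if workout["private"]:
        return None                        # private means no points at all
    # A track that never leaves the clipped zone is not published.
    return clip_endpoints(workout["track"], radius_m) or None

# Constructed sample: out-and-back run due north, about 111 m between points.
SAMPLE_TRACK = [(52.0 + 0.001 * k, 5.0)
                for k in list(range(21)) + list(range(19, -1, -1))]

if __name__ == "__main__":
    public = {"owner_id": "u1", "private": False, "track": SAMPLE_TRACK}
    shown = publishable_track(public, viewer_id="u2")
    print(len(SAMPLE_TRACK), "points recorded,", len(shown), "published")
```

A fixed radius around the true start is the simplest form of this clipping; adding a random offset to the zone centre keeps clipped tracks from many workouts from converging on one point.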