Fitness apps track daily activity, record training patterns and key locations, and store user profiles with sensitive, identifying information. While they are extremely popular among athletes, they have countless flaws, and some of them could even prove deadly. On this note, if anyone thought Strava was a flop for exposing users’ locations, the Polar digital activity tracker is far worse.
Dutch publication De Correspondent, together with digital forensics experts, raised concerns that Polar Flow exposes high-risk groups of soldiers on secret missions, as well as data related to their personal lives, such as names of family members and home addresses.
“We found this information not through hacking or some other technological wizardry, but through a little clever searching in the online map that Polar makes available to anyone with an account,” reads the article. “That map displays every run, bike ride, and swim its users have logged since 2014. Anyone with a basic understanding of computers and some common sense can find this information.”
The popular fitness tracker is risky because it is also used by military personnel whose locations should remain concealed. Researchers found the app’s Explore tracking feature can easily leak the user names, profile pictures and location information of 6,400 high-level personnel from 69 countries, intelligence officers included.
The flaw exposed officers from the NSA and US Secret Service, the UK’s GCHQ and MI6, Russia’s GRU and SVR RF, France’s DGSE, and the MIVD in the Netherlands. It was easy to find out the names and addresses of officers working at military bases such as Guantánamo Bay in Cuba, Erbil in Iraq, Gao in Mali, and bases in Afghanistan, Saudi Arabia, Qatar, Chad and South Korea; as well as personnel in nuclear storage facilities, maximum security prisons, military airports where nuclear weapons are stored, and drone bases.
Polar released a statement claiming no data was actually leaked, but it did turn off the feature following the report. The company says users can opt out of the sharing feature at any time, and that activity is set to private by default.
“It is important to understand that Polar has not leaked any data, and there has been no breach of private data,” reads their statement. “Currently the vast majority of Polar customers maintain the default private profiles and private sessions data settings, and are not affected in any way by this case. While the decision to opt-in and share training sessions and GPS location data is the choice and responsibility of the customer, we are aware that potentially sensitive locations are appearing in public data, and have made the decision to temporarily suspend the Explore API.”