Strava is a fitness app. So, apparently, the security detachment of political figures tends to use the app, presumably because they're into fitness and keep in shape, and their location can be tracked through the app.
As the security detachment tend to travel with the people they protect, political leaders locations can be inferred.
The article talks about bodyguards not being allowed to use social media/apps while on the job; there are provisions allowing use when not on active duty. So, I guess, the guards get a day off, use the app, wherever they are, broadcasting their location.
More specifically, it's a social network for sharing workout data. Sharing data is like, first and foremost what it's about. It has the same privacy controls you'd expect of social networks (public/friends/private both globally and per post/activity) as well as some that are special to a location-sharing app (hidden addresses).
This was either a gap in social media policy set for the guards, or a violation of that policy on the part of the guards.
Yeah, the targeting isn't that difficult, I guess. If you know crown prince Akeem Joffer was in New York 5 days ago, and was in Paris 3 days ago, you can probably diligently query Strava users who weren't in New York for a long time but showed up 5 days ago, and see if they showed up in Paris 3 days ago, and boom, you've found a member of his entourage.
Even if they use the anonymizing feature that masks their start/end points, if you find a few other members, you might be able to triangulate a big hotel near them and guess that that's where the crown prince stayed... and the next time you hear he's coming to NY/Paris, you have this information.
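The correlation step that comment describes (accounts that had not been in New York for a long time, appear there on the day the principal did, and then appear in Paris two days later) can be written down directly. What follows is an added illustration, not code from the article or from Strava: the activity rows and the itinerary are constructed sample data, and `lookback_days` is an assumed parameter for how long an account must have been absent from a city to count as newly arrived.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data (not real Strava records): one row per public
# activity, as (user, city, ISO date). In practice these would come from
# public activity feeds; here they are hand-written for the example.
ACTIVITIES = [
    ("guard_a", "Washington", "2024-02-10"),
    ("guard_a", "Washington", "2024-02-20"),
    ("guard_a", "New York", "2024-02-25"),
    ("guard_a", "Paris", "2024-02-27"),
    ("guard_a", "Munich", "2024-03-02"),
    ("guard_b", "New York", "2024-02-25"),
    ("guard_b", "New York", "2024-02-26"),
    ("guard_b", "Paris", "2024-02-27"),
    ("guard_b", "Paris", "2024-02-28"),
    ("guard_b", "Munich", "2024-03-02"),
    ("nyc_local", "New York", "2024-02-01"),   # resident: trains in NY all the time
    ("nyc_local", "New York", "2024-02-15"),
    ("nyc_local", "New York", "2024-02-25"),
    ("nyc_local", "Paris", "2024-02-27"),
    ("tourist", "New York", "2024-02-25"),      # only matches the first stop
    ("tourist", "London", "2024-02-27"),
    ("commuter", "New York", "2024-02-05"),     # regular visitor, 20 days earlier
    ("commuter", "New York", "2024-02-25"),
    ("commuter", "Paris", "2024-02-27"),
]

# Publicly reported stops of the protected person: (city, ISO date).
ITINERARY = [("New York", "2024-02-25"), ("Paris", "2024-02-27")]


def _index(activities):
    """Group activities as user -> list of (city, date)."""
    by_user = defaultdict(list)
    for user, city, day in activities:
        by_user[user].append((city, date.fromisoformat(day)))
    return by_user


def users_matching_itinerary(activities, itinerary, lookback_days=30):
    """Users active in every itinerary city on the itinerary day who were NOT
    active in that city during the `lookback_days` before it. The lookback
    filter is what removes residents and regular visitors, leaving the
    accounts that arrived with the principal."""
    by_user = _index(activities)
    lookback = timedelta(days=lookback_days)
    matches = []
    for user, recs in by_user.items():
        fits_all_stops = True
        for city, day_s in itinerary:
            day = date.fromisoformat(day_s)
            present = any(c == city and d == day for c, d in recs)
            recently_there = any(
                c == city and day - lookback <= d < day for c, d in recs
            )
            if not present or recently_there:
                fits_all_stops = False
                break
        if fits_all_stops:
            matches.append(user)
    return sorted(matches)


def shared_stops(activities, users):
    """(date, city) pairs on which every identified entourage member was
    active. Pairs that are not on the public itinerary are new information
    about where the principal went."""
    by_user = _index(activities)
    common = None
    for u in users:
        mine = {(d.isoformat(), c) for c, d in by_user.get(u, [])}
        common = mine if common is None else common & mine
    return sorted(common or [])


if __name__ == "__main__":
    entourage = users_matching_itinerary(ACTIVITIES, ITINERARY)
    print("candidate entourage:", entourage)
    print("stops they share:", shared_stops(ACTIVITIES, entourage))
```

Two accounts survive the filter; the resident and the regular visitor are dropped by the lookback check, and the tourist fails the second stop. The second function is the "next time" step from the comment: once the accounts are linked, every date and city they share, including ones never reported publicly, falls out of the same data.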
Cell phone tracking is better at surveillance than the best stuff the military has.
https://www.washingtonpost.com/national-security/2024/02/22/... has a fun story about a time at Fort Irwin (US Army laser tag in the desert) one side couldn't figure out how an attack helicopter got through their defenses, until they did some queries on a commercial cell phone tracking database and found the cellphone moving across the desert at 120mph. Hole identified, plugged for the next round.
And also talks about how the Ukrainians and Russians are having a great deal of trouble with cell phone OPSEC even after years of shooting war.
An old coworker used to work on what is basically a Stingray for air platforms with some sort of direction-finding capability. Presumably, you'd strap it to a drone and fly it over villages where you suspect bad guys are. Do this every few days and in multiple locations and you'd establish patterns of movement and links between networks of people.
For anyone else struggling to understand this initially, they were able to tell the flight path of the attack helicopter as it evaded detection by looking at the historic path of a phone of a person that was on the helicopter.
It wasn’t a helicopter spoofing itself as a phone or something crazy like that.
Probably not better than the best stuff the military has... Still really good, mind.
And, yeah, unintended uses are usually prime locations for security breaches. For a long time (maybe still?) metadata on pictures that people post would reveal far more than people meant. Thumbnails of cropped pictures, even.
The simplest solution to this is bureaucratic. Establish an app approval cybersecurity office within some agency and have the office make two lists: apps that have specific security configurations that need to be enabled and apps that are outright banned.
Then you just make compliance with the lists necessary for certain security clearances.
This is why I only use Strava to share with my followers.
Yes, it's an extra step after my workout to edit, add pics if any, choose my activity level if I was too lazy to put on my HR monitor, and then only post to my followers.
Yes, this means I get less likes and can't participate in challenges etc. But it's really about sharing with my colleagues and friends so they can motivate me for my next ride.
I wouldn't trust their security restrictions. Their API and authentication are primitive. For a while I ran a basic bot to automate data extraction. Their security is 20+ years behind other social networks.
You likely have bot followers and API calls that can read your latest activity GPX data.
It's not clear to me whether the location was determined using the public, as in shared, information, or information set as private. So did they masquerade as followers, or hack the system?
This kind of attitude is why we get such bad IoT security.
Everyone deserves privacy - just like with Facebook, a bad actor watching your profile could infer your movements on Strava (or lack thereof) and use that to break into your home or steal your ride.
Strava has suffered from this and had known attacks for 10+ years now. There was a famous case around Colorado of a mistaken doxxing attack driven by Reddit. Due to mistaken identity, attackers pursued an innocent victim using their Strava account. The Strava location was the cause of both the mistaken identity case and abused to find and dox the victim.
Strava’s anonymization algorithm (the bubble feature) is primitive and trivially de-anonymized with basic triangulation.
The company has never adequately responded to privacy concerns despite many abuse cases.
> Strava’s anonymization algorithm (the bubble feature) is primitive and trivially de-anonymized with basic triangulation.
That is not true. It picks a single random centroid near your privacy location and does the privacy feature based on that. Triangulation finds the random centroid, which is crucially not your hidden location.
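The reply above describes the privacy zone as a circle drawn around a random point near the hidden location rather than around the location itself. The following added example (not Strava's code; the scheme is modelled exactly as that comment describes it, with an assumed 400 m radius and an assumed bound on the random offset) simulates several tracks leaving a home, cuts each one at the circle boundary, and then does the triangulation the earlier comment had in mind: fitting a circle through the visible cut points. The fit recovers the random centroid to within floating-point error, but the home is only known to lie somewhere inside the recovered circle.

```python
import math
import random

# Assumed parameters for the model (not Strava's real values).
RADIUS_M = 400.0       # radius of the hidden circle, in metres
MAX_OFFSET_M = 250.0   # how far the random centroid may sit from the home


def make_centroid(home, rng, max_offset=MAX_OFFSET_M):
    """Scheme as the comment describes it: the circle is centred on a random
    point near the hidden location, not on the hidden location itself."""
    angle = rng.uniform(0.0, 2.0 * math.pi)
    dist = rng.uniform(0.2 * max_offset, max_offset)  # never exactly at home
    return (home[0] + dist * math.cos(angle), home[1] + dist * math.sin(angle))


def exit_point(home, heading, centroid, radius=RADIUS_M):
    """First visible GPS point of a straight track that starts at `home` and
    leaves at `heading`: the point where the ray crosses the circle."""
    ux, uy = math.cos(heading), math.sin(heading)
    wx, wy = home[0] - centroid[0], home[1] - centroid[1]
    b = ux * wx + uy * wy
    c = wx * wx + wy * wy - radius * radius  # negative while home is inside
    t = -b + math.sqrt(b * b - c)            # positive root of t^2 + 2bt + c
    return (home[0] + t * ux, home[1] + t * uy)


def circumcircle(p, q, r):
    """Centre and radius of the circle through three points."""
    (ax, ay), (bx, by), (cx, cy) = p, q, r
    d = 2.0 * (ax * (by - cy) + bx * (cy - ay) + cx * (ay - by))
    if abs(d) < 1e-9:
        raise ValueError("points are collinear")
    a2, b2, c2 = ax * ax + ay * ay, bx * bx + by * by, cx * cx + cy * cy
    ux = (a2 * (by - cy) + b2 * (cy - ay) + c2 * (ay - by)) / d
    uy = (a2 * (cx - bx) + b2 * (ax - cx) + c2 * (bx - ax)) / d
    return ux, uy, math.hypot(ax - ux, ay - uy)


def recover_zone(cut_points, tol=1e-3):
    """What an observer holding several truncated tracks can do: fit the
    circle through three cut points and check that the rest lie on it."""
    cx, cy, rad = circumcircle(*cut_points[:3])
    for x, y in cut_points[3:]:
        if abs(math.hypot(x - cx, y - cy) - rad) > tol:
            raise ValueError("cut points do not lie on one circle")
    return cx, cy, rad


def simulate(seed=1, n_tracks=6):
    """Constructed scenario: home at the origin of a local metre grid and
    tracks leaving in evenly spaced directions. Returns how far the
    recovered centre is from the random centroid and from the real home."""
    rng = random.Random(seed)
    home = (0.0, 0.0)
    centroid = make_centroid(home, rng)
    headings = [2.0 * math.pi * k / n_tracks for k in range(n_tracks)]
    cuts = [exit_point(home, h, centroid) for h in headings]
    cx, cy, rad = recover_zone(cuts)
    return {
        "centroid_error_m": math.hypot(cx - centroid[0], cy - centroid[1]),
        "home_error_m": math.hypot(cx - home[0], cy - home[1]),
        "radius_m": rad,
    }


if __name__ == "__main__":
    for seed in range(3):
        print(simulate(seed))
```

The consistency check in `recover_zone` is also what distinguishes the two designs people argue about: if every activity used a fresh random centroid, the cut points would not share one circle and the fit would fail, whereas a single fixed centroid (as the comment states) gives one clean circle whose centre is still not the home. Either way the observer's best statement is "the hidden point is within `RADIUS_M` of here", which is the bound the scheme is meant to leave.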
People should just stop using Strava, or at least stop making their Strava data public to the world (not sure if that's an option cause I've never used that app). They should just run/cycle, whatever, forget about gps.
Crazy stuff.
https://www.theguardian.com/world/2018/jan/28/fitness-tracki...
Seeing through walls with WiFi is better. Or slurping up the main pipes and decrypting it. Which they also have.
Military tech is always a decade ahead of civilian, that's why the US has easily won every armed conflict they've entered into in the past 50 years
Strava heatmap can be used to locate military bases - https://news.ycombinator.com/item?id=16249955 - Jan 2018 (271 comments)
Turns out soldiers enjoy tracking their runs around the base!
- apps that are allowed to be installed, pinned by version with a person responsible for monitoring them
You travel with one of the most powerful people in the world?
You can make your account private, or individual activities private (including by default).