Strava’s heatmap inadvertently reveals the world’s military secrets

If you happen to be a soldier stationed at one of the world’s military bases, secret operation centres or covert patrols, you may want to switch off your phone’s GPS and consider uninstalling all fitness apps, including Strava.

Like, stat.

In November 2017, “social network for athletes” Strava published a detailed heatmap of the world’s most popular training routes — be it running, cycling or even kitesurfing — that its users frequent.

The data contained within the map was beyond deep.

Some three-trillion GPS points were logged, containing more than 10 terabytes of data in total. This amounted to more than a combined 27-billion kilometes in distance covered across nearly 5% of the Earth’s surface.

The information was garnered through the app, which can be installed on fitness watches, smartphones and other IoT devices.

Its route information so detailed, that you could easily use it to navigate a city. But that’s not all it can be used for.

All this data has inadvertently revealed some of the planet’s most secretive and tactical military operations.

Spotted by Twitter user Nathan Ruser over the weekend, the map seemingly tracks soldiers training in some of the more remote regions of the planet, including Afghanistan’s Helmand Province, the middle of Yemen, the Incirlik Air Base in Turkey, and even Area 51 in Nevada.

Strava released their global heatmap. 13 trillion GPS points from their users (turning off data sharing is an option). https://t.co/hA6jcxfBQI … It looks very pretty, but not amazing for Op-Sec. US Bases are clearly identifiable and mappable pic.twitter.com/rBgGnOzasq

— Nathan Ruser (@Nrg8000) January 27, 2018

And because of these areas’ lack of population, it could only point to military activity.

“If soldiers use the app like normal people do, by turning it on tracking when they go to do exercise, it could be especially dangerous,” Ruser tweets.

Military personnel’s fitness activity across the world can be viewed on Strava’s detailed heatmap, you just need to know where to look

Users spent much of the weekend perusing the map, picking out these bases, to the likely annoyance of world military chiefs.

So much cool stuff to be done. Outposts around Mosul (or locals who enjoy running in close circles around their houses): pic.twitter.com/wHItJwYUUI

— Tobias Schneider (@tobiaschneider) January 27, 2018

You can literally spend less than a minute on Stravas new data service and find sensitive sites. Nice patriot position you have there pic.twitter.com/eYS8TOuT0F

— Lost Weapons (@LostWeapons) January 27, 2018

Patrol on the Korean DMZ. You can pretty much perfectly make out the route they take on snowy sat images pic.twitter.com/WyVJXeKiBl

— Lost Weapons (@LostWeapons) January 28, 2018

Rather interested to see what these two circles of activity are on the Strava map, seemingly in the middle of nowhere, Yemen https://t.co/xayZs30PkN pic.twitter.com/xLpWly9D0A

— Eliot Higgins (@EliotHiggins) January 27, 2018

Cross-referencing @mjranum‘s recent post about using Google Maps to identify CIA “Black” sites in Djibouti, with the #Strava heat-map, appears to offer corroboration https://t.co/PfXDqRIvSS pic.twitter.com/GlxWOoKWcj

— Alec Muffett (@AlecMuffett) January 28, 2018

I don’t know who in the @39thAirBaseWing is running laps among the nuclear weapons at Incirlik AB with @Strava on his/her smartphone or IOT wearable … but please stop. (Also, lets take the weapons out.) pic.twitter.com/T7XZytNPJx

— Jeffrey Lewis (@ArmsControlWonk) January 28, 2018

While Strava employees probably didn’t foresee the firestorm it was unleashed on the planet’s infosec network, the map is massively problematic for a number of reasons.

Not only does it reveal a slew of formerly unknown-to-the-public military bases and operations, it also alerts hostiles to forces’ locations. Additionally, thanks to location data, common routes are now known and can be exploited.

Notably, Strava shouldn’t be pelted for revealing this information, rather those who use the app should be more cautious when using its GPS logging features. It can be disabled too, which makes this heatmap all the more puzzling.

And this is just information garnered by Strava — a single fitness app. What if the likes of Garmin, Fitbit, Google or even Apple were to release heatmaps of their users’ location data?

The map is still available for the public to peruse, but somehow we’re probably not the only ones studying the map at this point in time.

Feature image: screenshot of South Africa via Strava heatmap