Fitness app Polar Flow reveals home addresses of soldiers, spies


Polar Flow can reveal sensitive information about the lives of users, including intelligence agents, embassy workers, military men and women, workers at nuclear weapons storage sites, and so on.

Polar Flow privacy fail

What is Polar Flow?

Polar Flow is an app and web service that is used in conjunction with a variety of fitness trackers by Finnish company Polar.

It allows users to track their fitness and sleep activity, analyze their progress, set fitness targets and get guidance, and connect with other fitness enthusiasts.

It offers a number of features, including “Explore”, a way to discover new routes by browsing a map and to see the public training sessions that other users have shared.

Unfortunately, this feature also allows anyone to find sensitive details about military personnel, intelligence operatives, and any other user.

The research

By analyzing public training sessions near military bases and airfields, nuclear weapons storage sites and embassies, as well as other training sessions recorded by the same users around the world, investigative outfit Bellingcat and Dutch news site De Correspondent have identified 6,460 individuals who have tracked their sports activities at or near sensitive locations.

“By showing all the sessions of an individual combined onto a single map, Polar is not only revealing the heart rates, routes, dates, time, duration, and pace of exercises carried out by individuals at military sites, but also revealing the same information from what are likely their homes as well. Tracing all of this information is very simple through the site: find a military base, select an exercise published there to identify the attached profile, and see where else this person has exercised. As people tend to turn their fitness trackers on/off when leaving or entering their homes, they unwittingly mark their houses on the map,” Bellingcat researcher Foeke Postma explained.

By perusing the Polar Flow user activity map, using the information users themselves provide in their profiles (photo, name, city) and combining it with other information that can be found on the Internet, the researchers identified military and intelligence personnel by name and discovered where they live.

“We found the names and addresses of personnel at military bases including Guantánamo Bay in Cuba, Erbil in Iraq, Gao in Mali, and bases in Afghanistan, Saudi Arabia, Qatar, Chad, and South Korea. We also learned the names and addresses of personnel at nuclear storage facilities, maximum security prisons, military airports where nuclear weapons are stored, and drone bases,” the De Correspondent reporters noted.

They’ve also identified personnel at intelligence agencies in the US, UK, France, the Netherlands, and Russia.

The researchers have also probed other fitness tracking apps such as Endomondo, Runkeeper and Strava (which was found earlier this year to reveal patterns of life at military bases and secret sites).

Polar’s reaction

The researchers shared their findings with national defense departments around the world, intelligence agencies, Polar and other app makers, and gave all of them enough time to fix the problem before going public with it.

Polar ultimately decided to disable the map on its website, preventing others from recreating this research. The company also pointed out that the default setting on users’ accounts is to keep all workouts private, so the affected users had chosen to share their activity. But these default settings were only introduced in August 2017.

The researchers noted that it’s harder to identify people and find their home addresses via the other apps, but that they managed to do it.

“In contrast to Polar’s app, there is no indication that people whose profiles are set to private can also be identified in these apps,” they added.

Using fitness apps securely

“Fitness devices and apps are just one more area where people need to be aware of what kind of data they are sharing, particularly as they strongly rely on sensitive data such as location and health-metrics,” Postma noted.

“As always, check your app-permissions, try to anonymize your online presence, and, if you still insist on tracking your activities, start and end sessions in a public space, not at your front door.”
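The pattern Postma describes is a simple one to check for in your own data. The following self-audit script is an added example, not code from the article, Bellingcat or Polar: it takes the start and end coordinates of a user's own exported sessions, clusters the points that recur, and flags any location that keeps appearing, which is exactly what lets an observer infer a home from a public activity map. The session coordinates are constructed, and the 150 m radius and 3-hit threshold are assumed values.

```python
import math

# Constructed sample export: one (start, end) pair of (lat, lon) decimal-degree
# coordinates per session. Not real user data; the first point plays "home".
SESSIONS = [
    ((60.1699, 24.9384), (60.1702, 24.9390)),  # starts and ends at "home"
    ((60.1700, 24.9386), (60.1750, 24.9500)),  # starts at "home", ends elsewhere
    ((60.1820, 24.9600), (60.1698, 24.9382)),  # starts elsewhere, ends at "home"
    ((60.2100, 25.0100), (60.2150, 25.0200)),  # one-off session in a public area
    ((60.1701, 24.9387), (60.1701, 24.9385)),  # starts and ends at "home"
]


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    earth_radius_m = 6371000.0
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * earth_radius_m * math.asin(math.sqrt(h))


def cluster_endpoints(sessions, radius_m=150.0):
    """Greedy single-pass clustering of every session start and end point.

    Returns a list of (centre, count): centre is the first point seen for the
    cluster, count is how many endpoints fell within radius_m of it.
    """
    clusters = []  # each entry is [centre, count]
    for start, end in sessions:
        for point in (start, end):
            for cluster in clusters:
                if haversine_m(cluster[0], point) <= radius_m:
                    cluster[1] += 1
                    break
            else:  # no existing cluster was close enough: open a new one
                clusters.append([point, 1])
    return [(tuple(c[0]), c[1]) for c in clusters]


def likely_home_locations(sessions, radius_m=150.0, min_hits=3):
    """Flag clusters hit by at least min_hits endpoints.

    A location where sessions repeatedly start or stop is the signal the
    researchers used; anything flagged here is what a public map would leak.
    """
    return [(c, n) for c, n in cluster_endpoints(sessions, radius_m) if n >= min_hits]
```

Running `likely_home_locations(SESSIONS)` on the constructed data flags the single recurring location with six endpoint hits, while the one-off public session produces no flag.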

De Correspondent also provided how-to guides for securing data collected through the Polar, Endomondo, Runkeeper, Runtastic, and Strava apps.