Strava heatmap exposes sensitive military bases invokes the law of unintended consequences.

Issue
Something as innocuous as a running application paired with cloud access and GPS location data allowed users to identify sensitive military and government bases and users.  The Guardian newspaper used a script to generate GPS data to upload to a Strava account.  Following this, they used the application to find other users that also do the same run.  The runs matched sensitive locations such as military installations and classified government facilities.  They identified 50 users by name.

With so many interconnecting devices, where is the boundary of your data?  If you don’t know where your data is, and where it goes, you cannot secure it.  With multiple devices providing cloud or syncing functionality, the ease at which data can unintentionally leak out of the environment is astounding.

Impact
The impact from the Strava heatmap to InGuardians customers is relatively low.  The issue does present us with the conundrum of securing our data, performing operational security, and still being able to use that data and the many applications that have become intrinsic to our businesses.

Recommendations
InGuardians primary recommendation is to analyze the potential exfiltration threats that applications pose, and create a policy to deal with these accordingly.  Some examples of applications and policies in this arena would be social media use policy, on-site photography or mobile phone use, or modifying the metadata.

InGuardians also recommends implementing a Mobile Device Management (MDM) solution to enforce policy onto the devices managed by your organization.  Implementing steps in order to lock down functionality on these devices based on your internal processes and policies is critical.  Unknown, unmanaged devices should not be allowed on your network.  The larger concern goes beyond “Strava” and may include data that is gathered but not publicly mapped.

Additional Resources

Strava Heatmap and related articles

https://labs.strava.com/heatmap/#6.00/34.08716/29.07362/hot/all

https://www.washingtonpost.com/news/the-switch/wp/2018/01/31/lawmakers-demand-answers-about-strava-heat-map-revealing-military-sites/?utm_term=.7e78368ca5af

https://www.engadget.com/2018/02/02/strava-s-fitness-heatmaps-are-a-potential-catastrophe/

Metadata

https://support.office.com/en-us/article/Remove-hidden-data-and-personal-information-by-inspecting-documents-356b7b5d-77af-44fe-a07f-9aa4d085966f#ID0EAACAAA=PowerPoint