Want to send your location to ISIS? There’s an app for that.

Fitness trackers are OPSEC risks today, as IoT devices will be tomorrow

This past Saturday, one Middle East analyst discovered that U.S. troops had been recording their run routes while deployed to Iraq and Syria using fitness trackers such as FitBits and Apple Watches – then unwittingly uploading them to a fitness website known as Strava, where they could be observed. And as some observers have discovered, the data can be attributed to individual users, including 50 individual U.S. troops in Afghanistan.

The discovery has sent Pentagon leaders into panic mode, as U.S. Central Command and even Secretary of Defense James Mattis have been briefed on the discovery. But is this a huge concern from an operational security perspective?


When I deployed to Iraq in 2008, personal cell phones were off limits for troops. Of course, ten years is a long time in the tech world. I could go without my Blackberry, and most of my troops could put away their Motorola RAZRs for a year. Only a handful of soldiers had an iPhone – barely a year old at the time.

Today, smartphones are integral to our lives. They’re our camera, our music collection, even our wallet. Armed with Bluetooth technology and embedded GPS, smart devices collect an inordinate amount of data on us throughout the day, as do our web browsers and social media applications. We no longer just take photographs – we take “smart photos” loaded with metadata including GPS coordinates. Smart phones and fitness trackers record our steps and our heartbeats thousands of times every day, sometimes storing that data locally or occasionally uploading it to The Cloud.

Full disclosure – I’m an unabashed user of a fitness application known as Runmeter, which has recorded nearly six years’ worth of information on my daily runs including precise routing, pace, weather conditions, and even my heartbeat. I’m not alone when it comes to fitness trackers, either.  An observer noted during a recent session with nearly 20 junior U.S. Army soldiers that every single one wore a smart watch or fitness tracker.

My fitness tracker encourages me to work out, and I find that announcing my workouts to my Facebook and Twitter friends is a way to keep me accountable – my friends notice when I’m not working out and occasionally heckle me when I do work out.

But observers were shocked to see what Strava, a popular fitness application, did with its users’ personal data, posting precise run locations online, even to the point where one could track an individual user’s pace and pulse. Americans in general have strange and often contradictory attitudes towards privacy: we would balk if a doctor leaked our personal health data, but think nothing about recording our sleep patterns, vital signs, and even intimate details about our reproductive health in the memory banks of our smartphones.

For now, it doesn’t look as if Strava divulged operational details that weren’t already obvious.  It’s no secret that service members at Fort Bragg – “Home of the Airborne and Special Operations Forces” – run up and down Ardennes Road five times a week. Nor is it particularly shocking that U.S. troops have bases at Kobane and Tanf in Syria – both have been publicly acknowledged by the Pentagon and their locations are undoubtedly known to every warring faction in the region.

What is concerning, however, is what comes next. Geolocation features are becoming increasingly common in everyday devices, and search engines are becoming more adept at sorting through geotagged photographs. Witness the sheer number of geotagged photographs uploaded to services like Google Earth, with documented photographs from nearly every location on the planet – not to mention countless geotagged photographs which exist in Cloud storage services like iCloud. Add to this the fact that by 2020, over 20 billion devices are expected to be connected to the “Internet of Things.” Fitness trackers may be a security threat today, while smart vacuum cleaners and refrigerators may be a threat tomorrow.

Strava heatmap of Sarrin air base, Syria
A screenshot of a Strava heatmap of Sarrin air base, south of Kobane, Syria. The base itself is not visible the underlying satellite images. Image: Strava

As the Defense Department takes steps to bolster cybersecurity, elite hacking groups have turned their attention to personal email accounts and other such devices. The Russian-linked hacking group Fancy Bear targeted the personal Gmail accounts of over 300 Americans in the field of national security – with nearly 40 percent of those targeted clicking on malicious links. The Russians have continued their efforts to target personal devices, targeting the smartphones of NATO service members on exercise in Eastern Europe.

Nearly every service member and government official uses commercial email, social media, and personal electronic devices – from frontline troops to senior government officials. Though much is made about critical defense infrastructure, few think to safeguard the treasure trove of information troops carry around in their pockets.

Perhaps it’s time we did.

Crispin Burke is a U.S. Army officer. His views are his own and not those of the DOD. Follow him on Twitter at @crispinburke where you can also heckle his Runmeter feed.

All views and opinions expressed in this article are those of the author, and do not necessarily reflect the opinions or positions of The Defense Post.

The Defense Post aims to publish a wide range of high-quality opinion and analysis from a diverse array of people – do you want to send us yours? Click here to submit an Op-Ed.


Related Articles

1 thought on “Want to send your location to ISIS? There’s an app for that.”

Leave a Reply

Your email address will not be published. Required fields are marked *