Security Bits Logo

Security Bits – Spectre/Meltdown Update, Strava Heat Maps

Followup — Spectre & Meltdown News

Security Medium — Strava Heatmaps have Unintended Consequences

The popular exercise tracking app Strava regularly produces a really cool heat-map that shows where most people run, cycle, swim etc.. The data is anonymised, so it all seems like some innocent fun. The latest version of the heatmap was published back in November, and no one thought it was a problem.

That all changed this week when an Australian security researcher noticed that there are some places where anonymisation doesn’t work like you might expect because of strong selection effects.

The most dangerous of these effects is tracks in areas where the majority of users are US military personnel. In NYC you can’t tell which of the millions of tracks is by soldiers, but in rural Afghanistan, you effectively can, because the locals are not big Strava users, so just about every track is US milliary personel! Just imagine how useful that heat map is to terrorists planning attacks!

Sharing of anonymised data is the default in Strava, but it’s not required to use the app. There is a private mode, and private data is not included in the heatmaps. Having said that, Strava have promised to simplify their privacy settings so users can more easily understand what they are and are not sharing.

IMO there are two leasons to be taken from all this:

  1. Vulnerable users in dangerous places need to use the privacy features provided, and the organisations that put them in harm’s way need to help them understand the risks and the actions they need to take to mitigate them.
  2. Companies releasing data need to be more aware of selection effects which can make seemingly anonymous data anything but. That means being more selective about what gets released — parts of a dataset that are very sparse should be redacted. If Strava had only published heatmaps in countries with a lot of Strava users this would have been much less of a problem.

Links

Notable Security Updates

  • Apple released security updates for macOS (El Capitan, Sierra & High Sierra), iOS, watchOS, tvOS & Safari — www.us-cert.gov/…
    • As mentioned above, this includes Meltdown patches for El Capitan & Sierra, and further mitigations for High Sierra
    • The updates include fixes for the ChaiOS iMessage flaw we mentioned last time — www.macobserver.com/…

Notable News

Suggested Reading

Palate Cleansers

Leave a Reply

Your email address will not be published.

Scroll to top