Did a fitness app expose the identities of SAS operators?

A fitness app might have been responsible for exposing the identities of numerous British Special Air Service (SAS) operators.

According to Nick Waters, a former British Army officer and open source analyst with Bellingcat, the fitness app Strava can be manipulated into revealing the identities of Special Operations personnel.

Waters identified the security lapse during an experiment. The former infantry officer described how he managed to find out the identities. “I made up my own training session,” he said. “And convinced Strava that I had run a certain distance in a certain time inside the base [he was referring to the Hereford base where the Special Air Service is headquartered]. The app then started giving me the names and Facebook profiles of people who had actually run the same route. I started freaking out a bit because I knew this was the kind of information, I probably shouldn’t have access to. So I turned it off. It shows how social media is an incredibly powerful monitoring tool and it can be used by anyone to access personal information.”

Although Personal Security (PERSEC) concerns are often exaggerated — even in most Special Operations units — operators who are serving at the tip of the spear, that is Tier 1 units such as the SAS, Delta Force, SEAL Team 6, are considered a national level asset and thus their identities must remain secret.

Waters, who is the senior investigator at Bellingcat, added three lines of code to the app and was then able to fabricate a run in the SAS compound. The fitness app, then, started sharing the run dates and times of people who had run the same route. Using the same approach, Waters was able to pinpoint Special Operations bases in Syria and Africa.

Strava is an application that allows a person to track his mileage while running, cycling, or rucking to better monitor his workout. To ensure accuracy, Strava utilizes the Global Positioning System (GPS). The app boasts over 50 million users across the world.

Granted, some of the names he uncovered might very well be support personnel attached to the SAS or other SOF units but that would still be a security breach.

Following Water’s revelations, Strava released a statement saying that “the safety and privacy of our athletes is our highest priority. We’ve long had a suite of privacy tools that give members control over what they share. We’ve improved these self-service features to make them even simpler and more transparent and encourage members of the Armed Forces using Strava to follow the policies of their military branch.”

What’s the moral of the story? Stop using apps to track your workouts. A stopwatch is more than enough for experienced runners or ruckers, who can calculate their pace based on the level of perceived exertion.