Fitness device maker Polar suspended the Explore tracking feature of its Polar Flow mobile app after researchers discovered that the profile and geolocation data of high-ranking military personnel and “spies” was being exposed to the public through its network.
In a report released on Sunday by Dutch publication De Correspondent and digital forensics researchers, the authors said it was possible to exploit Polar Flow’s Explore function to discover the locations of secret military sites and the names and home addresses of high-ranking military personnel, all extracted from data made available via the application’s API.
Polar stresses no private data was “leaked” and in a precautionary move it has turned off the Explore function of its app as of July 6.
Researchers claim Polar Flow exposed the full names, profile pictures and geolocation data of 6,400 users, including “spies” and military personnel of 69 nationalities.
“With only a few clicks, a high-ranking officer of an airbase known to host nuclear weapons can be found jogging across the compound in the morning. From a house not too far from that base, he started and finished many more runs on early Sunday mornings. His favorite path is through a forest, but sometimes he starts and ends at a car park further away. The profile shows his full name,” wrote Foeke Postma, a researcher with investigative site Bellingcat who assisted De Correspondent in the report.
The incident comes six months after separate researchers found similar oversharing issues with the Strava fitness app. In that case, too, military personnel were unintentionally exposing the classified locations and routes of soldiers.
Polar, a Finnish-based fitness tracking giant with offices in New York, released a statement on the incident.
“It is important to understand that Polar has not leaked any data, and there has been no breach of private data. Currently the vast majority of Polar customers maintain the default private profiles and private sessions data settings, and are not affected in any way by this case,” Polar wrote.
“While the decision to opt-in and share training sessions and GPS location data is the choice and responsibility of the customer, we are aware that potentially sensitive locations are appearing in public data, and have made the decision to temporarily suspend the Explore API,” Polar continued.
The company apologized for the inconvenience to users who relied on the Explore feature, and said it would soon update customers on how it will handle the tracking feature in the future.
“In its current form, it is not difficult to find the time of deployment, home, photograph, and the function of a soldier in a conflict zone,” researchers wrote. “It does not take much imagination to see how this information could be used in dangerous ways by extremists or state intelligence services. This is especially concerning considering the data we managed to gather on personnel at multiple nuclear weapons storage sites.”
Postma points out that even Polar Flow users using the Explore function with the most restrictive privacy settings were still exposing old data: “Changing the privacy of sessions, even to the most strict, only affects new sessions. Older sessions will remain visible,” he wrote.
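The behaviour Postma describes, a privacy change that applies only to sessions uploaded afterwards, is what you get when visibility is copied onto each session at upload time instead of being resolved against the owner's current setting when the public feed is read. The following is an added illustration (constructed model, not Polar's code or data): a flawed store that snapshots visibility at upload, and a hardened store that resolves it at read time so the change is retroactive. The user and session records are invented for the example.

```python
"""Constructed model of session visibility: snapshot-at-upload (leaks history)
versus resolve-at-read (privacy change applies to old sessions too)."""
from dataclasses import dataclass
from typing import Optional

PUBLIC, PRIVATE = "public", "private"


@dataclass
class User:
    name: str
    default_visibility: str = PUBLIC  # account-level "sessions" privacy setting


@dataclass
class Session:
    session_id: int
    owner: str
    route: list                       # list of (lat, lon) points, constructed
    snapshot_visibility: str          # value copied from the owner at upload time
    override: Optional[str] = None    # explicit per-session setting, if any


class SnapshotStore:
    """Flawed design: the feed trusts the visibility value that was copied onto
    the session when it was uploaded. Tightening the account setting later
    does nothing for sessions that are already stored."""

    def __init__(self):
        self.users = {}
        self.sessions = []

    def add_user(self, user: User) -> None:
        self.users[user.name] = user

    def upload(self, owner: str, route: list, override: Optional[str] = None) -> int:
        user = self.users[owner]
        session = Session(len(self.sessions) + 1, owner, route,
                          user.default_visibility, override)
        self.sessions.append(session)
        return session.session_id

    def set_default_visibility(self, owner: str, visibility: str) -> None:
        self.users[owner].default_visibility = visibility

    def explore(self) -> list:
        """Public feed: session ids visible to anyone."""
        return [s.session_id for s in self.sessions
                if (s.override or s.snapshot_visibility) == PUBLIC]


class ResolvedStore(SnapshotStore):
    """Hardened design: effective visibility is computed at read time from the
    owner's *current* setting (unless the session carries an explicit
    override), so an account-level change covers every stored session."""

    def effective_visibility(self, session: Session) -> str:
        if session.override is not None:
            return session.override
        return self.users[session.owner].default_visibility

    def explore(self) -> list:
        return [s.session_id for s in self.sessions
                if self.effective_visibility(s) == PUBLIC]


def demo(store_cls) -> list:
    """Upload one session while public, switch the account to private, upload
    another, then read the public feed. Returns the visible session ids."""
    store = store_cls()
    store.add_user(User("runner"))                     # constructed user
    store.upload("runner", [(60.17, 24.94), (60.18, 24.95)])   # id 1, while public
    store.set_default_visibility("runner", PRIVATE)
    store.upload("runner", [(60.17, 24.94), (60.19, 24.96)])   # id 2, after the change
    return store.explore()


if __name__ == "__main__":
    print("snapshot store feed:", demo(SnapshotStore))   # old session still listed
    print("resolved store feed:", demo(ResolvedStore))   # nothing listed
```

The design point is that a privacy setting is an access-control decision and should be evaluated when data is served, not frozen into the record when data is written; the same read-time check also lets a later deletion or tightening of the setting take effect without a backfill job over historical sessions.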
In January, after the Strava oversharing issue came to a head, the U.S. military updated its guidelines for the use of all wireless and technological devices (including fitness trackers) on military facilities.
“We will not divulge specific tactics, techniques and procedures. However, we have confidence in our commanders’ abilities to enforce established policies that enhance force protection and operational security with the least impact to our personnel,” the U.S. Military Central Command press office in Kuwait told The Chicago Tribune at the time.
“Fitness devices and apps are just one more area where people need to be aware of what kind of data they are sharing, particularly as they strongly rely on sensitive data such as location and health-metrics,” wrote the researcher. “As always, check your app-permissions, try to anonymize your online presence, and, if you still insist on tracking your activities, start and end sessions in a public space, not at your front door.”
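The researcher's closing advice, to start and end sessions away from your front door, can also be enforced on the app side by trimming the ends of a GPS track that fall inside a radius of a user-defined home location. The following is an added example (constructed, not code from Polar or from the researchers): a haversine distance helper and a trimmer that drops leading and trailing points within a privacy radius. The home coordinate and track points are invented sample data.

```python
"""Constructed example: strip the start and end of a GPS track that lie within
a privacy radius of a sensitive location (e.g. the user's home)."""
import math

EARTH_RADIUS_M = 6371000.0


def haversine_m(a, b) -> float:
    """Great-circle distance in metres between two (lat, lon) points in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def trim_privacy_zone(track, home, radius_m: float) -> list:
    """Return the track with any leading and trailing points within radius_m of
    home removed. Interior points are left alone: the track may legitimately
    pass near home mid-session, and the leak discussed on the page comes from
    where a session starts and finishes. A track that never leaves the zone
    becomes empty."""
    inside = [haversine_m(p, home) <= radius_m for p in track]
    start = 0
    while start < len(track) and inside[start]:
        start += 1
    end = len(track)
    while end > start and inside[end - 1]:
        end -= 1
    return list(track[start:end])


# Constructed sample: home plus a loop that leaves and returns along the same
# line. 0.001 degrees of latitude is roughly 111 m, so the offsets below are
# about 56 m, 333 m and 1111 m from home.
HOME = (60.1699, 24.9384)
SAMPLE_TRACK = [
    HOME,
    (60.1704, 24.9384),   # ~56 m from home, inside a 200 m zone
    (60.1729, 24.9384),   # ~333 m, outside
    (60.1799, 24.9384),   # ~1111 m, outside
    (60.1729, 24.9384),   # ~333 m, outside
    (60.1704, 24.9384),   # ~56 m, inside
    HOME,
]


if __name__ == "__main__":
    kept = trim_privacy_zone(SAMPLE_TRACK, HOME, radius_m=200)
    print(f"kept {len(kept)} of {len(SAMPLE_TRACK)} points")
    for p in kept:
        print(p, f"{haversine_m(p, HOME):.0f} m from home")
```

Trimming on the device or at upload time is stronger than hiding the session afterwards, because the sensitive endpoints are never stored server-side at all; the radius should be generous enough that the first retained point does not itself identify a single building.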