Polar fitness app broadcasted sensitive data of intelligence and military personnel

The Mobile fitness app Polar has suspended its location tracking feature due to the leakage of sensitive data on military and intelligence personnel.

A new privacy incident involved Fitness application and military. this time the Mobile fitness app Polar has suspended its location tracking feature due to the leakage of sensitive data on military and intelligence personnel from 69 countries.

This is the second incident in a few months, in January experts discovered that military worldwide have publicly shared online their exercise routes recorded through the fitness tracker Strava revealing the fitness sessions conducted inside or near military bases.

During the weekend, Dutch security experts revealed they were able to find data on some 6,000 individuals including military personnel from dozens of countries and FBI and National Security Agency personnel.

According to an investigation by the news website Bellingcat and the Dutch news agency De Correspondent, the fitness devices were leaking data belonging to the military or intelligence officials who could be exploited by a threat actors to spy on them.

“With only a few clicks, a high-ranking officer of an airbase known to host nuclear weapons can be found jogging across the compound in the morning,” explained the security researcher Foeke Postma that investigated the case with the Dutch news outlet De Correspondent.

“We can find Western military personnel in Afghanistan through the Polar site. Cross-checking one name and profile picture with social media confirmed one soldier or officer’s identity.”

The experts discovered detailed personal information, including home addresses, of military personnel, persons serving on submarines, Americans in the Green Zone in Baghdad and Russian soldiers in Crimea.

The exposure of such data poses serious risks to the military personnel as reported in a post published by Defensenews.com.

“Bellingcat was able to pinpoint the name of a “high-ranking officer” at a base known to host nuclear weapons. It took just a few clicks. Using the Polar Flow app and other information found on the internet, De Correspondent was able to collect a disturbing amount of one Dutch solider’s personal information.” reads the blog post published by Defensenews.com.

“They found the name of the solider, the fact he was stationed at one of the key locations where the war against the Islamic State is being waged from, the soldier’s home address, and the names of his wife and kids.”

In response to the privacy incident, Polar has disabled the feature that allowed users to share data and pointed out that any data made public was the result of users who opted in to location tracking.

The company has already implemented a number of measures to mitigate the exposure of its users along with the suspension for the Flow Explore feature until further notice.

The location tracking feature allows thousands of athletes daily all over the world to share and data related to their training sessions.

“If there hasn’t been a data breach, why have you suspended the Explore feature?

While the decision to opt-in and share training sessions and GPS location data is the choice and responsibility of the customer, we are aware that potentially sensitive locations were appearing in public data, and have made the decision to suspend the Explore until further notice.” reads the statement published by Polar.

“I have seen statements that suggest that Polar leaked data – Did Polar leak any data?Contrary to what has been reported—it’s important to clarify that Polar has not leaked any data. Furthermore, there has been no breach of private data.”

De Correspondent investigation revealed that only about two percent of Polar users chose to share their data, but journalists and experts were able to collect sensitive data from military or civilian personnel.

“We found the names and addresses of personnel at military bases including Guantanamo Bay in Cuba, Arbil in Iraq, Gao in Mali, and bases in Afghanistan, Saudi Arabia, Qatar, Chad, and South Korea,” states the De Correspondent report.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Polar, data leak)

[adrotate banner=”5″]

[adrotate banner=”13″]