The company suspended the service only after journalists who had discovered the flaw approached it.
The Polar Flow fitness application of the Finnish company Polar, because of a flaw in its privacy settings, made it possible to identify the names, addresses and activities of thousands of users who work at intelligence services and military facilities, according to a joint investigation by the Bellingcat team and the Dutch outlet De Correspondent.
Several “smart” products of the Finnish company, including smartphones, watches, scales and fitness bracelets, connect to the Polar Flow service and record GPS data. The devices can be synchronized to collect activity and other data in a personal account. The results can be added to the global Explore map, which acts as a social platform.
Polar insisted that any user has the right to mark their profile as private and thereby not share data with third-party applications such as Facebook. However, journalists noted that photos often appeared in profiles even when their owners had not linked Polar with Facebook.
The flaw in the application allowed the authors of the investigation to find names, addresses, medical data, routes, as well as dates and other details of the training of servicemen and intelligence officers around the world.
With the help of information on the Polar Explore map, journalists collected a list of 6460 users who work near “especially important” areas – secret sites, military bases, intelligence offices and potentially dangerous places.
Typically, the journalists entered the coordinates of military bases or various agencies on the Polar Explore map and then looked up the routes starting from those places. The end points were most often the user's home address or the hotel where they were staying. Missing details such as the exact building number could be found through open sources. It also turned out that many servicemen use their real names in the fitness application, or nicknames that closely resemble their real names.
The investigation says that Polar Explore has tracked the activity of every user since 2014, sharing the data every time the tracker is switched on.
As a result, anyone who wanted to track an employee of a secret facility only had to find that facility on the map, select a workout and study the profile of one of the users.
Bellingcat and De Correspondent did not publish precise data on any of the servicemen, but they did present a list of “findings”, that is, the categories of people who could be tracked through the fitness application. Among them:
- Russian servicemen in the Crimea;
- Servicemen at facilities where nuclear weapons are stored;
- Employees of intelligence agencies, embassies;
- People working for the FBI, NSA and NASA;
- Servicemen who specialize in cyber security and missile defense;
- Employees on submarines and underwater bases;
- Employees of nuclear power plants;
- Americans in the “green zone” of Baghdad, where the government facilities are located;
- Guantanamo Prison staff;
- Troops near the border with the DPRK;
- Pilots participating in raids on the objects of the “Islamic state”.
Before publication, the journalists shared the results of the investigation with representatives of Polar. The company then apologized on its official website and stated that it had suspended the Explore API. Polar also denied that any data leak had taken place.
Polar is not the only company that has faced security problems due to fitness trackers. However, in the case of Strava, whose scandal unfolded in early 2018, the journalists were able to find only the geolocation of military bases. Applications like Strava and Garmin, unlike Polar, show each workout on a separate map and limit the number of sessions available for viewing. In Polar Explore, virtually all sessions of users around the world were displayed on a single map.