Fitness and social media company Strava releases activity heat map. Excellent for locating military bases (h/t to @Nrg8000). labs.strava.com/heatmap/#6.06/…
346 replies and sub-replies as of Mar 02 2020

Somebody forgot to turn off their Fitbit. Markers trace known military outposts, supply and patrol routes.
Worth browsing a bit. Three positions around the US outpost at Tanf:
My focus is on Syria, but obviously works all over. French military base Madama in Niger:
A lot of people are going to have to sit thru lectures come Monday morning.
So much cool stuff to be done. Outposts around Mosul (or locals who enjoy running in close circles around their houses):
In Syria, known Coalition (i.e. US) bases light up the night. Some light markers over known Russian positions, no notable colouring for Iranian bases.
Outside of Aden:
You can literally spend less than a minute on Strava's new data service and find sensitive sites. Nice patriot position you have there
Okay here is where things get problematic: Via Strava, using pre-set segments we can scrape location specific user data from basically public profiles (and yes those exist w/in bases and lead us straight to social media profiles of service members).
It just keeps getting deeper. You can also trivially scrape segments, to get a list of people who travelled a route, and trivially obtain a list of users. #Strava
Not gonna post links or info but easy to very quickly ID a lot of people in very remote/sensitive places via this.
How many DMs are you getting from journalists asking for help in explaining this to their readers?
This is an opsec nightmare
is doing all they can to get this information out to our enemies.
You can see how tunnel entrances are connected at Cheyenne Mountain Complex because Strava attempts to draw a line between signal lost and reestablished :P labs.strava.com/heatmap/#19.00… and
Strava Global Heatmap
Over 1 billion activities, 13 trillion data points create the ultimate map of athlete playgrounds.
labs.strava.com
This is a far worse security risk than I thought
Yeah... It's pretty easy to ID individuals, their function, their regular running/biking routes in some very dangerous terrain.
‘ data if they decide to publish are the worst ever.
strava is going to get people killed
No... People letting themselves be tracked is going to get people killed you jackass
It isn’t Strava. It is people publishing their location in segments for the world to see. I use it but have a ‘secret’ place to ride that I never use Strava on. Obviously the folks in charge of security for these bases aren’t on Strava.
How automatic is the process of publishing segments? I mean - Does Strava do this automatically, or is it something you must invoke?
Segments are added by people but are also retroactive. So say you use Strava and no segments are on your route. Later someone else uses that route and adds a segment. Your past activity shows up. Really a cool feature as long as everyone understands what is happening.
Look at North Korea. It's interesting
I want to rt but don't think this should be spread around the world. If you are truly concerned and have means to bring this to someone in charge, you should tell them, NOT us!
I mean...oops
Excellent data source, thank you Tobias!!!
Ummm cc @DoD_CIO @NGA_GEOINT this thread above... This is a problem.
This is interesting but were Twitter users the right people to inform? Wouldn't it have been better to tell the MoD?
What kind of 'heat' are they showing? People that use a fitness app on their Smartphones?
What's the huge one just to the NW of al-Salamiyah?
Idea of russian soldiers in Syria with fitness trackers is very funny. As usual with West media coverage what thought to be Russian positions turn to be something else...
On top, the low res sat layers of strava can be easily matched with recent google footage (FOB lightning, Afghanistan)
That’s a clever trick! Very cool.
Not sure any of these particular outposts were hidden to anyone on the ground around Mosul. All were staging bases at some point during the operation to retake the city.
Sure! I'm just skimming about a little. Makes identifying them easier for remote sensing.
This one is interesting to me, north and east of Kirkuk in what looks like the middle of nowhere.
Via a friend: February 2016
Huh. Thanks. All those cars in the parking lot makes me think maybe it’s industrial, not military. Maybe oil related.
Someone, somewhere, is using one of these at a clandestine compound in an otherwise dead electronic region and just burned their safe haven.
do you know if Strava input data is only opt-in? any third party app sending data to Strava?
Idea for US Military: Air-Drop 20K FitBits connected to Strava in North Korea and let their military show-off their new gadgets and 24h later we'll know all their military bases :)
They shouldn't show the location; report it to whoever is responsible, to protect them from ruthless terrorists or the deranged.
This is brilliant!
Assuming policies change as a result, could secure military installations theoretically be trackable via legacy heatmap data?
Russian bases too... some of my favourites...
Somebody running along the Hasakah West Dam, where a U.S. helipad (?) was recently constructed. (cc @EliotHiggins, @Nrg8000, @GerardsScw, @obretix)
Yeah i talked about that possibility with @obretix a couple months ago, still no satellite updates though
Is there where a JSOC Pandur and an UKSF Escapade were filmed together? cc: @LeighJNeville
Do you have the footage?
Seems original source was deleted/changed handle
UKSF Bushmaster "Escapade", and Pandur on the left? via @Mohab_Naser2
Do you know what's going on here?
Trail running? Where's this?
Just northeast of the Tall Hosh dam.
Little visual clues to geolocate it unfortunately.
The Strava heat map led me to the US base at Harir airfield in Iraqi Kurdistan, north east of Erbil. wikimapia.org/#lang=en&lat=3… Looks like the airfield there got recently repaved.
might as well be a French, Italian, German, Canadian or even Iraqi user recording his/her tracks..;-)
Walking the perimeter of a US base? That seems unlikely, anyway it was more about the repaving which is a new development for that base, the heat map was just the tool that got me there.
Do I see someone taking shortcuts on their patrol route here?
As I see French @Defense_gouv is not better than the others... Oups...
Holy shit... this is not the automap screen from DOOM?
Now that would be a nice new layer on future OSINT projects... I really wonder how opsec breaches through careless mobile phone use are still a thing, even for US troops.
Already found some bases in Africa as well. How did no one see this..
Oddly sexual shape....
Somebody likes walking in rectangular paths northwest of Raqqa
A fitness conscious person in an elite compound north of Wonsan in DPRK also likes to track fitness on their smartphone
I have no idea what I'm supposed to be looking at here
sloppy Yankee soldiers leavin their running apps on, makin public US covert military installations in Syria & elsewhere
@JaffarAxeman they have blanked out syria on the map now i think ... at least i cannot see it
@JaffarAxeman also for parts of palestine where i can see markings on territories occupied in 1948 but the west bank is totally blank
around gaza has been erased too & it looks like part of al naqab where us military personnel are also known to have bases
@JaffarAxeman I'd take it with a pinch of salt tbh, Rmeilan airfield tht is know to now be occupied by US military also doesn't show up, just interestin 2 see other bases light up with a lot of activity
@JaffarAxeman now known * 😬
not a shockers, americans are dumb as fuck low iq morons
What is this sorcery?
That's honestly some pretty good opsec. Only one screwup in all the years they've been recording.
Do you worry that revealing the positions of US troops and their daily routines puts them at risk?
The information is already out there. A lot of times, sadly, it takes negative PR to get people, companies, and governments to fix security issues. Simply telling them isn't enough.
you're a real bright one, aren't you
Says some piece of shit from the Netherlands.
You think nobody knew this until now? At least it can be fixed vs operating under false sense of security
it puts them at risk if no one points it out. They have to painfully learn the lesson with shame now. Also it has to be public because otherwise they don't have incentive to fix that sh*t as they'd just cover it up and learn nothing
yes smartypants, that is the worry
Sending them to useless wars is even more a danger to their lives
We need to balance those risks with the benefits of getting in shape #Fitbit
Antarctica has a couple weird things, looks to be all underground
looks like the game's up if this is public...
Seems like giving up personal electronics should be like giving up your personal choices in wardrobe and hairstyle in today’s military? You just don’t have the option to wear neon red?
Seriously?!
pretty much everyone in the military has to run and they can't do it offbase in those locations. someone will always forget this stuff. might even be senior staff forgetting orders given to lower ranking folks
And they're going to be running a lot more now that this is known. "One foot by one foot grid across ALL the grounds and rooms. That map better look like a sheet of graph paper by sundown."
posting troop movements isn’t journalism dickhead
For sure it is. Especially if the troops are that stupid.
Does a Fitbit have GPS? I thought they just count steps and you have to carry your smartphone to map your exercises?
Some models have builtin gps, e.g. fitbit surge. Stores the route on device, transmits during next sync with smartphone
Nice - and probably a nasty surprise for some people...
In the 90's, the NSA banned furbies out of a concern that they could be spying on their workers. We used to be on top of these things.
So did other agencies to include FAA and FBI.
Yep, and Tamagotchis, as well...
Take note government 4square
What's going on at Dugway?
Interesting new base w/ airfield located near midpoint between Raqqah and Akçakale. Apparently built some time after October 2016.
Remember ... it's anonymous data, but very valuable data ... never forget what data you offer to someone ...
Oh the internet
Check out North Korea 🤔
Mostly blank except for Pyongyang and some mysterious rural areas. Do nuke scientists get Fitbits in NK?
Good to see people in Greenland and Antarctica are still getting exercise
Nice outline of Jalalabad airfield or FOB Fenty....
Meanwhile, found this running track in Beirut where too many people seem to be cheating 😏
That may be soccer players warming up for a game.
more likely is people pausing their watches for 100m of recovery between sets and creating a direct GPS line to the next starting point.
Nah - warmup on the infield turf for less impact on the joints before track workout
Even more likely is some people running laps of the track and others running laps of the soccer pitch inside the track.
Also some of those top level ones will be steeplechase.
And on some relatively sparsely populated areas you can literally see the house where the local runner (using the app) sets out, and their preferred route.
Joke aside, it’s interesting to see how this bigger stadium, which is not far from the other one, is used with different proportions. Maybe a question of competitions vs training...
I think it's just gone offline.
good project, but in this kind of data i see many injustices, only 1 % can be athlete and go to nature, the other are slaves
Fitbit literally compromising national security lmao
I don’t think you meant it like that but definitely not Fitbit’s responsibility.
Fun to see the Netherlands being bright white. We bike a lot 😄
and it really drops at the German border
Even more interesting: there's a sharp drop-off at the linguistic border *inside* Belgium. French-speaking people perhaps using a different app; perhaps Strava doesn't have as much market coverage in Germany either?
Both possible of course; but the difference in cycle route density could still help explain the stark border inside Belgium as well (original source for map: opencyclemap.org):
And partly it's just that population density drops off sharply in the Walloon part, though that doesn't explain why the Liege-Charleroi-Mons corridor seems relatively "underlit" in the Strava map.
Well, also cars are much cheaper (to buy and maintain) in Germany than NL.
Strava politely blacked out the spot where a Kandahar FOB goes to take a dump.
you might find this interesting.
Sorry, my first ever accidental photo tweet! Oops.
Could've been worse. Hug the little Wonneproppen!
as an #osint person I love Strava
Smuggling route on the US/Mexico border in San Diego county
Smuggling and tracking your steps??? Seems like an odd combination.
this is Santahamina Finland -- mostly military area
this is what Alakurtti military base in Russia looks like in the heat map
no visible heat map marks inside the Pentagon building.. what does it tell?
Some kind of shielding, or are they Cylons?
maybe just better security. preventing people from taking their smartphones in, or whatever. though i'm sure all the good stuff is TEMPEST shielded too
Maybe they're just all really fuckin lazy
It tells you it's an office building and nobody is running around inside it
oh, i thought this counted all your steps or whatever. that makes sense too
It tells you that it's a giant concrete building with very thick walls.
No signal inside
There are marks inside the Pentagon, they just get lost since there are so few compared to the major highways nearby. If you tweak the colors, it is a bit easier to see.
Hopefully, a full building Faraday.
Maybe no regular cellular service nor Wi-Fi, only networks with strict data exfiltration policies.
As long as you can get a GPS signal you get a trace. The data isn't submitted until afterwards.
But it's likely the device isn't allowed inside to begin with. I would be surprised if the Pentagon was less strict than PCI in a call center. We weren't allowed to have ANYTHING that had a data interface not provided by IT. Cartridge, wireless, or plugged.
We were basically limited to old school alkaline battery powered things that didn't even have headphone jacks.
GPS is pretty unreliable in most buildings, why would you think the Pentagon would be any different, if not moreso?
Lol. That you can’t get GPS through 6 feet of concrete.
Lizard people
You probably have to leave whatever tracker you have in a safe close to the gates
This data is all GPS tracks. GPS doesn't work well indoors. (I use Strava a lot...)
GPS is practically useless inside any house/office-like buildings.
That the Pentagon has the best "No Running" signs in their hallways. The ones that run after you.
Can't bring wi-fi or cellular enabled devices to work. Scifs. Check out the darkness in Langley too. Also why so many ppl on the metro read actual books, not kindles.
Proper security protocols are implemented and being followed...
You'll realize there's a Metro station and major bus transfer point inside the Pentagon... It's been almost a decade since I've commuted through there, and a little longer since I've known anyone who worked there, but I doubt they're jamming GPS or cell signals
When you’re inside a US building as such (like the WH), your GPS bounces and places you about a quarter mile away in some other government building.
There are no visible heat map marks inside most of the buildings anyway, so it doesn't tell you anything.
Quite something! The image shows a Finnish Defence Forces site in Western Finland where there has been no active operation for years, but it is still strategically important and guarded. The image reveals movements in an area where outsiders have no business. Ping @Puolustusvoimat #OPSEC
Well, turns out Santahamina has roads and footpaths. What a revelation.
...and people with vulnerable devices to tap into.
but, sorry, we couldn't see a convoy of 3000 ISIS humvees in the desert...
my data is 4 years old,
Did you check the Antarctic?
Nothing to see here, just a normal person pacing back and forth UNDERGROUND on the Isle of Harris
That's a windfarm according to Ordnance Survey.
Fair enough, I see it now. The missile silos/diamond mines must be hidden somewhere else
GPS also struggles a bit underground.
I think Müllheim military base does not look especially active or is that only interesting for deployment? Where is the data from?
People who exercise with a running watch (or other GPS tracker like a cycle computer), track their route with GPS, and upload the result to Strava for analysis. Newer kit automatically uploads to Strava at the end of a run, if you've set it up. Tracking isn't automatic, though.
Troops in Müllheim might either be too lazy to work out or too smart to leave their trackers on.
But who is so stupid as to upload his exercise details on a (secret) military base / mission to the internet?
Have you been on the internet long? ;-) If you can imagine it, there are thousands if not millions stupid / careless enough to do it.
And if you've been with the military, you'd know that stupid/careless is not hard to come by :-)
When I started the mapping for @TTN_Freiburg I was afraid using the ambulance I work might be a data protection issue and checked how speedy and accurate the mapper actually is - I would think these people are aware of such issues
Are these voluntarily uploaded by users?
"Voluntary" As in a 500page "Privacy Policy"?
imagine real-time data
that's interesting
If you want to spend some time you can even name check some of the people creating those activities by searching for activities in those areas.
hahaha this fucking owns
There's quite a bit of interesting foot data coming out of the mountain areas too.
Kojarena, Western Australia Must be doing laps underground?
Looks like some cat likes running around outside the perimeter of the spy base.
Time to seriously think how to make a electromag bubble, where only sigs redirected goes thru...
Fuck opsec. There are KOMs to get.
I think a path leading from the demilitarized zone to the capital of North Korea has been exposed #StravaLeaks
It even works as a detector of informal border trails: the Colombian-Venezuelan border.
Can anybody find Nessie?
Wow @ArmyStrang good luck spinning this one! Someone's going to be running for 20 years ahahah
Military Base Ramstein in Germany - looks like daily jogging routes..
found some aliens in antarctica? 😃
Or middle aged men exercising at home 🤣
the biggest #military base there and they are very very angry! ☀️🔥#ww3
Isn’t that the Death Star?
Pretty sure it’s the Death Star! Can tell it’s designed by the empire by that photo
It's the same color as a certain someone…did we find his home planet? 😯 Or did he come from the Death Star?! 😶 😆
THAT'S NO MOON!
Look close: The target area is only two meters wide. It's a small thermal exhaust port, right below the main port. The shaft leads directly to the reactor system.
Far too late do we realize that the sun's heat comes from its unending rage
I'll take opsec for 500 alex
At least define a confidentiality zone in Strava. FWIW
...or locating VIPs.
How would you separate one person out on a heat map?
This is how you end up on a list :)
Checked on places where I was deployed to in Afghanistan/Iraq. They're represented on the map. Not good.
The talibans or Daesh know where military are. They don't need to look @Strava.
this has been online for years. Why is it news now?
Yeah they released the heatmap years ago. Or did they just add a load more countries?
roughing it with google maps, the diameter of what (apparently) ended up in UT is only ~6.5km instead of the planned 87km, but it's definitely in the average size range for a hadron collider. interesting that there are no apparent surface structures & that it's so close to UTTR!
Could be one of those "fake" data tracks sent to Strava from indoor cycling (or presumably also running) equipment. E.g. as explained here lowcadence.com/2015/01/30/str… Zwift is responsible for the tracks seen on Jarvis island
i haven't seen anyone else interact with this, but I'd say your explanation is the most likely! it's a bit of a curious location still - maybe a (very) forward thinking prank by a developer?
you know... for kids
Yet another military base reveal: Fort Mason. Something deeply disturbing in this @Strava map. That turkey look shifty.
It's high time we all knew what that turkey is up to.
Looks like someone drew a blue turkey
Oh the hackers gonna hack
The "White L" and the "Black butterfly" of #Baltimore seem to be clearly outlined on that map. For those who may not have heard those terms, a short introduction: citypaper.com/bcpnews-two-ba… and citypaper.com/bcpnews-murder…
check this.. looks great.
This is Eno, Finland, close to Russian border in North-Karelia. Mainly forest. What is this...?
hiking/trail running?
15 000 participants in an orienteering competition..
thanks for tagging me on this. this is great #osint content. @baywolf88 and I will be discussing it in our @SANSInstitute webcast on Thursday. sans.org/webcasts/osint…
Would like to hear more about this podcast... send me info
Wow, this is really interesting, located tracks in several bases around my country.
Why the OPSEC scare? I would take the bet that there might just be other signs that these locations are military bases. You know - the razor wire, blast walls and people in uniform with guns? 99% non-story. Someone find the story in this data if there even is one.
Typically you don't get satellite maps pointing out where the razor wire wrapped blast walls are posted online. Finding something highlighted on a global map is easier than combing the desert for razor wire.
Between the developed nations with satellites and the less technologically advanced on the ground looking at the walls, they know where it is.
Heatmaps <3 WoW! This one is a beaut. Look at that clarity..
#Antarctica shows up too
Someone has been at Area 51 with Strava as well :)
Interesting to think that this Strava data is probably just a tiny subset of what Google has for a lot of people (in a lot of countries) 24x7.
Found this path between Ecuador and Colombia, Illegal immigration and/or drug cartel pathway.
Aww Yas... Some uncomfortable conversations coming up
Funniest story of the year
Cyberpunk is a lot dumber than I was promised, toby
Wonder what kind of winter sports people are doing in the Googleplex 🤔
Of interest?
hehe ruskis
Side channels are not restricted to CPUs. The solution here is to prohibit physical activity or to make sure the soldiers are less fit? 😀
Just make sure they don't have any unauthorized devices on them. There must be fitness trackers out there that don't have to phone home to the cloud right?
Absolutely. But it is about what you miss as well. You would have to track jogging phones with unusually low proportion of fitness trackers. I think that there is no absolute security from side channels. You can close the easy ones, but will never get all. Just count cars/people.
Just as any regular observation would? I mean, come on, it's not exactly difficult to find our bases and watch the routes. Locals always know exactly where we operate. There are no ‘secret bases’. We can’t just build a compound in someone’s back yard without them knowing...
Either we have a lot of military bases, or we like road cycling ;)
Almost nothing in Lashkar Gar. Friend is a doctor there but he's not allowed to run outside, only on the treadmill.
I imagine that's a security thing right?
Afaik, the heatmap is not built real time. It also exists for quite a few years already, but recently @Strava rebuilt it on a new massive dataset. It is also integrated into a route builder - quite an assistance when planning a ride. In short - good stuff.
Where's the OpSec cat when you need him?
Ran site for two hours+. Hit me, this BS has NOTHING to do with "athlete's"! Has everything to do with ANYONE who has a smart phone or anything with GPS. Ran my location, there was tracks that represent folks + me that have smart phones, only make calls; know nothing of this app.
How the f is this public???
When are we going to ban jogging around bases? Or the apps? Seriously...
#FITLEAKING can expose military secrets, commercial activities too johnscottrailton.com/fit-leaking/
Types of things you can do with #FITLEAKING: Determine presence of a particular installation, identify activity level, get a profile of activity, and identity of a particular individual johnscottrailton.com/fit-leaking/
Sooooo... @DeptofDefense, are you aware of this?! Pretty sure this is worse than people using location tags on their social media updates
You can do the same thing in OpenStreetMap...
Hezbollah or UNIFIL?
Attn: @ECmadtown this thread makes me very concerned
Hellooooooooo soft targets.
Ok...I think I have an idea stay tuned
So are you saying soldiers are walking (or running) around with Strava running on their own phones? How are these created?
This could be a good story to cover
Likely not what Mark Gainey Harvard (90) expected, but you know Harvard grads and social media 😎 (unintended consequences?)
Channel crossings & other sea routes
I told you people are watching 👀👀