Strava's persistent security problems: Info on nuclear subs, world leaders exposed

Strava -- the fitness app -- allows users to share fitness activities and achievements online while monitoring progress worldwide. Strava also has a feature that allows publishing the data on a map with an accurate location where the user completed the exercise or achieved the fitness goal.

DH Web Desk
Illustration showing data security problems of the Strava app with inset images indicating data leak of French nuclear submarines, US military bases abroad, and locations of Joe Biden and Emmanuel Macron

Credit: Reuters, iStock, and Unsplash Photos

Crucial data about a French nuclear submarine slated for Russian patrol was leaked through a fitness app, a Le Monde investigation showed two days ago.

Officers and crew in the vessel accidentally blew their cover as well as their location and schedule by recording their runs on Strava. As a result, there was an imminent risk of the data, including the sub's position, location, and patrol schedule, getting leaked to Moscow.

Strava -- the fitness app in question -- allows users to share fitness activities and achievements online while monitoring other users' progress worldwide. Strava also has a feature that allows publishing the data on a map with an accurate location where the user completed the exercise or achieved the fitness goal.

The crew made the error at the Ile Longue submarine base at the Brest Harbour in France's Finistere. This base is reportedly home to four French nuclear subs, each with 16 nuclear missiles. This has an explosive intensity around a thousand times the power of the bombs dropped on Hiroshima and Nagasaki during WWII.

The base, guarded like a fortress and home to 2,000 French military personnel, allows smartwatches with third-party applications, which is how the security was breached.

As per a Daily Mail report, a probe after the leaks showed that over 450 Strava users from the French military have been active at the nuclear base in the last ten years.

Le Monde, meanwhile, found that many of the personnel did not even use aliases or pseudonyms, thus exposing themselves to a global viewership.

The runs of three personnel, including when they went off radar, helped deduce the time they were on patrol aboard a sub. One of the officers even chatted on the Strava fitness app upon return, saying it was tough to return to sport after over two-and-a-half months away. The officer ended the message with bubble emojis and a scuba mask emoji.

An earlier Le Monde investigation had shown that highly confidential movements of world leaders and prominent personalities could also be tracked through the Strava app -- because their bodyguards were using it.

Based on the app data, the French newspaper found that Emmanuel Macron had spent a weekend at the Normandy seaside resort of Honfleur in 2021. This was a private trip not listed on the President's official agenda.

In another instance, the data revealed the hotel US President Joe Biden had stayed in during his high-profile talks with Xi Jinping in San Francisco in 2023.

Donald Trump and Kamala Harris' movements were also trackable, as per the French publication. The US Secret Service did not believe the protection it provided was compromised while Macron's office had said the issues reported "in no way" affected the French President's security.

However, the danger of this data being available on Strava was highlighted when former Russian submarine commander Capt. 2nd Rank Stanislav Rzhitsky was gunned down in July 2023, while he was serving as the deputy director of the city's mobilization office in Krasnodar. Russian news outlets had at the time reported that Rzhitsky posted his running routes on Strava and was shot dead while jogging in a park there.

A Ukrainian was arrested in the matter.

In 2019, it was reported that Strava maps gave away potentially sensitive information about American and allied troops in areas like Syria and Iraq. While the bases highlighted are commonly known enough, the app also mapped some routes taken by forces moving outside the bases -- information that could aid an ambush.

Security experts also spotted on Strava's map what they believed to be the movements of US soldiers in Africa and of people who work at a suspected Taiwanese missile command, all of whom had shared workouts apparently without realizing the implications.

For its part, Strava earlier said "athletes with the Metro/heatmap opt-out privacy setting have all data excluded" from the mapping project.

The app also overhauled the map that showed the military positions, and access to street-level details is currently barred for anyone but registered users.

Strava is an American app that currently has over 125 million users in 190 countries.

(With agency inputs)

(Published 15 January 2025, 16:31 IST)