The Strava story illustrates how your organization’s digital footprint is getting larger every day and how digital risk is hyper-accelerating.
A public release of Strava's data visualization map shows all the activity tracked by users of its app. The map, released in November 2017, claims to show every single activity ever uploaded to Strava – more than 3 trillion individual GPS data points. Sensitive information about the location, staffing levels and primary traffic patterns of practically any physical site in the world is clearly discoverable from it. This immediately illustrates how personal Internet of Things (IoT) devices can increase digital risk to your organization through a third party.
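As an added example (not code from the original post or from Strava), the script below shows the defensive check an organization can run on its own members' activity exports before they are shared: it measures how many GPS points of a track fall inside a privacy radius around a sensitive site, reports the exposure per site, and drops those points. The site coordinates, radius and track points are constructed sample values, and "site-A" is a hypothetical name.

```python
"""Privacy-zone check for GPS activity exports (illustrative, constructed data).

Scans a list of (lat, lon) track points, as a fitness app might export them,
counts the points inside a configurable radius of each sensitive site, and
returns a redacted copy of the track with those points removed.
"""
import math

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


# Hypothetical sensitive site: constructed coordinates, not a real facility.
SENSITIVE_SITES = {"site-A": (51.5000, -0.1200)}

# Constructed track: three points within ~350 m of the site, two well outside.
SAMPLE_TRACK = [
    (51.5000, -0.1200),  # on the site itself
    (51.5010, -0.1200),  # ~111 m north
    (51.5030, -0.1200),  # ~334 m north
    (51.5100, -0.1200),  # ~1.1 km north
    (51.5200, -0.1200),  # ~2.2 km north
]


def points_near_sites(track, sites, radius_m=500.0):
    """Return (index, site_name, distance_m) for every point inside a privacy zone."""
    hits = []
    for i, (lat, lon) in enumerate(track):
        for name, (slat, slon) in sites.items():
            d = haversine_m(lat, lon, slat, slon)
            if d <= radius_m:
                hits.append((i, name, round(d, 1)))
    return hits


def exposure_by_site(track, sites, radius_m=500.0):
    """Count how many track points reveal each site; repeated exports of the
    same site are what a public heat map eventually makes obvious."""
    counts = {name: 0 for name in sites}
    for _, name, _ in points_near_sites(track, sites, radius_m):
        counts[name] += 1
    return counts


def redact_track(track, sites, radius_m=500.0):
    """Drop every point inside any privacy zone and return the remaining points."""
    flagged = {i for i, _, _ in points_near_sites(track, sites, radius_m)}
    return [p for i, p in enumerate(track) if i not in flagged]


if __name__ == "__main__":
    print("exposure:", exposure_by_site(SAMPLE_TRACK, SENSITIVE_SITES))
    print("redacted track:", redact_track(SAMPLE_TRACK, SENSITIVE_SITES))
```

The radius is a policy choice: a zone that is too small still leaks the site's perimeter through the start and end points of every activity, which is exactly the pattern the aggregated map exposes.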
However, the risk doesn't stop there. Strava is a "social" fitness app. According to Strava, the app lets you "Track your rides and runs via your iPhone, Android or GPS device, analyze your performance, and compare with friends." In our review of this application, end-users routinely link their Twitter, Instagram or Facebook profile to a Strava profile that is publicly accessible.
This creates a gateway for data collected by the Strava app to make its way into social media channels, and for Strava end-users to be discovered by mining social media. With context-rich information in hand from social media and Strava profile information, nefarious actors can establish a "pattern of life" on a target. Bad actors will exploit this information to increase the likelihood of success of an attack targeting the cyber security or physical security of an organization or individual.
There is a growing demand for gadgets and apps like Strava that bring value to us in different ways. As the Internet of Things (IoT) becomes more connected, it is evident that even the most OPSEC-oriented organizations find it increasingly difficult to detect, analyze and mitigate every opportunity that is being created for bad actors to exploit.