Strava’s segment explorer shows who ran what, where, and when - An OSINT investigation into operational security

There are some great advantages to running with Strava. One of them is the community aspect of seeing where people run around you, how fast they run, and when they did it.

You can even contact fellow runners in the Strava app, or Facebook, as they have a profile picture, a name, and generally, where they are from.

However, as with all big data innovations, there are privacy risks. While it has already been identified that Strava’s global heat map is a security risk for its identification of military bases, Strava’s segment explorer is a much bigger risk for operational security.

The issue is, you can view that ‘running community’ in any location in the world. That includes conflict areas of the Middle East, Africa’s north, or who ran the last Pyongyang Marathon in North Korea.

These finds were made using simple OSINT (open-source intelligence) methods. I hope that by sharing this find with you, it will increase awareness of privacy issues in a data-dominant world.

On the outset, it should be known that Strava does have advanced privacy features, which I have included at the bottom of this investigation.

All names have been blurred, due any further sensitivities.

Exploring Strava app’s privacy holes in Mali, South Sudan and Algeria

Strava’s segment explorer can be accessed via their website on a desktop computer, as well as from the mobile application.

A number of concerning operational security exposures have been found in Africa. This includes UN bases, coalition forces bases, oil field projects, as well as the people that run them, and when they did it.

The following is what is available to the public when viewing Strava app’s segment explorer.

Camp Castor in Mali, near the city of Gao. (Image: Google Earth, Strava).
A UN base in South Sudan near Malaka. (Image: Google Earth, Strava).

East Algeria has a number of oil and gas establishments that also have employees logging regular runs on Strava.

One of the natural gas camps in East Algeria where I identified a large number of European employees and security workers was the In Amenas Gas Camp. It is worth mentioning that this project was subject to a terrorist takeover in 2013 by Islamist extremists where more than 30 hostages died as a result of the attack.

JGC Algeria camp. (Image: Google Earth, Strava).

Many of the Strava leaderboard profiles also include where their home town and country of origin is. Those profiles also have an identifying profile picture.

These details can cause a risk for personal security as their names, hometowns and profile pictures can be easily traced to their Facebook profiles via a simple Facebook search.

(Image: Google Earth, Strava, Facebook).

Strava runners in the Middle-East

One of the larger military establishments in the Middle East is Camp Taji in Iraq. The base is just north of Baghdad and is easily located on Strava’s segment explorer with runs being logged by more than 50 Strava users.

Camp Taji, Iraq. (Image: Google Earth, Strava).

In Syria, an interesting track that has been ran by 10 Strava users is in the north of Syria at French-Swiss cement maker LafargeHolcim’s factory.

Runs have been logged since June, 2016, with the last being logged in April, 2018. However, the cement factory closed and staff evacuated in September, 2014.

The Lafarge cement factory is 150km east of Aleppo and was found to have paid close to 13 million Euro to terrorist groups, including Islamic State militants, to operate when it was open.

Lafarge Cement Factory, Syria. (Image: Google Earth, Strava).

Running Pyongyang Marathon

We can even see who ran in the 2017 Pyongyang Marathon in North Korea.

Pyongyang, North Korea. (Image: Strava).

Activity apps are great, but be aware of privacy

These breaches are serious, there is no doubt about it. But in writing this, I appreciate the community and competitive aspects that fitness apps such as Strava bring to the table.

It is functions such as the segment explorer that allow us to find local routes, competitors, and even get in contact with local runners.

However, this should be used with discretion, as a public profile is subject to open-source risks and operational security disclosures that should otherwise remain closed.

If you are someone that uses Strava, and you want to control your data, I recommend viewing the image below, and learning about the app’s privacy features before you use it next.

Strava’s privacy settings. (Image: Strava)