Hackers can find your home on Strava even if you use privacy settings, researchers find
Belgian study shows "protected zones" can still be accessed by hackers 85% of the time
Hackers can still work out where your home or work is from your Strava activities even if they are within "privacy zones", according to research from a Belgian university.
The study from PhD students at KU Leuven found that hackers, with limited effort, can discover up to 85% of protected locations.
The ability to hide where your home or work is was brought in by apps such as Strava to guard against thieves finding your home and therefore where you keep your bike. Police have previously warned users the platform could be used by criminals to target thefts.
Users on Strava can hide the start and endpoint of every activity, or also hide the start and end of activities around a specific address, such as home. On Strava, this feature is called an "endpoint privacy zone" (EPZ).
However, a recent study, titled A Run a Day Won’t Keep the Hacker Away: Inference Attacks on Endpoint Privacy Zones in Fitness Tracking Social Networks, published at the end of last year concluded: "Despite the usage of spatial cloaking, we show that these protected locations can still be discovered reliably. Our attack leverages the reported distances travelled within the EPZ [endpoint privacy zone], as well as the layout of the street grid to de-anonymize protected locations with a success rate of up to 85%.
"While distance-based countermeasures such as generalization can be effective at thwarting our attack, they can also severely reduce usability. Networks must, therefore, carefully consider which functionality they provide while guaranteeing user privacy."
In response, Strava said there had been no leaks or cyber attacks connected to this research, but didn't comment on whether it had taken any action on it.
"Privacy is our top priority to our global community, and we can confirm that there have been no leaks and no cyber attacks involving Strava or our community’s data in regards to this research," a spokesperson said.
"We welcome feedback from our community and note that we provide extensive privacy controls, including industry-leading map, profile and activity visibility controls, to empower everyone on Strava."
As revealed in their research, the researchers' "attack" used distance information leaked in activity metadata, street grid data, and the locations of the entry points into the EPZ to predict the protected locations of users.
"In the metadata there is the distance value of the entire track — including the parts that are supposed to be hidden inside the privacy zone," Karel Dhondt, one of the researchers, told cyber security news site Dark Reading. "The distance that has been covered inside the privacy zone has been leaked."
"It's not like they [a hacker] have to forge API calls or alter ways they communicate with Strava," Dhondt said. "Whenever Strava draws the map of wherever the person went running or cycling, the high-precision API data is already there. You can use a developer tool and easily inspect network traffic. The data is just one keystroke away."
The loopholes can be mitigated, for example by starting activities further away from locations you want to protect, or by increasing the size of your EPZ. However, this could reduce the usability of the app.
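The metadata leak Dhondt describes and the generalization countermeasure the paper mentions, as an added example that is not from the article or the researchers' paper: it measures how tightly a published distance pins down the distance travelled inside a privacy zone. The coordinates, the 500 m zone centred on the start point and the 1 km rounding bucket are constructed assumptions.

```python
import math

EARTH_RADIUS_M = 6371000.0

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def path_length_m(points):
    """Length of a polyline given as consecutive (lat, lon) points."""
    return sum(haversine_m(p, q) for p, q in zip(points, points[1:]))

def visible_points(track, centre, radius_m):
    """Points that remain on the map once the zone around centre is hidden."""
    return [p for p in track if haversine_m(p, centre) > radius_m]

def generalize(distance_m, bucket_m):
    """Assumed form of generalization: round the published distance."""
    return round(distance_m / bucket_m) * bucket_m

def hidden_distance_bounds(reported_m, visible, bucket_m=0.0):
    """Range of in-zone distances consistent with what a viewer can see."""
    shown = path_length_m(visible)
    low = max(0.0, reported_m - bucket_m / 2 - shown)
    high = max(0.0, reported_m + bucket_m / 2 - shown)
    return low, high

# Constructed sample: a straight track heading north from a protected start.
HOME = (50.0, 4.0)
TRACK = [(50.0 + i * 0.001, 4.0) for i in range(20)]
VISIBLE = visible_points(TRACK, HOME, 500.0)
TOTAL_M = path_length_m(TRACK)

# Exact total in the metadata: the hidden distance is pinned to one value.
EXACT = hidden_distance_bounds(TOTAL_M, VISIBLE)
# Total rounded to 1 km: only a wide range remains, at a cost in accuracy.
COARSE = hidden_distance_bounds(generalize(TOTAL_M, 1000.0), VISIBLE, 1000.0)

if __name__ == "__main__":
    print("exact metadata :", EXACT)
    print("1 km generalized:", COARSE)
```

The width of the returned range is the figure to watch when auditing a platform's published fields: zero means the in-zone distance is fully exposed.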
According to the researchers, Strava responded to their research, but other app makers with similar privacy features did not, beyond thanking them for their efforts.
Adam is Cycling Weekly’s news editor – his greatest love is road racing but as long as he is cycling on tarmac, he's happy. Before joining Cycling Weekly he spent two years writing for Procycling, where he interviewed riders and wrote about racing, speaking to people as varied as Demi Vollering to Philippe Gilbert. Before cycling took over his professional life, he covered ecclesiastical matters at the world’s largest Anglican newspaper and politics at Business Insider. Don't ask how that is related to cycling.