Hackers can find your home on Strava even if you use privacy settings, researchers find
Belgian study shows "protected zones" can still be accessed by hackers 85% of the time
Hackers can still work out where your home or work is from your Strava activities even if they are within "privacy zones", according to research from a Belgian university.
The study from PhD students at KU Leuven found that hackers, with limited effort, can discover up to 85% of protected locations.
The ability to hide where your home or work is was brought in by apps such as Strava to guard against thieves finding your home and therefore where you keep your bike. Police have previously warned users the platform could be used by criminals to target thefts.
Users on Strava can hide the start and endpoint of every activity, or also hide the start and end of activities around a specific address, such as home. On Strava, this feature is called an "endpoint privacy zone" (EPZ).
However, a recent study, titled "A Run a Day Won’t Keep the Hacker Away: Inference Attacks on Endpoint Privacy Zones in Fitness Tracking Social Networks", published at the end of last year, concluded: "Despite the usage of spatial cloaking, we show that these protected locations can still be discovered reliably. Our attack leverages the reported distances travelled within the EPZ [endpoint privacy zone], as well as the layout of the street grid to de-anonymize protected locations with a success rate of up to 85%.
"While distance-based countermeasures such as generalization can be effective at thwarting our attack, they can also severely reduce usability. Networks must, therefore, carefully consider which functionality they provide while guaranteeing user privacy."
In response, Strava said there had been no leaks or cyber attacks connected to this research, but didn't comment on whether it had taken any action on it.
"Privacy is our top priority to our global community, and we can confirm that there have been no leaks and no cyber attacks involving Strava or our community’s data in regards to this research," a spokesperson said.
"We welcome feedback from our community and note that we provide extensive privacy controls, including industry-leading map, profile and activity visibility controls, to empower everyone on Strava."
The researchers' "attack" used distance information leaked in activity metadata, street grid data, and the locations of the entry points into the EPZ to predict the protected locations of users.
"In the metadata there is the distance value of the entire track — including the parts that are supposed to be hidden inside the privacy zone," Karel Dhondt, one of the researchers, told cyber security news site Dark Reading. "The distance that has been covered inside the privacy zone has been leaked."
"It's not like they [a hacker] have to forge API calls or alter ways they communicate with Strava," Dhondt said. "Whenever Strava draws the map of wherever the person went running or cycling, the high-precision API data is already there. You can use a developer tool and easily inspect network traffic. The data is just one keystroke away."
The loopholes can be mitigated, for example by starting activities further away from locations you want to protect, or by increasing the size of your EPZ. However, this could reduce the usability of the app.
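To make the leak and the "generalization" countermeasure concrete, here is an added example (not code from the researchers or from Strava) that measures, for one of your own activities, how much hidden distance an exact total gives away and how rounding the total blurs it. The coordinates, the 350 m zone radius, the 1 km rounding step and all function names are constructed for illustration.

```python
import math

EARTH_RADIUS_M = 6371000

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def path_length_m(points):
    """Length of the polyline through the given points."""
    return sum(haversine_m(p, q) for p, q in zip(points, points[1:]))

def visible_track(track, zone_centre, zone_radius_m):
    """Points the map still shows: everything outside the privacy zone."""
    return [p for p in track if haversine_m(p, zone_centre) > zone_radius_m]

def hidden_distance_m(reported_total_m, shown):
    """Distance inside the zone implied by the reported total."""
    return reported_total_m - path_length_m(shown)

def generalise(distance_m, step_m):
    """Countermeasure: report the distance rounded to a coarse step."""
    return round(distance_m / step_m) * step_m

# Constructed sample: 11 points heading north from (0.0, 0.0), about 111 m
# apart, with a 350 m privacy zone centred on the start.
HOME = (0.0, 0.0)
TRACK = [(i * 0.001, 0.0) for i in range(11)]
SHOWN = visible_track(TRACK, HOME, 350)
TOTAL = path_length_m(TRACK)

if __name__ == "__main__":
    print(f"visible points: {len(SHOWN)} of {len(TRACK)}")
    print(f"exact total leaks {hidden_distance_m(TOTAL, SHOWN):.0f} m inside the zone")
    coarse = generalise(TOTAL, 1000)
    print(f"rounded to 1 km implies {hidden_distance_m(coarse, SHOWN):.0f} m")
```

A coarser rounding step blurs the hidden distance further but makes the reported figure less useful to the athlete, which is the usability cost the researchers describe.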
According to the researchers, Strava responded to their research, but other app makers with similar privacy features did not, beyond thanking them for their efforts.
Adam is Cycling Weekly’s news editor – his greatest love is road racing but as long as he is cycling on tarmac, he's happy. Before joining Cycling Weekly he spent two years writing for Procycling, where he interviewed riders and wrote about racing. He's usually out and about on the roads of Bristol and its surrounds. Before cycling took over his professional life, he covered ecclesiastical matters at the world’s largest Anglican newspaper and politics at Business Insider. Don't ask how that is related to cycling.