Hackers can find your home on Strava even if you use privacy settings, researchers find
Belgian study shows "protected zones" can still be accessed by hackers 85% of the time
Hackers can still work out where your home or work is from your Strava activities even if they are within "privacy zones", according to research from a Belgian university.
The study from PhD students at KU Leuven found that hackers, with limited effort, can discover up to 85% of protected locations.
The ability to hide where your home or work are was brought in by apps such as Strava to guard against thieves finding your home and therefore where you keep your bike. Police have previously warned users the platform could be used by criminals to target thefts .
Users on Strava can hide the start and endpoint of every activity, or also hide the start and end of activities around a specific address, such as home. On Strava, this feature is called an "endpoint privacy zone" (EPZ).
However, a recent study, titled A Run a Day Won’t Keep the Hacker Away: Inference Attacks on Endpoint Privacy Zones in Fitness Tracking Social Networks, published at the end of last year concluded: "Despite the usage of spatial cloaking, we show that these protected locations can still be discovered reliably. Our attack leverages the reported distances travelled within the EPZ [endpoint privacy zone], as well as the layout of the street grid to de-anonymize protected locations with a success rate of up to 85%.
"While distance-based countermeasures such as generalization can be effective at thwarting our attack, they can also severely reduce usability. Networks must, therefore, carefully consider which functionality they provide while guaranteeing user privacy."
In response, Strava said there had been no leaks or cyber attacks connected to this research, but didn't comment on whether it had taken any action on it.
Get The Leadout Newsletter
The latest race content, interviews, features, reviews and expert buying guides, direct to your inbox!
“Privacy is our top priority to our global community, and we can confirm that there have been no leaks and no cyber attacks involving Strava or our community’s data in regards to this research," a spokesperson said.
"We welcome feedback from our community and note that we provide extensive privacy controls, including industry-leading map, profile and activity visibility controls, to empower everyone on Strava.”
The researchers' "attack" used distance information leaked in activity metadata, street grid data, and the locations of the entry points into the EPZ, that was revealed in their research to predict protected locations of users.
"In the metadata there is the distance value of the entire track — including the parts that are supposed to be hidden inside the privacy zone," Karel Dhondt, one of the researchers, told cyber security news site Dark Reading. "The distance that has been covered inside the privacy zone has been leaked."
"It's not like they [a hacker] have to forge API calls or alter ways they communicate with Strava," Dhondt said. "Whenever Strava draws the map of wherever the person went running or cycling, the high-precision API data is already there. You can use a developer tool and easily inspect network traffic. The data is just one keystroke away."
The loopholes can be mitigated, like starting activities further away from locations you want to protect, or by increasing the size of your EPZ. However, this could reduce the usability of the app.
According to the researchers, Strava responded to their research, but other app makers with similar privacy features did not beyond thanking them for their efforts.
Thank you for reading 20 articles this month* Join now for unlimited access
Enjoy your first month for just £1 / $1 / €1
*Read 5 free articles per month without a subscription
Join now for unlimited access
Try first month for just £1 / $1 / €1
Adam is Cycling Weekly’s news editor – his greatest love is road racing but as long as he is cycling, he's happy. Before joining CW in 2021 he spent two years writing for Procycling. He's usually out and about on the roads of Bristol and its surrounds.
Before cycling took over his professional life, he covered ecclesiastical matters at the world’s largest Anglican newspaper and politics at Business Insider. Don't ask how that is related to riding bikes.
-
The Oura ring reviewed: is this wellness tracker helpful to cyclists?
With its focus on recovery and wellness, the Oura ring offers unique insights but is it worth the investment over other wearables?
By Anne-Marije Rook Published
-
Shimano RC703 road shoe review: sleek, stiff and robust
Shimano's second-tier offering combines a rigid carbon sole with handy Boa dials and protective toe caps
By Sam Gupta Published
-
Amateur cyclist in talks with four WorldTour teams after Strava KOM heroics
Jack Burke says there's a 30% chance he'll ride at cycling's top level in 2025
By Tom Davidson Published
-
Amateur cyclist beats Sepp Kuss's time on Alpe d'Huez to take Strava KOM
Jack Burke hopes professional teams will offer him 'a chance to compete against the best'
By Tom Davidson Published
-
Strava blocks other apps from using leaderboard and segment data
Exercise tracking app says move will help maintain user privacy in the long term
By Tom Thewlis Published
-
Amateur cyclist breaks Strava KOMs on Mortirolo and Stelvio, makes plea for pro contract
'Let's hope some kind of opportunity comes from this,' said Canadian Jack Burke, after taking the Mortirolo crown
By Tom Davidson Published
-
Strava says its new AI feature is 'not a novelty' - but I think it's pointless
It promises to help users understand stats more, although it has just left me feeling more confused
By Adam Becket Published
-
Strava introduces new artificial intelligence feature for subscribers
Athlete Intelligence will take workout data and translate it into personalised insights
By Adam Becket Published
-
Strava introduces new feature which brings privacy settings up to speed
Quick Edit option allows users to hide specific workout data the moment they open the app
By Tom Thewlis Published
-
'It was a nice break' - Cycling sensation 'on holiday' breaks Zoncolan, Stelvio and Giau Strava records
Hill climber Illi Gardner added more iconic climbs to her trophy cabinet
By Tom Davidson Published