Hackers can find your home on Strava even if you use privacy settings, researchers find
Belgian study shows "protected zones" can still be accessed by hackers 85% of the time
Hackers can still work out where your home or work is from your Strava activities even if they are within "privacy zones", according to research from a Belgian university.
The study from PhD students at KU Leuven found that hackers, with limited effort, can discover up to 85% of protected locations.
The ability to hide where your home or work is was brought in by apps such as Strava to guard against thieves finding your home and therefore where you keep your bike. Police have previously warned users the platform could be used by criminals to target thefts.
Users on Strava can hide the start and endpoint of every activity, or hide the start and end of activities around a specific address, such as home. On Strava, this feature is called an "endpoint privacy zone" (EPZ).
However, a recent study, titled "A Run a Day Won’t Keep the Hacker Away: Inference Attacks on Endpoint Privacy Zones in Fitness Tracking Social Networks" and published at the end of last year, concluded: "Despite the usage of spatial cloaking, we show that these protected locations can still be discovered reliably. Our attack leverages the reported distances travelled within the EPZ [endpoint privacy zone], as well as the layout of the street grid to de-anonymize protected locations with a success rate of up to 85%.
"While distance-based countermeasures such as generalization can be effective at thwarting our attack, they can also severely reduce usability. Networks must, therefore, carefully consider which functionality they provide while guaranteeing user privacy."
In response, Strava said there had been no leaks or cyber attacks connected to this research, but didn't comment on whether it had taken any action on it.
"Privacy is our top priority to our global community, and we can confirm that there have been no leaks and no cyber attacks involving Strava or our community’s data in regards to this research," a spokesperson said.
"We welcome feedback from our community and note that we provide extensive privacy controls, including industry-leading map, profile and activity visibility controls, to empower everyone on Strava."
The researchers' "attack", as set out in their research, used distance information leaked in activity metadata, street grid data and the locations of the entry points into the EPZ to predict the protected locations of users.
"In the metadata there is the distance value of the entire track — including the parts that are supposed to be hidden inside the privacy zone," Karel Dhondt, one of the researchers, told cyber security news site Dark Reading. "The distance that has been covered inside the privacy zone has been leaked."
"It's not like they [a hacker] have to forge API calls or alter ways they communicate with Strava," Dhondt said. "Whenever Strava draws the map of wherever the person went running or cycling, the high-precision API data is already there. You can use a developer tool and easily inspect network traffic. The data is just one keystroke away."
The loopholes can be mitigated, for example by starting activities further away from locations you want to protect, or by increasing the size of your EPZ. However, this could reduce the usability of the app.
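The metadata leak described above, seen from the platform's side, as an added example (not code from Strava or the researchers): a public view that reports the distance of the whole recording exposes the distance covered inside the hidden zone, while one that recomputes distance from the visible points does not. The coordinates, the 300 m zone radius and all function names are constructed for illustration, and the sketch assumes an activity that starts inside the zone and does not re-enter it.

```python
import math

EARTH_RADIUS_M = 6_371_000

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def path_length_m(points):
    """Length of the polyline through the given points."""
    return sum(haversine_m(p, q) for p, q in zip(points, points[1:]))

def publish(track, zone_centre, zone_radius_m, report_full_distance):
    """Build the public view of an activity that starts inside a privacy zone."""
    shown = [p for p in track if haversine_m(p, zone_centre) > zone_radius_m]
    # Leaky form: distance of the whole recording, hidden part included.
    # Hardened form: distance recomputed from the points that are actually shown.
    source = track if report_full_distance else shown
    return {"points": shown, "distance_m": round(path_length_m(source), 1)}

def hidden_distance_exposed_m(public_view):
    """Audit check: distance metadata minus the length of the visible polyline.
    Anything well above zero is distance travelled inside the hidden zone."""
    visible = round(path_length_m(public_view["points"]), 1)
    return round(public_view["distance_m"] - visible, 1)

# Constructed sample: a recording heading due north in ~111 m steps.
ZONE_CENTRE = (50.0000, 4.0000)
ZONE_RADIUS_M = 300
TRACK = [(50.0000 + 0.001 * i, 4.0000) for i in range(1, 7)]

if __name__ == "__main__":
    for full in (True, False):
        view = publish(TRACK, ZONE_CENTRE, ZONE_RADIUS_M, report_full_distance=full)
        print(f"report_full_distance={full}: {len(view['points'])} points shown, "
              f"distance_m={view['distance_m']}, "
              f"exposed={hidden_distance_exposed_m(view)} m")
```

Run against real published activity payloads, the audit function gives a regression check: a non-zero result for any activity with a privacy zone means the metadata and the cloaked map disagree.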
According to the researchers, Strava responded to their research, but other app makers with similar privacy features did not, beyond thanking them for their efforts.
Adam is Cycling Weekly’s news editor – his greatest love is road racing but as long as he is cycling on tarmac, he's happy. Before joining Cycling Weekly he spent two years writing for Procycling, where he interviewed riders and wrote about racing. He's usually out and about on the roads of Bristol and its surrounds. Before cycling took over his professional life, he covered ecclesiastical matters at the world’s largest Anglican newspaper and politics at Business Insider. Don't ask how that is related to cycling.