3 February 2018

What He Did on His Summer Break: Exposed a Global Security Flaw

SYDNEY, Australia — When Nathan Ruser, an Australian university student, posted on Twitter over the weekend that a fitness app had revealed the locations of military sites in Syria and elsewhere, he did not expect much response.

But the news ricocheted across the internet, alarming security experts, who said hostile entities could glean valuable intelligence from the Strava app’s global “heat map,” including the locations of secret bases and the movements of military personnel. The Pentagon said it was reviewing the situation.

“Whoever thought that operational security could be wrecked by a Fitbit?” Mr. Ruser, 20, said in an interview from Thailand, where he is spending part of the Australian summer break.

Mr. Ruser, who studies international security at Australian National University in Canberra, is not a Strava user (“I sometimes go for walks, but I’m not very fit,” he said). But he is an avid follower of the conflict in Syria, and he often uses maps to put news stories in context.

When he looked over Syria on Strava’s map — which is based on location data from millions of users, including military personnel, who share their exercise activity — the area “lit up with those U.S. bases,” he said.

Before publicly sharing his findings over the weekend, he discussed them in a private chat group on Twitter, made up of people interested in intelligence and security issues. “I know about two-thirds of what I know about the world from the group chats,” he said.

Strava's online exercise-tracking map unwittingly reveals remote military outposts — and even the identities of soldiers based there. The situation shows how data collection can lead to unintended consequences.

Danielle Cave, a senior analyst at the Australian Strategic Policy Institute, said that Twitter is playing an increasingly important role in open-source intelligence, the collection of sensitive information from publicly available sources. Researchers from think tanks, nongovernmental organizations and the corporate sector who are at the cutting edge of cybersecurity work gravitate to the platform to exchange information, she said.

“Twitter’s being used to piece it together like a jigsaw,” Ms. Cave said. “Usually I see them on top of a cyber-related issue hours, if not days, before it ends up in the media.”

John Blaxland, a professor of international security and intelligence studies at Australian National University, taught Mr. Ruser last year.

“A lot of geo-location, a lot of reflection can be derived from what’s out there in open-source,” Professor Blaxland said. “Nathan’s clearly taken it to heart and gone out on his own.” (Mr. Ruser did very well in his class, the professor added.)

Mr. Ruser, who is from Sydney, hopes to spend a semester abroad in Myanmar before graduating next year. He said he has written 7,000 words of an article about a pro-government militia in northern Myanmar, which he plans to send to Bellingcat, an open-source citizen journalism site, when it’s finished.

He said he hoped the Australian intelligence community saw his Strava revelation as a positive contribution, helping the Australian government and others address their vulnerabilities. “I would definitely not like to be a Manning, or a Snowden, or an Assange,” he said.

Like many 20-year-olds, he is not sure what he wants to do after graduation. But Ms. Cave and others agreed that his discovery would not hurt his career prospects.

“He’s obviously got some seriously great skills,” Ms. Cave said. “It would be crazy for groups in this space not to nab somebody like that.” In fact, she said, she was thinking of asking him if he would be interested in an internship.
