Strava heatmap feature can be abused to find home addresses


Researchers at North Carolina State University in Raleigh have discovered a privacy risk in the Strava app’s heatmap feature that could lead to identifying users’ home addresses.

Strava is a popular running companion and fitness-tracking application with over 100 million users worldwide, helping people track their heart rate, activity details, GPS location, and more.

In 2018, Strava implemented a feature called “heatmap” that anonymously aggregates users’ (runners, cyclists, hikers) activity to help users find trails or exercise hotspots, meet like-minded individuals, and perform their sessions in more crowded and safer locations.

However, as the researchers found, this feature opens up the possibility for tracking and de-anonymizing users using publicly available heatmap data combined with specific user metadata.

Locating homes of athletes

The first step taken by the researchers was to collect data publicly available through Strava heatmap over a month for the states of Arkansas, Ohio, and North Carolina.

Next, they used image analysis to detect start/stop areas next to streets, indicating that a specific home is linked to a source of tracked activity.

Activity heat nearby a house (anupamdas.org)

Having selected heatmap screenshots that matched the criteria, the team overlaid OpenStreetMap images at zoom levels that helped identify individual residence addresses.

Overlaying home locations (anupamdas.org)

The next step was to perform user crawling leveraging a poorly documented search feature on Strava to locate users who have registered a specific city as their location.

By comparing the endpoints from the heatmap and a user’s personal data from the search function, the researchers could correlate the high activity points on the heatmap and the users’ home addresses.

The public Strava profiles contain activity data with time stamps and distances, making it easier to identify potential routes that match the patterns in the heatmap data, narrowing down people and area matches.

Attack logic and data overview (anupamdas.org)

As many Strava users register with their real names and even upload profile pictures of themselves, correlating identities with home locations is possible.

For their research, the scientists correlated their findings with voter registration data and found their predictions were roughly 37.5% accurate.

“A more active user produces more heat on the Strava heatmap and therefore is more easily identified. Figure 7 demonstrates the likelihood of a match based on the number of activities posted,” explain the researchers.

“For the remainder of the analysis, we will be assuming the target of the attack posts an average number activities, which for our data set is 308 activities.”

“With the 100 meter threshold, and the victim posting 308 activities, the likelihood of being able to be discovered is 37.5%.”

The more activities a user registers, the better the chances of the attack (anupamdas.org)

Enhancing Strava’s privacy

The first passive mitigation is to live in a densely populated area that receives massive amounts of Strava heatmap data, making person-specific tracking nearly impossible.

Another way to mitigate this privacy problem would be to start the tracking after you’ve left your home, or for Strava to create a heatmap exclusion of a few meters around home locations as marked in OpenStreetMap.

The researchers also propose that the heatmap should support an option for users to set privacy zones around their homes or elsewhere too.
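One way a privacy zone like the one proposed above could be applied to a GPS track before it is shared, as an added example that is not from the article, the paper or Strava. The function names, the 200-meter radius, the coordinates and the offset zone centre are assumptions made for illustration.

```python
import math
import random

EARTH_RADIUS_M = 6_371_000.0

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def make_zone(home, radius_m, rng):
    """Return (centre, radius_m) with the centre up to radius/2 away from home.
    Assumption of this example: offsetting the centre keeps trimmed track ends
    from forming a circle around the address. Create the zone once and store it.
    """
    d, theta = rng.uniform(0, radius_m / 2), rng.uniform(0, 2 * math.pi)
    dlat = math.degrees(d * math.cos(theta) / EARTH_RADIUS_M)
    dlon = math.degrees(d * math.sin(theta)
                        / (EARTH_RADIUS_M * math.cos(math.radians(home[0]))))
    return (home[0] + dlat, home[1] + dlon), radius_m

def apply_privacy_zones(track, zones):
    """Drop points inside any zone; return the remaining track as segments.
    A route crossing a zone mid-activity is split, so no straight line is
    drawn through the hidden area.
    """
    segments, current = [], []
    for point in track:
        if any(haversine_m(point, c) <= r for c, r in zones):
            if current:
                segments.append(current)
            current = []
        else:
            current.append(point)
    if current:
        segments.append(current)
    return segments

# Constructed sample: an out-and-back run heading north from a made-up home.
HOME = (35.7800, -78.6400)
STEPS = list(range(10)) + list(range(8, -1, -1))
OUT_AND_BACK = [(HOME[0] + i * 0.0005, HOME[1]) for i in STEPS]

if __name__ == "__main__":
    zone = make_zone(HOME, 200.0, random.SystemRandom())
    for seg in apply_privacy_zones(OUT_AND_BACK, [zone]):
        print(len(seg), "points kept, first:", seg[0])
```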

The heatmap feature is active by default on all Strava apps, but users can opt out through settings.

Regarding profile settings, those worried about privacy should keep their user profiles on the Strava app private, which would not expose names and activity data.

BleepingComputer has contacted Strava requesting a comment on the paper’s findings and whether the software vendor has any plans for a fix, but we had not received a response by publication time.


