The next James Bond may be tracking his metrics on a fitness band; carefully uploading his favourite routes and posting a cheerful emoji at breaking a personal best for a 10k jog around a nuclear weapons site.

Open source investigations house Bellingcat has found that more than a few would-be 007s were doing just that; it identified individuals exercising at intelligence agencies, as well as embassies and near their homes.

“From (Nearly Everywhere) With Love”

The 6,500 unique users it identified were all using the fitness tracking app Polar, which revealed not just the daily activity but the identify of its users. The revelation comes after fitness app Strava was used to identify secret military bases.

Bellingcat researcher Foeke Postma wrote: “A selection of individuals that we found on the Polar site who were identifiable from their public information, and whose homes we were able to locate includes:

  • Military personnel exercising at bases known, or strongly suspected, to host nuclear weapons.
  • Individuals exercising at intelligence agencies, as well as embassies, their homes, and other locations.
  • Persons working at the FBI and NSA.
  • Military personnel specialised in Cyber Security, IT, Missile Defence, Intelligence and other sensitive domains.
  • Military personnel at Guantanamo Bay.
  • Troops stationed near the North Korean border.
  • Airmen involved in the battle against the Islamic State.
the next james bond
“They found us through your workout app!”

The Living Daylights

He added: “This list is not exhaustive. We were able to scrape Polar’s site (another security flaw) for individuals exercising at 200+ of such sensitive sites, and we gathered a list of nearly 6,500 unique users. Together, these users had made over 650,000 exercises, marking the places they work, live, and go on vacation.”

In January Nathan Ruser discovered that the fitness app Strava revealed sensitive locations throughout the world including at previously unknown military outposts.

Polar, best known for making the world’s first wireless heart-rate monitor, uses its site ‘Polar Flow’ as a social platform where users can share their runs. The company – which has not updated its UK press page since 2014, could not be reached for comment.

Postma added: “With only a few clicks, a high-ranking officer of an airbase known to host nuclear weapons can be found jogging across the compound in the morning. From a house not too far from that base, he started and finished many more runs on early Sunday mornings. His favorite path is through a forest, but sometimes he starts and ends at a car park further away. The profile shows his full name.”

It may be a quantum of solace for Polar that it is hardly alone: the embarrassing breach of operational security for its users is just the latest in a string of similar incidents, as complacency about the security aspects of the Internet of Things (IoT) lingers.

Last week Computer Business Review reported cybersecurity experts’ fears about UK Defence Secretary Gavin Williamson’s operational security, after he left his iPhone’s mic to open during a parliamentary session and was interrupted by voice assistant Siri.