Hackers can find your home on Strava even if you use privacy settings, researchers find
Belgian study shows "protected zones" can still be accessed by hackers 85% of the time
Hackers can still work out where your home or workplace is from your Strava activities, even if those locations are within "privacy zones", according to research from a Belgian university.
The study from PhD students at KU Leuven found that hackers, with limited effort, can discover up to 85% of protected locations.
The ability to hide where your home or workplace is was brought in by apps such as Strava to guard against thieves finding your home and therefore where you keep your bike. Police have previously warned users the platform could be used by criminals to target thefts.
Users on Strava can hide the start and endpoint of every activity, or also hide the start and end of activities around a specific address, such as home. On Strava, this feature is called an "endpoint privacy zone" (EPZ).
However, a recent study, titled "A Run a Day Won’t Keep the Hacker Away: Inference Attacks on Endpoint Privacy Zones in Fitness Tracking Social Networks", published at the end of last year, concluded: "Despite the usage of spatial cloaking, we show that these protected locations can still be discovered reliably. Our attack leverages the reported distances travelled within the EPZ [endpoint privacy zone], as well as the layout of the street grid to de-anonymize protected locations with a success rate of up to 85%.
"While distance-based countermeasures such as generalization can be effective at thwarting our attack, they can also severely reduce usability. Networks must, therefore, carefully consider which functionality they provide while guaranteeing user privacy."
In response, Strava said there had been no leaks or cyber attacks connected to this research, but didn't comment on whether it had taken any action on it.
"Privacy is our top priority to our global community, and we can confirm that there have been no leaks and no cyber attacks involving Strava or our community’s data in regards to this research," a spokesperson said.
"We welcome feedback from our community and note that we provide extensive privacy controls, including industry-leading map, profile and activity visibility controls, to empower everyone on Strava."
The researchers' "attack", as revealed in their research, combined three inputs to predict users' protected locations: distance information leaked in activity metadata, street grid data, and the locations of the entry points into the EPZ.
"In the metadata there is the distance value of the entire track — including the parts that are supposed to be hidden inside the privacy zone," Karel Dhondt, one of the researchers, told cyber security news site Dark Reading. "The distance that has been covered inside the privacy zone has been leaked."
"It's not like they [a hacker] have to forge API calls or alter ways they communicate with Strava," Dhondt said. "Whenever Strava draws the map of wherever the person went running or cycling, the high-precision API data is already there. You can use a developer tool and easily inspect network traffic. The data is just one keystroke away."
The loopholes can be mitigated, for example by starting activities further away from locations you want to protect, or by increasing the size of your EPZ. However, this could reduce the usability of the app.
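The leak Dhondt describes can be checked for on the platform side. The following is an added example, not code from Strava, the article or the KU Leuven paper: it compares the published distance with the length of the drawn track. The payload shape, the function names, the coordinates and the "distance from visible points only" setting are all assumptions made for illustration.

```python
import math

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lat2 = math.radians(a[0]), math.radians(b[0])
    dlat, dlon = lat2 - lat1, math.radians(b[1] - a[1])
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(h))

def path_length_m(points):
    """Length of a polyline, summed segment by segment."""
    return sum(haversine_m(p, q) for p, q in zip(points, points[1:]))

def visible_part(track, centre, radius_m):
    """Trim the leading and trailing points that fall inside the EPZ."""
    outside = [i for i, p in enumerate(track) if haversine_m(p, centre) > radius_m]
    return track[outside[0]:outside[-1] + 1] if outside else []

def publish(track, centre, radius_m, distance_from_visible_only):
    """Public view of an activity (hypothetical payload shape).

    distance_from_visible_only=False reproduces the leak: the polyline is
    trimmed, but the distance still covers the whole recorded track.
    """
    shown = visible_part(track, centre, radius_m)
    source = shown if distance_from_visible_only else track
    return {"polyline": shown, "distance_m": round(path_length_m(source))}

def hidden_distance_m(public):
    """Audit: metres the metadata reveals beyond the drawn polyline."""
    return public["distance_m"] - path_length_m(public["polyline"])

# Constructed sample: 11 points heading due north, about 111 m apart,
# starting at a made-up protected address with a 300 m zone around it.
HOME = (50.0, 4.0)
TRACK = [(50.0 + i * 0.001, 4.0) for i in range(11)]

leaky = publish(TRACK, HOME, 300, distance_from_visible_only=False)
fixed = publish(TRACK, HOME, 300, distance_from_visible_only=True)

if __name__ == "__main__":
    print("leaky payload reveals", round(hidden_distance_m(leaky)), "m inside the zone")
    print("fixed payload reveals", round(hidden_distance_m(fixed)), "m inside the zone")
```

A check like `hidden_distance_m` can run as a regression test against every field of the public payload that is derived from the full recording, not only the distance.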
According to the researchers, Strava responded to their research, but other app makers with similar privacy features did not, beyond thanking them for their efforts.
Adam is Cycling Weekly’s news editor – his greatest love is road racing but as long as he is cycling, he's happy. Before joining CW in 2021 he spent two years writing for Procycling. He's usually out and about on the roads of Bristol and its surrounds.
Before cycling took over his professional life, he covered ecclesiastical matters at the world’s largest Anglican newspaper and politics at Business Insider. Don't ask how that is related to riding bikes.