How Fitness Apps & Smartwatches Are Quietly Undermining National Security
BLUF: If you are in a sensitive NatSec position, do NOT/NOT use a smartwatch. Even if you are an average Joe, at least understand the risks.
Sometimes I feel like we are beating a dead camel when we talk about the counterintelligence risks of smartwatches, but this week, yet another world leader was put at risk due to his security detail’s use of Strava, an application and social media platform that allows users to track and share their fitness activity.
According to several reports, the Swedish Security Service Personal Security Detail (i.e., bodyguards) tasked with protecting Prime Minister Ulf Kristersson may have inadvertently compromised his safety by uploading their personal workout data. Per a detailed report from Dagens Nyheter, at least 35 workouts linked directly to Kristersson’s movements were made public on the app, revealing sensitive details about his private home address, travel routes, and official business.
A review of photos shows a plethora of Digital Tools Watches (D.T.W.s) on the wrists of Kristersson’s detail, mostly from Garmin, and it’s reasonable to assume this data was collected through the fitness-oriented smartwatches.

The Swedish Prime Minister running in Japan. Smartwatches are visible on security personnel's wrists. (Photo Credit: @kristerssonulf /Instagram)
The lapse, uncovered through an analysis of over 1,400 individual training activities posted by seven members of his detail, paints a troubling picture. Not only were the locations of the prime minister’s runs and private travels revealed, but so were security patterns around government offices, residences, and diplomatic movements. The Swedish Security Service, Säpo, has since launched an internal investigation and begun reviewing its protective protocols.

Swedish Prime Minister Ulf Kristersson wearing a Certina DS-1 Big Date. Of note, he also wears a smartwatch, a Garmin Forerunner, while running.
Really, Who Would Target the Swedish PM?
I know what you’re thinking: it’s Sweden. Is the Prime Minister really at risk? In February 1986, then Swedish Prime Minister Olof Palme was assassinated while walking unprotected with his wife in central Stockholm. The case remains controversial and officially unresolved.
Further, the Swedish PM has been involved in high-stakes negotiations in Ukraine and has an increasingly strained relationship with Russia. In short, all government leaders are potentially targets, whether from Sweden, the United States, or anywhere else.
Strava - A History Of NatSec Issues
Open source (OSINT) analysis of publicly available Strava data has led to several incidents in recent years, largely due to user naivety when it comes to privacy settings, and not necessarily vulnerabilities with the app itself. In 2018, Strava’s global heat map exposed secret U.S. military bases, and since then, similar incidents have revealed French nuclear submarine routes, President Emmanuel Macron’s bodyguards’ movements, and even the identities of British Special Air Service (SAS) operators. The danger is real.

In 2024, a former Russian submarine commander was assassinated, reportedly with the help of information obtained from his public Strava profile, data likely collected by his GPS-enabled Garmin Fenix 6X. What begins as harmless fitness tracking can quickly spiral into real-world consequences.
Isn’t The Risk The Same As An iPhone?
As some will be quick to point out, the vulnerability in this case is not the smartwatch itself, but rather the data collected via the smartwatch and uploaded to publicly accessible Strava accounts.

(Photo Credit: James Rupley/W.O.E.)
That said, the use of a smartwatch does increase the potential vectors for exploitation by a sophisticated adversary. When used properly, the microphone of an Apple Watch or other smartwatch is always within range of the wearer's voice, unlike a phone, which may be in your pocket or on the desk in the next room.
Further, smartwatches collect more data than an iPhone, including heart rate, sleep patterns, and even subtle hand movements, which some studies suggest can be used to decipher passwords. Much of this data is processed by third-party apps with varying levels of security. More importantly, unlike a phone, the smartwatch is easily replaced with an analog tool called a watch, which can’t be hacked.
COROS Smartwatch Hack

COROS, an attainable fitness smartwatch brand, was revealed to have serious data security inadequacies. (Photo Credit: SySS Tech Blog)
While I suspect the Apple Watch is likely among the most secure (read: least vulnerable) options on the market due to iOS ecosystem controls, the reality is no connected device is immune to compromise.
COROS, a popular fitness watch brand known for long battery life and affordability, is facing major scrutiny after a German security firm uncovered critical Bluetooth vulnerabilities across its entire product line. The flaws allow attackers within Bluetooth range, especially around Android phones, to hijack a device, access user data, read messages, inject fake notifications, reset the watch, and even crash it mid-use.
The root issue allegedly lies in COROS's outdated Bluetooth implementation, which bypasses modern security protocols. The situation underscores the importance of robust security practices, something smaller tech companies often struggle to prioritize.

Army Gen. Michael "Erik" Kurilla wearing an Apple Watch while testifying for nomination for CENTCOM 2022.
Final Thoughts - Learn From The Mistakes Of Others
The Swedish flap is yet another reminder that the counterintelligence risks of connected devices are real and cannot be ignored. The simple fix is educating members of your unit or team on the risks of smartwatches, phones, and other data-sharing applications. Whether it’s social media posts, fitness trackers, or smartphone geotags, the breadcrumbs we leave behind are being watched, collected, and, potentially, weaponized.

A member of the US Secret Service Counter Assault Team (CAT) is seen wearing an Apple Watch at the capital.
For those in sensitive NatSec positions, especially those responsible for the security of heads of state, discipline in the digital domain is no longer optional. Apps like Strava are designed to promote community and accountability, but they operate on the assumption that users are in control of their privacy settings and understand the implications of sharing location-based data.
The fact that these protective specialists, presumably highly trained professionals, continued to post open location data for over a year suggests a deeper cultural issue that permeates military forces around the globe, including the United States. It is not just a failure of the individual, but of the systems in place to train, monitor, and enforce secure digital behavior.
The Swedish case serves as another stark warning to other governments. If you are not training your personnel in digital counterintelligence, you are already behind.
At Watches of Espionage, we often say that a watch can tell more than just time. In this case, it tells the bad guys where you are. Remember, you can’t hack a Seiko.
4 comments
People become addicted to technology.
I used to watch a YouTube channel called Perkins Builder Brothers, just to see how houses are built in the US.
They’re carpenters from North Carolina.
One of them has diabetes and wears an insulin monitoring device attached to his body. When he experiences a low blood sugar episode (hypoglycemia), the device sends a notification to his Apple Watch and phone, as well as to his wife’s phone.
From my experience on construction sites, it’s much easier to glance at a watch than to grab a ringing phone.
In cases like this, there’s no doubt about the health benefits of smartwatches.
Shooting Olof Palme was easy since he sent away his bodyguard (perhaps to meet with Soviet personnel, Palme a socialist – his bodyguards USA-friendly SÄPO).
There will always be gaps in security that can be used or countered.
This is a mistake that could have been excused 5 years ago, but in 2025 . . .