Scam Watcheroo's World Record 1 Mile Run in 3 min 30 sec

Okay, so a Strava file uploaded after-the-event can be massaged before uploading, or apparently, even created on the computer from scratch, before uploading. But what about real-time upload of GPS/Garmin data, while the event is in progress (or appears to be)? Can that be massaged real-time? It would require a special hack?

Real time GPS data from a device like the Garmin Inreach can also be spoofed because there is an open API for any program to send back the GPS coordinates without any type of chain of trust. It's essentially just a few coordinate numbers that get sent.

After I get the Strava spoofing working for my world record run across America, I will give a shot at spoofing real time GPS data if I can sign up for one of this accounts.

This puts into question that guy who recently broke the trans US record.

Thanks for demonstrating this being done instead of merely saying that it can be done.

Someone on the Amy 520 mile thread was challenging someone to create a 2 hr something route of the London Marathon. I have always assumed that it would be quite simple to fudge the data, so I gave it a go, but never posted it to the forum because I did not want to spend any more time making it truly authentic. It was mainly to satisfy my own curiosity.

I took the gps coordinates for the London Marathon route from one of the map my run websites since I've never set foot in London. Once I had that, generating the .gpx file was easy as pie. It really is just a text file with gps coordinates. I used a library function to calculate the distance between gps points and manipulated the time between points to achieve the desired speed. That really was it.

So then I was curious about generating an actual .fit file. The file is binary, but the specs and sample code are all available online. I used legitimate .fit files as a template and added my own bogus gps points and speed. I did not generate a cadence or hr track, but there is not anything special about those tracks that would require anything more complicated than the speed calculations.

Both of the files uploaded successfully to Garmin Connect, even for a future date!

So, would the .fit file pass muster when examined by a Garmin engineer? I'm going to say NO. Their distance calculations did not match mine exactly, and there are many different algorithms for calculating those distances. Apparently the Garmin algorithm is proprietary, or uses a different level of precision than the library I was using, etc. It's also possible that they have hidden Easter eggs in the file that I would not be privy to.

So, all that being said...the gps files could easily be created to fool anyone who does not have specific knowledge of any proprietary information Garmin encodes in the .fit file.

Could you upload your 2 hour London Marathon world record run so we can bask in its glory?

Scam_Watcheroo wrote:

Could you upload your 2 hour London Marathon world record run so we can bask in its glory?

The original request was to set the file for a future date, so I ran my program again and set the date to 10/1/17. Interesting thing...I swear that when I uploaded it to Garmin Connect a couple of months ago, it actually took the future date! This time, it forced the run to today's date (9/25/17), which implies that Garmin added a little reality check in there. Still, the stellar run is intact. Let me know if it works for your Strava. I'm not on that service. I could set it for an earlier date if it doesn't work for some reason.

Here is a temporary link to the file I generated:

I forgot about this, but I did add tracks for HR and elevation along with gps and speed. Yes, you will see that the speed and HR are too steady to be real, but, trust me, that's irrelevant. You could apply any type of formula you want to make the numbers look more realistic.

Garmin CIQ accepted the file but it didn't appear on Strava; I suspect it may do so on the first October since it did transfer to training peaks with that date. I was slightly disappointed to see it is a 2.35 effort - can you make a 2.00 version?

Strava loser wrote:

I was slightly disappointed to see it is a 2.35 effort - can you make a 2.00 version?

2:00 is too slow for a marathon. Make it a 1:59.

Scam_Watcheroo wrote:

Strava loser wrote:

I was slightly disappointed to see it is a 2.35 effort - can you make a 2.00 version?

2:00 is too slow for a marathon. Make it a 1:59.

I happen to agree! 1:59 will definitely impress your friends, so here you go. London in 1:59, using yesterday's date:

Nice. Very nice. LRC hackers have discovered pre 1985 hacking capabilities.

Flounder wrote:

Nice. Very nice. LRC hackers have discovered pre 1985 hacking capabilities.

Found Footage of Scam_Watcheroo and the other LRCers at work:

ScamMaster 2000 wrote:

Scam_Watcheroo wrote:

2:00 is too slow for a marathon. Make it a 1:59.

I happen to agree! 1:59 will definitely impress your friends, so here you go. London in 1:59, using yesterday's date:

I've uploaded your file to my Strava to claim my 1:59 world record marathon. Thanks, coach!

Sadly it seems my fake Garmin didn't record cadence and the heart rate could use a bit of random number noise.

Pace could also do with a touch of randomization and adjustment for gradient.

Why did you make your Strava private?

Strava loser wrote:

Why did you make your Strava private?

I've set it to public now. It's suppose to be a spoof account so not much value in having it public.

Strava loser wrote:

Pace could also do with a touch of randomization and adjustment for gradient.

Yes, to make this track appear 100% authentic, the pace would need to be adjusted for hills and randomized a little bit for level ground. I'd have to look at some of my "real" runs to get a feel for how much deviation occurs with pacing on level ground and on hills, and then apply those findings to the speeds between points. This could all be done automatically once a formula is determined.

Same thing with heart rate. It should fluctuate a bit, but there should be a steady increase over the duration of the run, plus moments where it goes high when going up a hill or increasing speed. I'd probably determine some level of "effort" which would be a combination of speed and elevation change and use that to determine how to adjust the hr for each data point.

My watch (Garmin 910xt) does not provide cadence data in its .fit files, so that's why I didn't include it in this file. However, with a footpod, I am able to record cadence. I could add that into the file, but I didn't really see the point. I know in the other thread, people seemed to think that would be a difficult thing to fake, but it's actually just a number like the heart rate. For every gps point, you include a value that is the steps per minute. You can make that steps per minute value whatever you want and randomize it a little bit to avoid a disconcerting level of consistency.

For my purposes, the above files satisfied my curiosity that it was possible for me to spoof an entire run on a course that I have never run at all. Yes, I can think of several ways to make the data more authentic, and I am sure that I would if I were in the business of scamming people. If all of this talk of formulas does not convince you, then a rudimentary way to ensure data authenticity would be to ride the entire course on your bicycle. In that case, you'd have all of the appropriate GPS coordinates, and a heart rate and speed that would increase and decrease based on the terrain. You could then multiply the heart rate & speed by a factor, and completely fudge the cadence to whatever steps per minute you wanted.