The Garmin Ransomware Attack Is Much Bigger Than You Think

This Garmin ransomware attack is a huge deal. Sure the thing that people are talking about is that athletes who use their kit can’t upload and analyze their runs, rides, or anything else that they might have done for the last several days. But it’s much worse than that on multiple fronts. Let’s start with the fact that Garmin does more than just fitness gear. They do car SatNav systems, marine SatNav systems, and aviation SatNav systems. The latter has now become an issue based on this Reddit post:

As of right now the FAA has just grounded our small fleet of aircraft (won’t say which company) as we rely on Garmin aviation database on our navigational systems. We need to run an up-to-date version of this database (it’s a FAA requirement) and can’t comply. from r/Garmin

That’s not good. If aircraft get grounded, and aircraft fleet owners can’t make money, lawyers get called. And Garmin’s nightmare will go from bad to worse when those lawyers start to call Garmin HQ.

And there’s the fact that it appears that their top end smart watches that are preferred by runners seem to have developed issues since this outage has started:

Garmin’s smartwatch woes continue as GPS and run tracking for distance wasn’t available and devices such as the Fenix line were caught in a “saving” loop that required a reset. The same problem affects indoor activities even without GPS connections. 

At the moment, it’s unclear whether the GPS signal issues with the Garmin devices are related to the company’s ransomware attackand bungled handling of it, but your Sunday morning run won’t be quantified.

Bad as that those two things are, it’s actually worse than that.

Let’s say whomever launched this attack was in Garmin’s network for weeks, months, or years. They could have stolen all sorts of data from Garmin’s network. Be it intellectual property, like the designs for new products. Or your personal data. Such as your name, address, your email address, the name or names of your emergency contact info and their personal info. Not to mention all the location data from whatever activities you do. The personal info could be used to launch targeted phishing attacks that would be very convincing. The latter could be interesting for someone who wanted to learn more about you so that they could exploit you in some way.

Oh, it actually gets worse than that.

People have been saying why haven’t Garmin gotten things online yet. Those people would include me:

Then they put out a FAQ on Saturday that you can find here. My thoughts on that were as follows:

Now Garmin’s response to this from a PR perspective has been in a word, shambolic. They have done a horrible job of reassuring users and giving said users an incentive to stick with the brand and not defect to a competitor. But here’s the reality that even I need to remember. They likely could not share a whole lot with Garmin users in terms of detail. Possibly because they don’t know how bad this is. Possibly because law enforcement is involved and they told Garmin to keep quiet. Or possibly because lawyers are involved and they told Garmin to keep quiet. But let’s say that they don’t know how bad this is. That would mean that Garmin was and still is auditing the hell out of their systems to figure out if they can carve out and isolate the sections that have been affected by the ransomware, and checking over everything else to make sure that nothing is lying in wait to encrypt everything in sight. On top of that, they would need to audit their backups and make sure that they don’t have anything lying in wait by doing a test backup and looking for anything bad. That’s important because as I said earlier, if the bad actors were in the Garmin network for weeks, months, or years, those backups would be worthless. Which means that this outage will drag on for a very long time. As in weeks or perhaps longer. Unless of course Garmin pays the $10 million that the bad actors behind this want. Which they likely won’t. Or at least they shouldn’t.

At least Garmin is looking for a Cyber Security Engineer to make sure that this doesn’t happen again. Though that’s cold comfort to Garmin users at the moment.

One final point, if you read their FAQ which you can find here, it says this among other things:

Was my data impacted as a result of the outage?

Garmin has no indication that this outage has affected your data, including activity, payment or other personal information.

Having “no indication” that users data was affected is not a definitive statement. That seems to indicate to me that Garmin must think that user data might have been affected in some way. That’s not good if you’re a Garmin user. And it may be enough to send you to a competitive product.

So this is a very bad situation for Garmin and for their customers. But as I type this, Garmin appears to be starting to get their Garmin Connect infrastructure online. So there may be light at the end of the tunnel for those who use Garmin products. But still, there’s a lot of questions that will need to be answered about this incident. And since Garmin is scheduled to report their quarterly results on Wednesday, and that reporting is usually accompanied with a Q&A session with key executives, I for one will be interested in what they have to say about this incident.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: