The IT Nerd

Garmin has just posted a news release admitting that it was a victim of a cyberattack. Here’s the relevant part:

Garmin Ltd., today announced it was the victim of a cyber attack that encrypted some of our systems on July 23, 2020. As a result, many of our online services were interrupted including website functions, customer support, customer facing applications, and company communications. We immediately began to assess the nature of the attack and started remediation. We have no indication that any customer data, including payment information from Garmin Pay™, was accessed, lost or stolen. Additionally, the functionality of Garmin products was not affected, other than the ability to access online services.

Affected systems are being restored and we expect to return to normal operation over the next few days. We do not expect any material impact to our operations or financial results because of this outage. As our affected systems are restored, we expect some delays as the backlog of information is being processed. We are grateful for our customers’ patience and understanding during this incident and look forward to continuing to provide the exceptional customer service and support that has been our hallmark and tradition.

Well, this is better than what Garmin had been doing up until this point. Which is to not have that much communication with their customer base. In my testing with my Garmin Edge 830 cycling computer along with the Garmin Connect app I can confirm that some of the functionality is working. Specifically:

• I can see my activity history again in Garmin Connect. Though I am missing a cycling activity from Thursday that is thankfully present in Strava. Because, if it is not in Strava, it didn’t happen.
• Syncing from my Edge 830 isn’t working. None of the activities that I see in Garmin Connect isn’t syncing down to the Edge 830.
• There are still error messages in Garmin Connect saying that they are still down which isn’t a surprise as Garmin has made it clear that it will take days to fully bring things online.

The thing is that this will not likely keep people from asking questions about what happened, and more importantly what Garmin is going to do to make sure that this doesn’t happen again. I suspect that we might get those answers on Wednesday when Garmin releases their quarterly statement.

UPDATE: If you want to check the status of Garmin’s various services that are related to Garmin Connect, click here to see their status page.

This Garmin ransomware attack is a huge deal. Sure the thing that people are talking about is that athletes who use their kit can’t upload and analyze their runs, rides, or anything else that they might have done for the last several days. But it’s much worse than that on multiple fronts. Let’s start with the fact that Garmin does more than just fitness gear. They do car SatNav systems, marine SatNav systems, and aviation SatNav systems. The latter has now become an issue based on this Reddit post:

As of right now the FAA has just grounded our small fleet of aircraft (won’t say which company) as we rely on Garmin aviation database on our navigational systems. We need to run an up-to-date version of this database (it’s a FAA requirement) and can’t comply. from r/Garmin

That’s not good. If aircraft get grounded, and aircraft fleet owners can’t make money, lawyers get called. And Garmin’s nightmare will go from bad to worse when those lawyers start to call Garmin HQ.

And there’s the fact that it appears that their top end smart watches that are preferred by runners seem to have developed issues since this outage has started:

Garmin’s smartwatch woes continue as GPS and run tracking for distance wasn’t available and devices such as the Fenix line were caught in a “saving” loop that required a reset. The same problem affects indoor activities even without GPS connections. 

At the moment, it’s unclear whether the GPS signal issues with the Garmin devices are related to the company’s ransomware attackand bungled handling of it, but your Sunday morning run won’t be quantified.

Bad as that those two things are, it’s actually worse than that.

Let’s say whomever launched this attack was in Garmin’s network for weeks, months, or years. They could have stolen all sorts of data from Garmin’s network. Be it intellectual property, like the designs for new products. Or your personal data. Such as your name, address, your email address, the name or names of your emergency contact info and their personal info. Not to mention all the location data from whatever activities you do. The personal info could be used to launch targeted phishing attacks that would be very convincing. The latter could be interesting for someone who wanted to learn more about you so that they could exploit you in some way.

Oh, it actually gets worse than that.

People have been saying why haven’t Garmin gotten things online yet. Those people would include me:

Then they put out a FAQ on Saturday that you can find here. My thoughts on that were as follows:

Now Garmin’s response to this from a PR perspective has been in a word, shambolic. They have done a horrible job of reassuring users and giving said users an incentive to stick with the brand and not defect to a competitor. But here’s the reality that even I need to remember. They likely could not share a whole lot with Garmin users in terms of detail. Possibly because they don’t know how bad this is. Possibly because law enforcement is involved and they told Garmin to keep quiet. Or possibly because lawyers are involved and they told Garmin to keep quiet. But let’s say that they don’t know how bad this is. That would mean that Garmin was and still is auditing the hell out of their systems to figure out if they can carve out and isolate the sections that have been affected by the ransomware, and checking over everything else to make sure that nothing is lying in wait to encrypt everything in sight. On top of that, they would need to audit their backups and make sure that they don’t have anything lying in wait by doing a test backup and looking for anything bad. That’s important because as I said earlier, if the bad actors were in the Garmin network for weeks, months, or years, those backups would be worthless. Which means that this outage will drag on for a very long time. As in weeks or perhaps longer. Unless of course Garmin pays the $10 million that the bad actors behind this want. Which they likely won’t. Or at least they shouldn’t.

At least Garmin is looking for a Cyber Security Engineer to make sure that this doesn’t happen again. Though that’s cold comfort to Garmin users at the moment.

One final point, if you read their FAQ which you can find here, it says this among other things:

Was my data impacted as a result of the outage?

Garmin has no indication that this outage has affected your data, including activity, payment or other personal information.

Having “no indication” that users data was affected is not a definitive statement. That seems to indicate to me that Garmin must think that user data might have been affected in some way. That’s not good if you’re a Garmin user. And it may be enough to send you to a competitive product.

So this is a very bad situation for Garmin and for their customers. But as I type this, Garmin appears to be starting to get their Garmin Connect infrastructure online. So there may be light at the end of the tunnel for those who use Garmin products. But still, there’s a lot of questions that will need to be answered about this incident. And since Garmin is scheduled to report their quarterly results on Wednesday, and that reporting is usually accompanied with a Q&A session with key executives, I for one will be interested in what they have to say about this incident.

Garmin has had an outage for the last few days that has taken down its call centers and more importantly has taken down the Garmin Connect service that allows their athletes to sync and analyze their efforts. Reportedly the cause of this outage is a ransomware attack. Specifically the “WastedLocker” ransomware. While Garmin has unsurprisingly not confirmed this, many people who are in a position to know have. And those same sources have told Forbes that the price to end this nightmare is $10 million:

The ransom note tells the recipient to email one of two email addresses to “get a price for your data”. That price, Garmin’s sources have told BleepingComputer, is $10 million.

Now I am not an advocate of paying ransoms as the best way to protect yourself is to back up regularly and use those backups to rescue you from a situation like this. But it’s more complicated for Garmin. If they don’t pay the ransom, they will end up facing more and more anger from their user base made up of athletes, drivers, and pilots. The latter could be serious as pilots need to download maps to allow them to fly safely. And they can’t at the moment. But it’s all bad for Garmin the longer this goes on.

Conversely, if they do pay the ransom…. Well….. That’s complicated because of who’s behind this ransomware attack. Here’s what Bleeping Computer had to say:

Evil Corp (aka the Dridex gang) is a Russian-based cybercriminal group active since at least 2007 known to be the ones behind Dridex malware and for using ransomware as part of their attacks including Locky ransomware and their own ransomware strain known as BitPaymer.

The U.S. Treasury Department sanctioned evil Corp gang in December 2019 after being charged for using Dridex to cause more than $100 million in financial damages.

Due to this, it is a tricky situation for Garmin if they want to pay the ransom as they would potentially be violating United States sanctions.

So you have to wonder what Garmin is going to do as the clock is ticking, the money they are losing is growing, and the anger from their user base is growing. That’s not a great place to be if you’re Garmin.