The Garmin Ransomware Hack Is Horrifying

The hack reveals that fitness tracking companies are vulnerable troves of sensitive data and aren't taking your privacy seriously.
July 28, 2020, 6:18pm
Image: Garmin

The Garmin ransomware attack that took down the GPS company’s fitness tracking apps, customer service infrastructure, and most of its services was a devastating attack that should worry anyone who uses a smartwatch or other wearables.

The attack, which encrypted much of Garmin’s data, demonstrates that companies that collect and use highly sensitive GPS, health, and fitness data are targets for hackers and that Garmin—one of the giants in this space—did not take cybersecurity seriously. Garmin’s “Connect” app was down for days. The company has not been terribly forthcoming about the hack or what was affected, offering only a vague statement. Garmin devices are used by people to track their workouts, but are also used by the U.S. military and by boat captains who rely on the company’s technology to avoid being lost at sea, for example. There is currently no indication that boat or military systems were affected.

Still, the hack is devastating.

“For consumers, Garmin clearly represents a repository of really detailed information. You turn on your thing when you leave your residence, and you turn it off when you get home. Sometimes, you take a jog in the middle of the day and you're trying to collect steps at work. These are all things that speak of who you are and what you do and where you live, and can all be quickly turned into identifying information,” John Scott-Railton, a senior researcher at Citizen Lab at the University of Toronto, told Motherboard.

“A couple of years ago, I coined the term fit leaking to describe what happens when fitness tracking is used for intelligence gathering,” he added.

While most Garmin smartwatches do not connect to the internet natively and store workout information on the devices themselves, the Garmin Connect app does not allow users to transfer their workout information to the app without storing it on Garmin’s servers. Garmin allows users to “Opt Out” of sharing workout information with the company, but opting out makes the app essentially useless: “our apps and websites can still be used to manage device settings and notifications [if you opt out],” the company says, but no workout data will be displayed.

In 2018, the Guardian reported that fitness tracking app Strava gave away the location of secret U.S. army bases by releasing a data visualization map that detailed the activity of Strava users. The data visualization map could be used to identify U.S. bases by mapping the activity of military personnel using the app, which became apparent in places like Afghanistan and Syria where it appeared the app was almost exclusively used by those in the military.

Scott-Railton also noted that while many consumers may know Garmin for its wearable smartwatches and sports and fitness tracking systems, the company also has a full fleet of navigational products which are used both in marine navigation and aviation. It is not clear to what extent these were affected in the attack. The BBC reported that pilots who use flyGarmin, which is used for navigational support, were unable to download up-to-date aviation databases.

“What's interesting is that this is one of those cases where something that's actually really critical to safety also has a consumer dimension,” Scott-Railton said.

When asked for comment, a spokesperson for Garmin sent Motherboard a link to a press release published on the company’s website.

“We immediately began to assess the nature of the attack and started remediation,” the company said in its press release. “We have no indication that any customer data, including payment information from Garmin Pay™, was accessed, lost or stolen.”

Some of the services the company did list as affected include website functions, customer support, customer-facing applications, and company communications. The company said affected systems are being restored and should return to normal over the next few days.

Though not confirmed by Garmin, reports suggest the company was the victim of ransomware called WastedLocker, which the cybersecurity software provider Symantec, a division of Broadcom, said had been deployed against dozens of U.S. companies.

“The end goal of these attacks is to cripple the victim’s IT infrastructure by encrypting most of their computers and servers in order to demand a multimillion dollar ransom,” Symantec wrote in a recent blog post.

Scott-Railton, who has been following the Garmin incident as it unfolds, said he expects cyberattacks on companies to continue.

“I think everyone would tell you that the tempo of attacks is going up, and that this is also a period of time where IT teams are uniquely stretched, and large chunks of the workforce are operating remotely and based on VPN, and that just massively expands the threat surface for your organization,” Scott-Railton said. “Especially when it comes to things like attacks that focus on targeting specific users.”