How Garmin (and Ransomware) Destroyed my Dream

Six days. It’s been six days and Type A fitness junkies are losing their minds. This is how long Garmin Connect (along with a bevy of other Garmin services) has been down. I noticed it first on Friday when I tried to upload a bike ride to Garmin Connect and was greeted with a large yellow notice stating “Sorry, we’re down for maintenance. Check back shortly.” A quick search online confirms an outage was first reported by Garmin on Thursday, July 23 at 8:35AM via Twitter. Today is Tuesday the 28th and here is Garmin’s Status Board in all its glory—

Garmin System Status as of 7/28/2020. No bueno

You get the idea. Things are “No Bueno” for Garmin right now.

Background

Garmin is a major multinational manufacturer of GPS devices, including handheld and wearable units. They are a publicly traded company and posted $3.785 billion in revenue for 2019. Personal consumers, such as yours truly, buy Garmin watches to track activities and upload them via Garmin Connect, their online service that takes the GPS data, analyzes it, provides feedback on your activity, level of effort, calories burned, average speed, and allows 3rd party apps like Strava to read it as well.

It's an existential crisis, who am I if not my data?

The outage started last Thursday, and initial reports started trickling in by Friday that Garmin had been hit with a ransomware attack. Official updates from Garmin have been non-existent, and Garmin’s official press release confirming the attack only came out on Monday, a whole five days after the outage began. They appear to be taking the “starve them of information and they will stop reporting about our horrible situation” approach.

So, we must turn to the Internet, the land where everyone has the inside scoop and inaccuracies abound. Keep in mind, little to none of this information has been officially verified by Garmin so take it with a grain of salt. I’ve included references at the end of the post for anyone interested.

  1. Garmin was allegedly infected with the WastedLocker ransomware, which is believed to have been developed by Evil Corp. Evil Corp was the target of US Treasury sanctions in December of last year, making it illegal for US companies to engage in transactions with them, which may include ransom payments.
  2. Services impacted include the majority of their online apps including Garmin Connect, Strava integration, FlyGarmin navigation services, company call centers, and manufacturing operations in Taiwan. This was a worldwide outage for Garmin.
  3. Ransom amount was reported at $10 million dollars.
  4. Insiders report onsite backups were encrypted as well.
  5. There are reports that the ransom was paid by Garmin, but through a third party. This may be in violation of US sanctions placed on Evil Corp., and is one of the reasons a company may look to a third party to facilitate the transaction.
  6. Garmin online services started slowly coming online on Monday July 28th, but as of Tuesday are still not fully functioning. This could be due to a significant backlog of queued up data being sent in from Garmin devices.
All that queued up data is coming for you Garmin.

Takeaway

  • Response to critical breaches like this is almost as important as preventing them. Internal legal teams will try to control the flow and content of released information to avoid legal fallout, potential fines, and other business nasties. Judging by the comments on Reddit in the r/Garmin sub, customers are generally displeased with the lack of communication during the incident. Companies need to practice Incident Response like they practice Disaster Recovery, so they are prepared when the real thing happens. Cloudflare’s response to a similar outage last year is generally considered to be well done, and can serve as a model for other organizations.
  • It was reported that Garmin’s onsite backups were encrypted as well. This is a typical first step for ransomware attackers: if they can take control of, and then remove, system recovery as an option, companies may be more inclined to pay the ransom. Typical defenses against this include isolating your backup assets from the rest of the environment, not joining backup hosts to Active Directory (for Windows hosts), and leveraging immutable backup technology.
  • Time is of the essence. Working in IT we understand that even the best maintained and secure system can still be breached. As they say, it’s not if you get hacked, but when. No connected system is 100% secure. However, consumer confidence drops with every passing day when they can’t use the service. Incidents and outages happen, yes, but it should be the company’s priority to return to service as quickly as possible. Is a six-day outage enough to harm Garmin’s reputation? Hard to say (and the market seems to think not, as their stock price has mostly rebounded), but I think if this went on for another month, Garmin may be waking up to a world with a significantly smaller customer base.
Garmin Stock Price during the outage.
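The second takeaway above (onsite backups silently turned into ciphertext) is something a defender can catch early with a simple integrity sweep. The following is an added example written for this post, not Garmin’s code or anything from the incident; it assumes backups are ordinary gzip/zip/tar archives on disk and runs over constructed sample files.

```python
import gzip
import math
import os
import random
import tempfile
from collections import Counter

# Expected leading bytes for common backup archive formats (assumed set).
MAGIC = {".gz": b"\x1f\x8b", ".zip": b"PK\x03\x04"}
TAR_MAGIC_OFFSET, TAR_MAGIC = 257, b"ustar"  # POSIX tar keeps its magic at offset 257


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; ~8.0 means uniformly random, typical of ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def header_matches(path: str, head: bytes):
    """True/False when the extension has a known signature, None when it is unknown."""
    ext = os.path.splitext(path)[1].lower()
    if ext == ".tar":
        return head[TAR_MAGIC_OFFSET:TAR_MAGIC_OFFSET + len(TAR_MAGIC)] == TAR_MAGIC
    magic = MAGIC.get(ext)
    return None if magic is None else head.startswith(magic)


def check_backup(path: str, sample_bytes: int = 4096, threshold: float = 7.5) -> dict:
    """Flag a backup whose header no longer matches its name and whose bytes look random.
    Entropy alone would false-positive on every healthy .gz, so the header is the deciding
    signal; an unknown extension is only flagged when its content is near-random."""
    with open(path, "rb") as f:
        head = f.read(sample_bytes)
    header_ok, ent = header_matches(path, head), shannon_entropy(head)
    return {"header_ok": header_ok, "entropy": round(ent, 2),
            "suspicious": (not header_ok) and ent > threshold}


def run_demo() -> dict:
    """Write three constructed sample files to a temp dir and scan them."""
    rng = random.Random(2020)  # deterministic stand-in for ciphertext
    samples = {
        "activities.tar.gz": gzip.compress(b"ride,2020-07-24,32.1km\n" * 200),  # healthy
        "config.zip": b"\xff" + bytes(rng.getrandbits(8) for _ in range(4095)),  # "encrypted"
        "notes.txt": b"weekly backup log\n" * 100,                                # plain text
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
            results[name] = check_backup(os.path.join(d, name))
    return results
```

Run it nightly from a host the production domain cannot reach, and alert on any `suspicious` verdict before a restore is ever needed.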

Personal Impact

It’s been awful, I have to admit. I need feedback from my rides to let me know if my fitness is improving (rarely), consistent, or regressing (bingo!). Ransomware (and Garmin’s slow response) has robbed me of the ability to chart my progress as a fledgling weekend warrior. I had to resort to the unimaginable – plugging my watch directly into a PC to upload the data to Strava. We have finally hit bottom, team.

Welcome to 2010 again.
