That article is awful. Usually Vice have a much better standard.

Nowhere does it point out exactly what they are not doing to protect themselves. It just makes a blanket statement, a click grabbing headline.

The article offers no new information, and no fact apart from what we know - it was a ransomwear attack from a well known group that are one of the most sophisticated in the world.

It doesn't say what user data was leaked, if any.

It doesn't say how the breach occurred.

Poor journalism.

From the article:

"The attack, which encrypted much of Garmin’s data, demonstrates that companies that collect and use highly sensitive GPS, health, and fitness data are targets for hackers and that Garmin—one of the giants in this space—did not take cybersecurity seriously."

They offer nothing to back this up, and it's a powerful statement. They're accusing Garmin of not taking it seriously, but with no details on what they did or didn't do. Meanwhile it could have been the result of a 0 day threat; a brand new vulnerability that the people responsible for IT security couldn't have known about or protected against.


This article was written to trash Garmin, capitalize on the outrage and nothing else. Very poor journalism.

Ditto above-- terrible article. The author has no clue what actually happened, yet he immediately concludes Garmin "did not take cybersecurity seriously." He has no basis for that statement. These attacks are extremely clever, and getting hit is not synonymous with not taking it seriously.

I have clients asking me about security specifically because of this, and we are redesigning new protocols. They have, and are taking it very seriously, but that will not stop a hit. The problem in the world, is that many businesses simply do not know what to do and do not have the resources to stay ahead of a very creative bunch of cyber attackers.

I hear you, l didn't write the article but it looks like garmin is releasing very little info to clarify what actually happened.

Clearly these are some clever hackers and they obviously have more resources at their disposal than massive garmin, or so it seems.

---

Advanced Aero TopTube Storage for Road, Gravel, & Tri...ZeroSlip & Direct-mount, made in the USA.
DarkSpeedWorks.com.....Reviews.....Insta.....Facebook
--

Damnit now some Chinese hacker has access to my secret training plan to break 1:20 for the half marathon.

They very well might not be releasing anything because if it’s an unknown vulnerability, any agency working on the hack may be trying to get that out to end users of the vulnerability.

This.. the data isn't valuable, the ransome money is.. I suspect Garmin paid up. Breaking the encryption in just four days would be remarkable.

Gasp! Are the bad guys going to share my weight and age!? This is NOT okay. Everybody knows that is super secret info.

---

Hillary Trout
San Luis Obispo, CA

Your trip is short. Make the most of it.
https://www.slogoing.net/

I would not expect Garmin to release anything significant while in the throes of analysis and restoration. They probably have not even completed their own internal post-mortem of what happened and what failed. And, they are probably frenetically working to re-engineer their infrastructure so that this cannot be repeated.

To your second point, getting hit and encrypted is not a huge sign of failure. An active group of hackers have the potential to out-clever most organizations. But, I am curious why Garmin's backup strategy failed. Something went more wrong than they had anticipated which killed a fast recovery. This is what I want to learn about.

Or, it all could have worked perfectly. Garmin could easily have fully restored its infrastructure from backup from the start, and then spent the next few days hardening their infrastructure and testing before switching it back online to users.

No, they are going to get your weight and height, then hold you ransom when your garmin data does not match your zwift data....
or group ride ransom "I have not been riding a lot" "today is just an easy day" OH REALLY???? your data says otherwise!

I know this is a joke, but there is a shit load of data that these devices are pulling right now. If someone can hack into garmin I can guarantee they can find trends in the data that would be useful. Ignoring if they got user names and passwords or linked user names and passwords, there is also garmin pay data. You can pull out of the data when people aren’t home and gone for work or working out since some people are very consistent doing that. That also doesn’t include aviation data, but until they release what if anything was taken it’s hard to know.

Most people start their activity from their driveway. The Garmin data is going to show exactly where everyone lives. If you use your real name as your login then they know who you are and where you live.

If you exercise on a pattern, like most of us, then they also know when the house is empty and about how long it will be that way.

It isn't ground breaking information like your credit card or social security number, but it could be used for bad things if you fit a certain set of parameters.

---

"...the street finds its own uses for things"

You are doing it wrong if there is anything of value left in the house when you left and went for a bike ride

Except if

you live in an apartment complex;

you don't live alone;

you live in an urban city environment; or

probably other scenarios I can't think of at the moment.

Of course this isn't something I'm too worried about since I don't use Garmin.

Not sure anyone would pay for that information from Russian hackers though, since you could go out on Strava and get it for free. Perhaps not in bulk, but you could easily pick a high end neighborhood and find it.

I have no doubt there is some info out there that could be a problem, but I’m just not sure my address is one of them. If someone really wanted to break into my (or virtually anyone’s) house, they could. You don’t need to hack Garmin for that my biking and running habits to acquire such info.

The randsomeware guys will send your swim route data to the hungry sharks in the vicinity of your open water swims. The sharks just care about your swim route, swim speed, and how much of a meal they will get. Given that you swim too fast for them and there is not much meat there to eat, I think after they pay the randsomeware guys for all your data, the sharks will just give up. Just keep swimming fast!!!

Yup, me too.

---

Advanced Aero TopTube Storage for Road, Gravel, & Tri...ZeroSlip & Direct-mount, made in the USA.
DarkSpeedWorks.com.....Reviews.....Insta.....Facebook
--

Yes this is the right thing to do.
They are probably still piecing together their own internal investigation and tracing the breadcrumbs. It takes several days if not a week or more to come up with a plan of action to address the issues. Almost all of the plans will be multi-week/month implementations.
Releasing any details will expose them to the same vulnerability again from other attackers.


Getting hit by itself is not a bad thing. Cyber security (unlike what some political leader says - cyber is really easy my son is really good at computers) is incredibly hard. There is a lot of value in security through obscurity and it is nigh impossible to prevent attacks. You would be surprised how many probes/ attacks happen on an hourly basis on some of the big names that we all know and we hardly ever read about those.

That is a good one !

---

Advanced Aero TopTube Storage for Road, Gravel, & Tri...ZeroSlip & Direct-mount, made in the USA.
DarkSpeedWorks.com.....Reviews.....Insta.....Facebook
--

You are correct, and I have never figured out why people use Strava to begin with, since that "social network of sharing" thing is all that separates it from a platform like Connect.

I'm not a privacy weenie like some people, but I keep my Connect account private.

---

"...the street finds its own uses for things"

I'm liking your logic here, but I found a major flaw in it... I can only ride one bike at a time, so there is always at least one of my most valuable items left behind... n+1 (or 2, 3,.....)

^^^^This.

The Garmin Pay CC data (assuming it wasn't well encrypted) can be sold on the dark web. Also, if hackers have the email addresses and passwords for users they can quickly find the subset that use the same password for Garmin as for their email (if you are in this group, change your email passwords asap)....then they have email access (to those that aren't 2FA). With email access it's easy to see what other accounts you have (banks, credit cards, etc.) and go through the "forgot password" resets on those.

Personally I've deleted Connect off my phone for now. I'm waiting for verification that no malicious updates were pushed while the hackers had access inside Garmin. Right now we know that it was a ransomware attack, Garmin got the decryption key but claims they didn't "directly" pay a ransom for it (interesting wording). We don't know if any data was taken, or if any other compromises were made to their systems. Taking a wait and see on this until we have a fuller picture. For now I can record my rides on the Wahoo phone app and upload to Strava.

---

ECMGN Therapy Silicon Valley:
Depression, Neurocognitive problems, Dementias (Testing and Evaluation), Trauma and PTSD, Traumatic Brain Injury (TBI)

Wherein does it demonstrate that Garmin doesn't take their security seriously and they don't protect it? The fact that we're mostly back online with Connect in less than a week shows that they have significant capabilities to regain control of their network.

---

Washed up footy player turned Triathlete.