Garmin Users Furious as Ransomware Freezes Firm

If you have a Garmin IoT thing, it’s probably fairly useless right now. That’s because the company is paralyzed after a ransomware attack.

Or, at least, that’s what Garmin employees say. The official line is that everything’s down for maintenance—nothing to see here, move along.

Yeah, right. And what about professions such as aviation and trucking—who can’t exist without Garmin helping them comply with regulations? In today’s SB Blogwatch, we stand still.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Violating sausages with 250 volts.

Where Was I?

It started with reports such as this, from Andrew Martonik—“Garmin dealing with massive service outage”:

 If you’re having trouble syncing your phone with your Garmin smartwatch, it’s not your fault. Garmin Connect has been suffering an outage that has stretched on for several hours.

At first, the company tried to brush it as a maintenance issue that was being quickly addressed. As the hours stretched on, it eventually admitted it was suffering an outage that affected almost every consumer-facing area, including its app [and] site. … The outage is also keeping its forums and customer service offline.

Suspicious much? Catalin Cimpanu cracks the code—“ransomware attack”:

 The company is currently planning a multi-day maintenance window to deal with the attack’s aftermath, which includes shutting down its official website, the Garmin Connect user data-syncing service, Garmin’s aviation database services … some production lines in Asia [and] its call centers, leaving the company in the situation of being unable to answer calls, emails, and online chats sent by users.

Pilots have told [me] they haven’t been able to download a version of Garmin’s aviation database on their Garmin airplane navigational systems. Pilots need to run an up-to-date version of this database on their navigation devices as an FAA requirement.

It also remains unclear if any customer data has been lost or stolen. … Over the past several months, ransomware gangs have modified their modus operandi to also include data theft besides file encryption.

A Garmin spokesperson declined to confirm that the outage was caused by a ransomware attack. [But] several Garmin employees took to social media to share details … calling it a ransomware attack—[some] attributed the incident to a new strain of ransomware that appeared earlier this year, called WastedLocker.

Trouble in Taiwan? 黃彥棻 is lost in translation—“Garmin is suspected of being attacked by ransomware”:

 Garmin (Taiwan International Avionics), a well-known GPS and wearable device manufacturer in Taiwan, is suspected of being hacked. The IT department sent a notice to various departments in Taiwan stating that internal IT servers and databases … were attacked by a virus … and production lines were also suspended.

Some users of Garmin wearable devices said … some historical data of physiological information stored in their wearable device disappeared. Users are worried about whether there is a risk of leakage of relevant sensitive information.

It records a lot of personal, sensitive physiological information and exercise data from wearable devices. … There is a lot of uncertainty regarding the extent to which Garmin implements the protection of its sensitive personal data.

They are the egg men. I am the walrus01: [You’re fired—Ed.]

 Two weeks ago I posted that I was suspicious of using ‘cloud’ based fitness data aggregation systems. … In this case I hate to be proven right

There’s lots of road cyclists out there with $750 useless watches now. I can tell you that after this event the odds of me ever purchasing a Garmin device that relies on anything ‘cloud’ based have even further decreased.

[Given] the very lengthy downtime, it really sounds like Garmin’s network was owned quite thoroughly. … How can anybody have any degree of trust that all of their previously uploaded data has not been stolen?

Is there some group out there now in possession of hundreds of thousands of .gpx files with detailed tracking points of peoples’ residences … and what times of the day they’re usually away from home? Nobody knows.

Scary. And this Anonymous Coward only has sweary schadenfreude:

 I deleted my Garmin account about five years when it was apparent that Garmin had absolutely no interest in allowing me to transfer and store my [data] locally. I contacted them multiple times regarding privacy concerns over them harvesting activity data, but they didn’t give a ****.

All I can say now is too bad—and **** you Garmin. You reap what you sow.

But sbrbrad has nothing but good things to say about the unfortunate company:

 When they couldn’t fix my 2–3 year old watch, they just had me mail it in and they sent me a refurb’ed replacement. Nothing but good experiences over here.

Consumer IoT services are one thing, but what are the professional implications? fdragon breathes ffire:

 Software for Air is down. This is going to have the effect of breaking the ability to get accurate data needed to file a flight plan. … This could result in … grounding of a number of flights for the duration.

Truck Electronic Records Keeping, used by long haul truck driving is likely affected. … Depending on jurisdiction, and cargo, this could result in the trucks having to be halted for the duration as they would not be able to provide proof of compliance.

Which causes civil_engineer to be uncivil:

 Oh man. I was mildly amused that people couldn’t access their fitness history. I just tried to … update my aircraft’s aviation databases, and this **** just got real.

My airplane is grounded. … I pay Garmin $865/year for subscription. There are thousands of aircraft in the same predicament.

When will this end? fengilitious has a clue:

 This ends when executives realise that IT is no longer optional. You need quality, well paid IT professionals.

Companies that have a catastrophic data loss are typically dead in the water within 3 years.

Meanwhile, although Lio’s tongue is firmly in their cheek, this is what our world has come to:

 I do wonder if my ride this morning actually happened because it’s not on Strava.

And Finally:

Clive had me at, “Expose some fresh sausage.”

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Mabel Amber (via Pixabay)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 452 posts and counting.See all posts by richi