Lessons Learned From The Garmin Cyberattack

In the cybersecurity industry we deal with news of breaches or potential threats nearly every day, but when you really think about it, it is strange how little these events affect our everyday lives. Yes, they affect the professional lives of many and have serious business consequences, but perhaps one reason for the lack of urgency society seems to show on the issue is that these tend to be fairly low-visibility events for the average person. Even something like the Target or Capital One breaches happened at a remove for most people in the world, with little impact on our daily lives.

Cybersecurity Comes Home

All that changed for me last week when Garmin was hit by a cyberattack. As a competitive racing cyclist, I rely on data to guide my training, and use a Garmin Edge computer to get my stats. I use the Garmin Connect app to send my ride data to Strava to brag to my friends and to TrainingPeaks for my coach to review my performance. Normally at the end of my ride the data would automatically upload to Garmin Connect over Bluetooth, and then bridge to the other apps. It's so seamless I never think about it... at least I didn't until the ride failed to upload. Not only did it fail to upload, the Connect app wouldn't even start. I found myself unable to log into my account online, and the website was down. Turning to support forums, and eventually Twitter, it looked like Garmin was having an outage that was throwing the entire fitness world into a meltdown. After all, how can you claim Alpha Dog status on that last run or ride if there's no data to prove it?

Initially I shrugged it off, and figured it would be back up shortly. When I tried again that night, however, Connect was still down, and rumors were swirling that Garmin had been taken down by a ransomware attack that impacted websites, corporate email, apps, and even call centers. Not only was the fitness business impacted, but so too were their other products. Some car navigation units were reduced to useless bricks, and more worryingly the flyGarmin units and Garmin Pilot app, essential for aviation GPS navigation, were no longer able to update as required by the FAA, posing a serious danger to pilot and aircraft safety.

That night I started getting anxious thinking about how much data Garmin had on me. My name, email address, where I live, where I can be found at 7:00 AM most mornings, who I ride with, and who my emergency contacts are. Even beyond that, my Garmin data is shared with at least four other apps I can think of off the top of my head, which contain even more data. Is that vital or even valuable info? Maybe not. But those feel like deeply personal details I didn't want in the hands of bad actors. Were any of those account passwords shared? Could I disable the authorization on the partner app's end, or did it have to be done in Connect? Even if Garmin paid the ransom, how would I know my data was safe? Had any data been altered, and were their maps and GPS still trustworthy if they came back online?

The Security Perspective

Much of the cycling press has focused on the "how did this happen" part of the narrative. I've been around this industry long enough to know we're probably never going to know the answer to that, nor should we. Rumor has it (although Garmin has not confirmed) that it was the WastedLocker ransomware, and that the malicious actors demanded $10 million in ransom payments, placing Garmin in an impossible situation that is the stuff of CISO nightmares: pay the ransom, recover the data and make customers happy but face possible sanctions, or try to wait it out and overcome the situation, risking the ire of customers and the potential loss of all your data.

To me, what this incident shows is that unfortunately it's not just banks or large corporations that can be the targets of these types of attacks; companies like Garmin may face the most risk from cyberattacks in general, and ransomware in particular. Why? Because if you were under the impression that Garmin is a hardware company (as I was), this incident should serve as a stark reminder that it is really a services company, and without those internet-connected services and the infrastructure that underlies them, the devices are just chunks of plastic. Any prolonged outage of service means consumers will simply move on to a different product, or lose faith that their data will be secure going forward. Such companies are often dependent on a huge digital footprint to keep their business operating, with multiple cloud instances, databases, domains, and developers and their associated apps all over the world. It's a huge attack surface that needs to be managed.

Attack Surface Management

So what exactly does attack surface mean, and what is attack surface management? In a nutshell, it's looking at the entirety of your digital footprint and viewing it as a perimeter or surface that bad actors can probe for weaknesses. When a weakness or vulnerability is found, that's usually their way in. Nobody can say for sure, but this could very well be what happened with Garmin. It could have been something as simple as a misconfigured app in a cloud service, or a vulnerable domain that had been sitting long forgotten.

Back in the day, managing your attack surface used to be simple, as your attack surface was usually the four walls of your office space. The servers sat in the basement, the endpoints sat on the desks, and the firewall sat between your business and the internet. Clearly this is no longer the case: the attack surface has expanded rapidly, and may no longer even be under the security team's management. With everyone turning to the cloud for everything, regional offices setting up their own IT stacks and spinning up new domains, and mergers and acquisitions bringing in new domains and assets that may not be properly cataloged or inventoried... there's a lot to keep track of, which means there are a lot of vulnerable points in the attack surface. Working from home in the age of COVID has added an even deeper layer of risk, with remote workers connecting to WiFi networks that, according to recent Bitsight data, are some of the dirtiest out there when it comes to malware.

The best way to approach attack surface management is to focus on visibility. After all, you can't secure what you can't see. Asset discovery is one of the most important investments a security team can make; investing in all the best defensive security tech out there is useless if you don't know where or how best to deploy it. When you get full visibility into your attack surface, you can see not only the status of the assets you know you have (which is still important), but also the assets you don't know you have. Whether it's shadow IT or things that simply fell through the cracks over the years, seeing the entire attack surface is crucial for putting together a proper security program that can focus on the best remediation options. It could be that you need more training on the shared responsibility model, or need to invest in better cloud app firewalls, or simply need to hunt down and retire old assets that are no longer necessary.
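As an added illustration of the visibility point (example code written for this post, not a Bitsight or Garmin tool), here is a small reconciliation of an asset inventory against what an external discovery pass observed. Every hostname, owner and date is constructed, using the reserved `.test` domain, and the inventory and observation formats are assumptions.

```python
from datetime import date

# Constructed sample data: what the security team believes it owns.
# An "owner" and a "last_reviewed" date are assumed inventory fields.
INVENTORY = {
    "www.example-fitness.test": {"owner": "web", "last_reviewed": date(2020, 6, 1)},
    "api.example-fitness.test": {"owner": "platform", "last_reviewed": date(2020, 7, 10)},
    "legacy-promo.example-fitness.test": {"owner": "marketing", "last_reviewed": date(2017, 3, 2)},
    "cdn-old.example-fitness.test": {"owner": "web", "last_reviewed": date(2019, 1, 15)},
}

# Constructed sample of what external discovery (DNS records, certificate
# transparency logs, cloud API listings) actually found live on the internet.
OBSERVED = [
    "www.example-fitness.test",
    "api.example-fitness.test",
    "legacy-promo.example-fitness.test",   # still live, last reviewed years ago
    "dev-sync.example-fitness.test",       # nobody inventoried this: shadow IT
    "emea-staging.example-fitness.test",   # spun up by a regional office
]


def reconcile(inventory, observed, today, review_after_days=365):
    """Bucket hosts so each one has an obvious next action for the security team."""
    inv, obs = set(inventory), set(observed)
    return {
        # known and live: in scope for normal vulnerability management
        "managed": sorted(inv & obs),
        # live but unclaimed: find an owner or take it down
        "unknown": sorted(obs - inv),
        # inventoried but not seen: retire the record or fix discovery coverage
        "missing": sorted(inv - obs),
        # live and known, but nobody has looked at it recently: review or retire
        "overdue_review": sorted(
            h for h in inv & obs
            if (today - inventory[h]["last_reviewed"]).days > review_after_days
        ),
    }


def report(result):
    """Render the buckets as one line per host for a ticket or a dashboard."""
    return "\n".join(f"{bucket:15} {host}" for bucket, hosts in result.items() for host in hosts)


if __name__ == "__main__":
    print(report(reconcile(INVENTORY, OBSERVED, date(2020, 8, 1))))
```

The "unknown" and "overdue_review" buckets are where forgotten domains and shadow IT surface; in practice the observed list would come from a recurring discovery job rather than a hard-coded sample.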

As I said above, we'll never truly know the cause of the Garmin breach, but such a high-profile targeting of a consumer-services company should serve as notice to CISOs and business leaders everywhere that it's time to start paying your attack surface the attention it deserves.

Wrapping It Up

In retrospect, I don't think I've ever thought about how little collision there's been between my personal and professional life. That's something I don't think too many security pros really take time to fully appreciate. But in this case, unfortunately, the very real danger faced by modern businesses with extensive attack surfaces was brought home. I should feel fortunate that it wasn't my bank that was compromised, and that Garmin had no payment information on record for me. But at the same time, the impact on many consumers has been made very material, and should reinforce the urgency with which companies of all sizes and in all industries need to invest in security and in managing their attack surface.