back to article Garmin staggers back to its feet: Aviation systems seem to be lagging, though. Here's why

Garmin services appear to be in the process of being restored after the company was reportedly hit with ransomware, though its aviation services remain offline at the time of writing. The company, which makes various navigational and location-tracking services and products, abruptly fell over last week, and continued to stay …

  1. tip pc Silver badge

    My weekend rides synced to Strava this morning

    My weekend rides synced to strava etc, just awaiting relive to ping me. Connect website let me login but then showed the holding page.

    I really enjoy Garmin gear, I hope they get through this stronger.

    It will make interesting reading as to how they got out of this.

    1. Korev Silver badge

      Re: My weekend rides synced to Strava this morning

      >It will make interesting reading as to how they got out of this.

      I really, really hope they didn't pay the (rumoured) ransom demand...

      1. Blazde

        Re: My weekend rides synced to Strava this morning

        Regarding rumours of paying they told Sky they "[do] not comment on rumour and speculation", aka: "yes, we paid".

        1. logicalextreme Bronze badge

          Re: My weekend rides synced to Strava this morning

          And the implication of that, of course, is that they either didn't have backups or their restore procedure was so hinky that it would've cost over $10m to invoke it…

          1. Anonymous Coward
            Anonymous Coward

            Re: My weekend rides synced to Strava this morning

            Or that the ransomeware got into their backups, too

            Obviously, if you could code the ransomeware so that it transparently encrpyted the files (i.e. decrypted on access so no-one notices) for say 3 months with the backup software being served encrypted copies only (i.e. make sure all the backups are encrypted, but also that no-one notices that's what's going on), that'd be the gold standard of stuffing-over your victim. No idea how possible that would be though.

            1. tip pc Silver badge

              Re: My weekend rides synced to Strava this morning

              surely someone would have needed something off a backup in the 3 months so someone should have noted the backups being unencryptable.

              Maybe everyone should test a sample restore once a week as an early warning of ransomware. Would be easy to search backup logs for changed extensions though

              1. Symon Silver badge
                Boffin

                Re: My weekend rides synced to Strava this morning

                rdiff-backup is your man.

                https://linux.die.net/man/1/rdiff-backup

            2. Peter2 Silver badge

              Re: My weekend rides synced to Strava this morning

              It wouldn't be possible since the malware would then need to be installed on every single computer in the firm since otherwise it couldn't decrypt the files transparently.

              And the lockware thing doesn't take out any organisation that takes either security or backups seriously.

              In order to get seriously hit with malware at the moment, you have to:-

              1) Allow your endpoints to run any executable file received. (which is a fail even by the tremendously rudimentary UK Cyber Essentials standard; and preventing this costs zero given that it can be done using just GPO's)

              2) You have to be allowing your endpoints to access any number of files on the network with no access monitoring, controls or restrictions. Users don't tend to legitimately start accessing every file on a network share unless they are copying them all to a USB stick or similar, and so Data Loss Protection procedures should be flagging if somebody starts systematically reading (and altering) every single sodding files on a network share well before they finish doing it.

              3) You have to have no effective backups. The current fashion for online backups with no more than a single restore point because it's cheaper is obviously inadequate against almost almost any use case for backups beyond your office being burned down and staff accidentally deleting things.

              1. Anonymous Coward
                Anonymous Coward

                Re: My weekend rides synced to Strava this morning

                (which is a fail even by the tremendously rudimentary UK Cyber Essentials standard; and preventing this costs zero given that it can be done using just GPO's)

                Or you could be running Windows 7 Clients on a Windows 2000 (not a mistype) domain.

                Yes I've explained why that is bad, no they haven't listened. Anon for rather obvious reasons.

                1. sitta_europea

                  Re: My weekend rides synced to Strava this morning

                  "Or you could be running Windows 7 Clients on a Windows 2000 (not a mistype) domain.

                  Yes I've explained why that is bad, no they haven't listened. Anon for rather obvious reasons."

                  You're not the only one.

                  In 2016, the only reason they let me replace the Windows 2000 server was because it died.

                  1. Jan 0 Silver badge

                    Re: My weekend rides synced to Strava this morning

                    At what date did "Shadow Copy" enter Windows Server OSes? Shouldm't that have been in Garmin's DR plan?

                2. Peter2 Silver badge

                  Re: My weekend rides synced to Strava this morning

                  Oh my. And I thought I was hard done by having only just gotten shot of Server 2008.

                  My profoundest sympathies. I'd post you the 2008 discs and licenses, but alas I don't have anywhere near the number of CALS that you'd need. (and while you can do that in Europe, I don't think you can in the US...)

              2. cyberdemon
                Devil

                decrypt on access

                >It wouldn't be possible since the malware would then need to be installed on every single computer in the firm since otherwise it couldn't decrypt the files transparently.

                Wouldn't it still be possible if you have an infected fileserver?

                Especially one like we had at work - a bunch of Windows Server instances running under Hyper-V, on a big, monolithic host; with the Hyper-V host being the thing connected to a vast storage array on SAN, which is itself regularly backed up.

                If the Hyper-V host were infected, then you and your backups are toast. But can still decrypt-on-access until the backups are flushed

                This Hyper-V host had our domain controller, DNS server, various network drives, our Confluence internal wiki, JIRA, Bitbucket (GitHub style repository), Bamboo (CI/CD)..

            3. logicalextreme Bronze badge

              Re: My weekend rides synced to Strava this morning

              Ah yeah, sorry; I have a habit of meaning "offline backups" when I just say "backups". You (hopefully) learn early and safely that if you don't have tested offline backups, then you don't have backups :D

    2. This post has been deleted by its author

      1. Anonymous Coward
        Anonymous Coward

        Re: My weekend rides synced to Strava this morning

        My garmin devices work just fine without connecting to the net, just better when I can use cloud services.

      2. Anonymous Coward
        Anonymous Coward

        Re: My weekend rides synced to Strava this morning

        What third party cloud sync service would that be?

        Who says that their websites such as Garmin Connect are “in the cloud”?

    3. tip pc Silver badge

      Re: My weekend rides synced to Strava this morning

      I should have added that my Garmin synced over WiFi while it was in standby.

  2. eldakka Silver badge
    Coat

    How is Garmin going to navigate it's way out of this?

    1. Magani
      Coat

      At the roundabout, turn...

      ...over $10 million.

  3. Zarno Bronze badge

    I can only hope they have ample cached waypoints to recover from.

    I am a bit miffed they no longer supported the original yellow eTrex for week rollover, the poor unit is stuck so far back in time it can't seem to get a good quick lock in clear skies anymore.

  4. Eclectic Man

    Still no sync

    Just tried to sync my Forerunner 645, no joy :o(

    1. Korev Silver badge

      Re: Still no sync

      My Forerunner 945 isn't syncing, but has synced some stuff from earlier on though...

  5. This post has been deleted by its author

  6. NordieBoy

    WiFi sync working

    Forerunner 935 just synced over WiFi.

    Connect app still not working.

  7. YetAnotherJoeBlow

    Hmmm

    I spend all week hacking on a program and I get a nice paycheck - they spend a week hacking on a program and get millions. It just makes you think does it not? My arsehole is too tight for prison work though.

    1. Mark192 Bronze badge

      Re: Hmmm

      The intermediary that handled the exchange of money and decryption key probably has the best effort vs reward ratio going here.

      1. tip pc Silver badge

        Re: Hmmm

        aka the broker

        could also be called insurrance

        keep an eye on the accounts for ~$10m for recovery services.

      2. logicalextreme Bronze badge

        Re: Hmmm

        They're always the fun ones in TV shows too. Think Mark Sheppard types.

  8. John Smith 19 Gold badge
    Devil

    "EvilCorp"

    Pretty much does what it says.

    Refreshingly un Orwellian.

    1. I am the liquor

      Re: "EvilCorp"

      They should've hired Allsafe.

      1. logicalextreme Bronze badge

        Re: "EvilCorp"

        We're torn between Allsafe and Doubleplus Trustgood at the moment.

  9. Korev Silver badge
    FAIL

    Ransom paid?

    This article suggests that Garmin paid up, I really hope that wasn’t the case as it’ll just lead to other places being hacked. If that happened then Garmin may have broken American law which could be “fun” for the Company.

  10. fpx
    Black Helicopters

    "We have no indication that any customer data [...] was accessed." They don't know how the hackers got in, yet they are perfectly certain that no customer data was lost. Right. You can be certain that the hackers downloaded a few terabytes over the past months. Now that they know that they can squeeze Garmin for $$$, blackmail over customer data may be next.

    I use my Garmin 235 offline only. While they keep nudging you to use Garmin Connect, I do not want to upload my tracking data to the Cloud. When I connect my 235 to a PC, it shows up as a disk drive, and I can copy the FIT files. Frustratingly, there do not seem to be any remaining offline tools to read and view them. There used to be SportsTracks, but their offline version 3 (which I still use) is end of life-d; they are nudging me to upgrade to their new cloud-based version.

    Black helicopter, because it's the most navigation-themed icon here.

    1. Anonymous Coward
      Anonymous Coward

      the ransom people encrypted the files at Garmin, there is no reason to offsite the data too. Either Garmin do a full restore from archives, or they pay for the unencrypt service from the hackers, intermediary's or specialist companies that deal with such matters.

      Smart criminals will pitch the unencrypt codes at under the cost of lost sales, business disruption and fees to firms to unencrypt, restore and clean up.

      If all your systems are automated you stand a better chance of recovering quickly. restoring 10+ systems (solutions spanning multiple servers each) from backups would likely cost more than the ransom for most firms as they just won't have the staff to do it quicker than getting the key and being up and running in a few days.

    2. storner
      Holmes

      "We have no indication ..." basically means "we didn't look for it".

      1. NightFox

        I think Garmin will have been through their systems looking at absolutely *everything* over the last few days before making the decision to bring it back online.

        The general assumption seems to be that because everything Garmin went down, everything had been infected by the ransomware, but I'd suggest it's more likely that once Garmin discovered the malware in one segment of their system, they pulled the plug on everything as a precaution and much of the recovery has involved ascertaining how far the infection had spread, and whether there were open routes of (re)infection between segments before turning them back on. The last thing they would want is to turn on the recovered system only for it to immediately get re-infected by their Building Management System that everyone had forgotten about.

      2. 0laf Silver badge
        FAIL

        The security of our customers data is our higest priority (have they said this yet?)

        It's been a long time since I've seen a large company do security well. In fact I'm not sure I've ever seen it done well by a large company.

        I've no doubt if any more comes from this story the response will be that this was a "sophisticated attack", "nation state" etc etc.

        Then we'll find out through backdoor channels that the beancounters have once again been at it and that staff get no security training, security is neglected to pad the bottom end and servers went unpatched because no one would accept downtime.

        They probably got nailed by a phish to the CEO that said "hey Bro forgot to send coolz pics to you clik here to download them, btw password is eg0maniac". The sort of CEO that demands domain admin access and unfiltered internet coz he's the CEO and problems are for others to sort.

    3. Anonymous Coward
      Anonymous Coward

      Offline .fit readers

      "Frustratingly, there do not seem to be any remaining offline tools to read and view them."

      GPXsee for basic track and heart rate data. GoldenCheetah for (really very) detailed analysis - perhaps more cycling than running oriented.

      1. Anonymous Coward
        Anonymous Coward

        Re: Offline .fit readers

        and there are Python and R libraries to handle .fit so you can roll your own...

  11. Andy Nugent

    Affected more than online services

    "Additionally, the functionality of Garmin products was not affected, other than the ability to access online services"

    That's not strictly true, as at least with my 735 watch, sync between watch and phone doesn't work without a connection to Garmin.

    Why they've intertwined syncing between phone & watch with the uploading to Garmin Connect is beyond me.

  12. gr00001000
    Holmes

    decryption key FTW

    What a bunch of cynics some of you are. They may not have paid. There are cases working with CERT teams where decryptor keys have been created and tested and supplied to sites. Don't forget all the malware and ransomware reverse engineers out there folks.

    1. JCitizen Bronze badge
      WTF?

      Re: decryption key FTW

      If these really are Russian government sponsored bad actors, do you really think it is going to be that simple? They aren't amateurs you know!

  13. David Nash

    Down for "Maintenance"

    I didn't hear about this until today, but it explains why, when I went for my run on Sunday, the Connect app said they were down for "maintenance".

    Today the app says they are coming back and thanks for having patience.

  14. Will Godfrey Silver badge
    Unhappy

    Difficult

    I can think of only one way this could be stopped, and it would initially be very hard on the victims.

    Jail time for whoever authorises a ransom payment.

    1. NightFox

      Re: Difficult

      Payment of ransom for kidnap is illegal in some countries as an attempt to deter kidnap, but it generally fails because:

      a) Consultants who support victims through the negotiation process know how to make payments discretely and work around such laws

      b) It makes victims less likely to report the incident to the authorities, actually making it easier for kidnappers to operate.

      Same logic applies to ransomware.

  15. Symon Silver badge
    Stop

    Want to mitigate ransomware?

    Use https://linux.die.net/man/1/rdiff-backup

  16. Anonymous Coward
    Anonymous Coward

    Running the Gauntlet

    Clearly another company that has learnt the hard way that Information Security threats can be existential.

    I'd bet a years income that InfoSec personnel in Garmin have been fighting an uphill battle for resources and money and commitment from the board - maybe now they'll listen although I suspect the first words out their mouths will be "How could this happen, we spent $50 last year on CyberSecurity?"

    Board members do tend to be particularly hard of thinking when it comes to Information Security.

    1. Eclectic Man

      Re: Running the Gauntlet

      A company which decides its application architecture requires people to upload personal data via a smartphone to a central server, and then download the same data from those servers onto the smartphone (but not to store it there) for viewing has more intellectual challenges than only spending a few $$$ on InfoSec last year.

      (And yes, before you ask I have a Garmin Forerunner 645, and am NOT AMUSED by this mostly easily avoidable fiasco.)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020