
Will Garmin Pay $10M Ransom to End Two-Day Outage? - bequanna
https://www.forbes.com/sites/barrycollins/2020/07/25/will-garmin-pay-10m-ransom-to-end-two-day-outage/
======
zxcvbn4038
Too bad, I love Garmin’s products. If you ever have to make a detour someplace
where the cell service isn’t great, you want to have one of their GPS units. I
don’t trust any phone apps outside of a major city. But it sounds like they have
some serious IT issues if hackers can cause this much disruption; you would
think there should be some compartmentalization between the personal and
professional products, and between manufacturing and web presence. You can bet
there will be after.

~~~
sukilot
What's wrong with offline maps on a phone?

~~~
petee
Some Garmin devices can receive traffic data via radio, which your phone can't
do. Garmin also usually has business names and gas stations, whereas I've
found Google maps offline will only let you navigate to a specific address
(Android), and it's reliant on you remembering to store the map offline. If
you found yourself in an area without signal, and you didn't pre-save, you'd
be screwed, which I've had happen plenty of times.

Personally I use offline maps, but only on specific trips where I know for
sure I'll have no data.

~~~
zxcvbn4038
It’s one of those always-be-prepared things. I was making a routine trip
through Albuquerque once where, just outside of Tucumcari, I encountered a
traffic jam from a huge crash involving many vehicles and fatalities that
ended up closing both directions of the interstate for ten hours. I managed to
get off onto a farm road and found a path around the accident: fifty or sixty
miles of two- and one-lane farm roads, barely populated, at dusk. Passed more
rabbits than cars. Twice I had to get out and check what was on the other side
of the hill I was about to drive over. But it turns out they were real roads and
I made it to Albuquerque in time for a really late dinner at Waffle House. The
interstate opened back up about six hours later. Would I ever have attempted
that with only a phone? Never. If my route got cleared for any reason I’d have
been in a bad situation. I don’t trust that a phone app would have downloaded
enough information to even compute an epic detour like that; I went well over
thirty miles away from the original route before reaching the road that went
back.

------
petee
I'd be shocked if they ever admit it was ransomware. Besides nearly no public
response, what they finally put out still just frames this as an "unfortunate
outage", sidestepping the reality of a (likely) massive data breach.

I _am_ shocked that once again another company is willing to do their brand
serious damage by keeping quiet and not trying to allay customers' fears of
stolen information, compromised app updates, and $800 paperweights.

Pilots can't update their flight databases, an FAA requirement, nor upload
flight plans, so it's more serious than some are claiming. And yet, near
silence.

~~~
sukilot
How can they allay fears after the information was already stolen?

~~~
petee
By not saying anything, they're actually adding to the fear, rational or not.
Ransomware is headlining, and they're pretending it isn't happening.

Simply stepping up and admitting it at least allows their customers to take
steps to protect their data, credit cards, change passwords, etc.

~~~
sukilot
Customers don't need to be "allowed" to protect their data.

I promise you that several major companies have already been quietly breached
and credentials stolen.

> credit cards, change passwords

Are already stolen, Garmin hack or not.

1. Your credit card number is public. Deal with fraudulent activity in the
usual way.

2. Passwords should be unique. Non-unique passwords are already stolen, and
unique ones probably are. 2FA and suspicious login detection is what protects
you.

~~~
petee
I used 'allow' as in, "take into consideration", not "allowed to do
something."

You're not wrong, but the huge difference is knowing about specific attacks
versus constantly assuming your data is always compromised. Changing your
password daily, and canceling your credit card for a new number daily,
regardless of breach, is basically what you're suggesting.

Further, we still don't even know if it is in fact a hack, which is the point.
If they simply came out and said that their production line got ransomware,
but user databases were unaffected but taken offline as a precaution, that would
go a long way to suggesting what level of mitigation is necessary.

------
VUFA4DF50E
My Android phone is now giving me a notification of an updated version of Garmin
Connect and I am feeling reluctant to install it. Does anyone know, is there any
way to verify that the changes are safe? (Changelog, audit, integrity check.)
Does Google Play verify an update in a case like this? I don't know how this
works.

In a scenario where Garmin is completely compromised, is it unthinkable that
the attacker could also distribute malicious updates to millions of devices?

------
gentleman11
If governments made it illegal to pay ransoms, this sort of thing would happen
100x less often. What did they always say in 90s action movies: “the policy of
this administration is to never give in to terrorist demands”?

~~~
petee
A bleepingcomputer article linked below mentions it's possible Garmin would be
violating US sanctions by paying the ransom, since Evil Corp (the supposed
operators of this ransomware) was sanctioned by the US Treasury department.

[https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/](https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/)

------
sukilot
Garmin's tight-lipped statement

[https://www.garmin.com/en-US/outage/](https://www.garmin.com/en-US/outage/)

------
intro-b
Garmin's stock price has dipped slightly since the beginning of the reported
outage and ransomware news and may continue to do so. I speculate perhaps
these actors might also double-dip on their attack by both ransoming the data
and selling/purchasing options on the company's underlying stock, especially
if they are more aware of how much damage they're able to inflict than the
company themselves.

------
m-p-3
Hopefully it's going to be a wake-up call to make their connected devices and
software a bit more resilient in case of an outage.

Or maybe I'm too optimistic.

------
yalok
Anecdotally, my son got Vívofit jr for his birthday on Thursday, we tried to
set it up and couldn’t... the app was reporting server error that day and the
next day. The only thing I could think of was that they don’t have any
monitoring for their server APIs... but this explains it.

