The Garmin Hack

And why you should care about it.

Can Garmin be trusted with your (very) personal data? Probably not! The cycling press has covered this hack fairly extensively. But it doesn’t feel like the seriousness of the data breach has been appreciated. One commentator described the data as being “ride data… that is anonymised”. (They did go on to acknowledge that the acquisition of lots of data meant more data points and so greater exposure, but they still suggested the risk to individuals was low.)

The reality is that this was a very serious breach and given the lack of evidence to the contrary we must assume that all of the highly personalised data held by Garmin has been affected.

Garmin have not responded well publicly. As a user I haven’t seen a breach notification (an ICO requirement). And they appear to have simply reset their workstations/infrastructure rather than doing a fresh install (https://www.bleepingcomputer.com/news/security/confirmed-garmin-received-decryptor-for-wastedlocker-ransomware/).

In answer to a FAQ asking “Was my data impacted as a result of the outage?” on their website, Garmin state that:

We have no indication that any customer data, including payment information from Garmin Pay, was accessed, lost or stolen.

https://www.garmin.com/en-GB/outage/

And given the nature of the attack and the vast amount of data concerned this is plausible. However, the data is still sensitive, personal data. It is this particular question I want to address.

What is the personalised data that Garmin collects?

Location:

GPS location points/ mapping

  • these can easily be collated to give an exact fix on an individual property.
  • these can be used to show personal routines (visits to the gym, shopping, and affairs).
  • work and home locations.
  • ride and running/walking routes (including start and end points).

These points alone are not anonymised in any meaningful way, as has been repeatedly demonstrated, and they expose highly personalised behaviours.
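As an added illustration (not code from the original post or from Garmin), the following Python shows the mitigation a data holder or sharing platform can apply to the start/end-point problem described above: dropping every point inside a privacy zone around the home before a track is shared, together with a check of how close the retained track still comes to that location. The home coordinates and the ride are constructed sample values.

```python
import math

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points given in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat = lat2 - lat1
    dlon = lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def trim_privacy_zone(track, centre, radius_m):
    """Drop every track point within radius_m of centre before the track is shared."""
    return [p for p in track if haversine_m(p, centre) >= radius_m]


def min_distance_to(track, point):
    """Residual-exposure check: how close does the retained track still come to point?"""
    return min(haversine_m(p, point) for p in track) if track else math.inf


# Constructed sample data: a home location and a short out-and-back ride that
# starts and ends at the front door (0.001 deg of latitude is roughly 111 m).
HOME = (51.5000, -0.1200)
RIDE = [(51.5000 + 0.001 * i, -0.1200) for i in range(0, 11)]
RIDE += list(reversed(RIDE[:-1]))


def exposure_before_and_after(track, home, radius_m=500):
    """Return (closest approach of raw track, closest approach after trimming) in metres."""
    shared = trim_privacy_zone(track, home, radius_m)
    return min_distance_to(track, home), min_distance_to(shared, home)


if __name__ == "__main__":
    raw, trimmed = exposure_before_and_after(RIDE, HOME)
    print(f"raw track comes within {raw:.0f} m of home; trimmed track within {trimmed:.0f} m")
```

The raw track touches the home location exactly, while the trimmed version never comes within the 500 m zone; shorter rides that never leave the zone are dropped entirely, which is the intended behaviour.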

Health

Power output – strength and condition (health)
Cadence – condition, speed (general physical wellbeing, health)

Additionally with the Watch:
Heartrate,
Training stress level indicators,
Steps,
Sleep pattern,

Gym sessions – weights and related metrics.

Fluid intake – I use this feature to track my fluid intake periodically. Again this is an indicator of health but also of how someone cares for themselves.


Whether these metrics are as accurate as the maker would like us to believe is irrelevant as they give a perceived indication of underlying health and collectively expose sensitive personal information.

Financial health

Kit record:
The watch, app and bike GPS all record kit.
Taken together, and like it or not, this information is a good indicator of your income bracket!

Your activity type (ski, fish, run, walk, hike, mountain bike, road bike etc.) – revealing your interests and income bracket.

Conclusion

This is a non-exhaustive list of the data collected by Garmin in the outdoor and fitness field alone.

The health data points are many and, when combined, are sufficient to tell someone’s general physical well-being. The location data is enough to expose their home address, or at least their postcode (income bracket); it also exposes their work address, potentially whether they are self-employed or employed, their shopping habits and any extra-marital habits. The kit data exposes spending patterns and income, while the data collected by the watch and app altogether can paint a picture of health. The collective data will also reveal likes and dislikes and information about your holiday habits!

The data collected by Garmin exposes far more about ourselves than I think most of us would be comfortable with. And even just a few of these data points put together can identify individuals.