Category: IT

  • The Garmin Hack

    And why you should care about it.

    Can Garmin be trusted with your (very) personal data? Probably not! The cycling press has covered this hack fairly extensively, but it doesn’t feel like the seriousness of the data breach has been appreciated. One commentator described the data as being “ride data… that is anonymised”. (They did go on to acknowledge that the acquisition of lots of data meant more data points and so greater exposure, but they still suggested the risk to individuals was low.)

    The reality is that this was a very serious breach and, given the lack of evidence to the contrary, we must assume that all of the highly personalised data held by Garmin has been affected.

    Garmin have not responded well publicly. As a user I haven’t seen a breach notification (an ICO requirement). And they appear to have simply reset their workstations/infrastructure rather than doing a fresh install (https://www.bleepingcomputer.com/news/security/confirmed-garmin-received-decryptor-for-wastedlocker-ransomware/).

    In answer to a FAQ asking “Was my data impacted as a result of the outage?” on their website, Garmin state that:

    We have no indication that any customer data, including payment information from Garmin Pay, was accessed, lost or stolen.

    https://www.garmin.com/en-GB/outage/

    Given the nature of the attack and the vast amount of data concerned, this is plausible. However, the data is still sensitive, personal data, and it is this particular question I want to address: what exactly does Garmin hold?

    What is the personalised data that Garmin collects?

    Location:

    GPS location points/mapping

    • these can easily be collated to give an exact fix on an individual property.
    • these can be used to show personal routines (visits to the gym, shopping, and affairs).
    • work and home locations.
    • ride and running/walking routes (including start and end points).
      These points alone are not anonymised in any meaningful way, as has been repeatedly demonstrated, and they expose highly personalised behaviours.

    Health

    Power output – strength and condition (health)
    Cadence – condition, speed (general physical wellbeing, health)

    Additionally, with the watch:
    Heart rate
    Training stress level indicators
    Steps
    Sleep pattern

    Gym sessions – weights and related metrics.

    Fluid intake – I use this feature to track my fluid intake periodically. Again this is an indicator of health but also of how someone cares for themselves.


    Whether these metrics are as accurate as the maker would like us to believe is irrelevant, as they give a perceived indication of underlying health and collectively expose sensitive personal information.

    Financial health

    Kit record:
    The watch, app and bike GPS all record kit.
    Taken together, and like it or not, this information is a good indicator of your income bracket!

    Your activity type (ski, fish, run, walk, hike, mountain bike, road bike etc.) – revealing your interests and income bracket.

    Conclusion

    This is a non-exhaustive list of the data collected by Garmin in the outdoor and fitness field alone.

    The health data points are many and, when combined, are sufficient to describe someone’s general physical well-being. The location data is enough to expose either their home address or at least their postcode (income bracket), exposes their work address and potentially whether they are self-employed or employed, and reveals shopping habits and extra-marital habits. The kit data exposes spending patterns and income, while the data collected by the watch and app together builds up a picture of health. The collective data will also reveal likes and dislikes and information about your holiday habits!

    The data collected by Garmin exposes far more about ourselves than I think most of us would be comfortable with. And even just a few of these data points put together can identify individuals.

  • Snap off

    Ubuntu’s snap is intended to aid the user experience. It doesn’t always do so.


    If you have ever tried to open a file from the web in Ubuntu and been met with the error message “file not found”, “file does not exist” or “permission denied”, the culprit could well be SNAP.

    With the release of Ubuntu 20.04 Canonical has made some major changes from its last significant offering, 18.04 (19.04 wasn’t really worth much). All in all, it’s a release that has some worthwhile features but also a few annoyances. I’m going to outline one of those annoyances.

    The annoyance

    When you install LibreOffice from the Ubuntu Software Centre it is installed as a snap.

    Issues can then arise when attempting to open documents or attachments that are not saved locally (i.e. files that would typically be stored only temporarily).

    For example, you receive an email with a Word doc attached and think “I’ll click to open without saving”. You click and watch as LibreOffice seems to do its thing, only to be presented with an error message telling you that the doc you tried to open doesn’t exist.

    This is clearly quite frustrating.

    So what’s happening? Well, it seems that SNAP doesn’t allow temporary access to files opened online. Fair enough, but it’s very annoying and the implications are not obviously documented. There are a few solutions floating about online. All basically tell you to do the same thing, namely change the location of your tmp dir.

    Personally I think this is wrong and sidesteps rather than solves the issue. My solution (though perhaps equally imperfect, as it sidesteps some of the protections SNAP is intended to offer) is:

    Uninstall LibreOffice from SNAP.

    Reinstall from the repo with APT.

    sudo apt-get update
    sudo apt-get install libreoffice
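    The two steps above as one script, added here as an example rather than taken from the original post: it works out whether LibreOffice is the snap or the apt package by reading `snap list` and `dpkg-query` output, removes the snap build if present, and installs the apt package. It assumes the snap and the Debian package are both simply named `libreoffice`, as in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Run with --report to see which
# LibreOffice is installed, or --apply to replace the snap with the apt package.
set -eu

# Decide where LibreOffice came from, given the text of `snap list` ($1) and of
# `dpkg-query -W -f='${Status}\n' libreoffice` ($2). Prints: snap, apt or none.
# Both inputs are passed in as text so the logic can be checked offline.
libreoffice_source() {
    if printf '%s\n' "$1" | awk 'NR > 1 && $1 == "libreoffice" { f = 1 } END { exit !f }'; then
        echo snap
    elif printf '%s\n' "$2" | grep -q '^install ok installed$'; then
        echo apt
    else
        echo none
    fi
}

# Query the live system (assumes snapd and dpkg are present, as on Ubuntu 20.04).
report() {
    snaps=$(snap list 2>/dev/null || true)
    debs=$(dpkg-query -W -f='${Status}\n' libreoffice 2>/dev/null || true)
    libreoffice_source "$snaps" "$debs"
}

apply() {
    case "$(report)" in
        snap)
            sudo snap remove libreoffice        # step 1: uninstall from SNAP
            sudo apt-get update                 # step 2: reinstall from the repo
            sudo apt-get install -y libreoffice ;;
        apt)
            echo "LibreOffice is already the apt package; nothing to do" ;;
        none)
            sudo apt-get update
            sudo apt-get install -y libreoffice ;;
    esac
    # The apt build's launcher lives under /usr/bin, the snap's under /snap/bin,
    # so this shows which one will now answer a double-click on a document.
    command -v soffice
}

case "${1:-}" in
    --apply)  apply ;;
    --report) report ;;
esac
```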