What is going on with Garmin Connect?
#51
Senior Member
Join Date: Mar 2006
Location: Chicago, IL, USA
Posts: 2,873
Come on guys... it's just personal cycling statistics. It's not like your retirement account or medical records.
And if the data is so critical to you, you should have a backup in a secure location and not rely on any 3rd party to be the only source and to protect it. The larger the collective data, the larger the target.
If I lost all of my Garmin history, it wouldn't make a difference in my life.
What worries me is who else might have access to the trove of personal data that Garmin has.
In addition to the standard online account stuff like phone numbers, IP addresses, billing addresses, email addresses, passwords, credit card info there are some more unique things in the data that Garmin collects via devices and uploads:
Age, height, weight, gender, heart rate, fitness history, power meter readings, GPS verified location tracks, lists of bikes and equipment that we all own, how frequently/far we ride them, who else we ride with, etc. In some cases, emergency contact info. Some devices collect additional data like sleep schedules, VO2 numbers, and so on.
All of that personal data may or may not be in the hands of Russian hackers.
Likes For msu2001la:
#52
Senior Member
Join Date: Sep 2007
Location: Far beyond the pale horizon.
Posts: 14,258
I'm not worried about losing my data, nor am I worried about losing access to Garmin's online services for a few days. These are mild inconveniences at best.
What worries me is who else might have access to the trove of personal data that Garmin has.
In addition to the standard online account stuff like phone numbers, IP addresses, billing addresses, email addresses, passwords, credit card info there are some more unique things in the data that Garmin collects via devices and uploads:
Age, height, weight, gender, heart rate, fitness history, power meter readings, GPS verified location tracks, lists of bikes and equipment that we all own, how frequently/far we ride them, who else we ride with, etc. In some cases, emergency contact info. Some devices collect additional data like sleep schedules, VO2 numbers, and so on.
All of that personal data may or may not be in the hands of Russian hackers.
Since backups might be compromised, a fair amount of data might be unrecoverable.
Why would Russian hackers care about sleep schedules and VO2 numbers?
#53
serious cyclist
Join Date: Apr 2009
Location: Austin
Posts: 21,147
Bikes: S1, R2, P2
If they were after the data itself, they wouldn't announce themselves by encrypting it and demanding ransom; they'd be silently siphoning it off for as long as possible.
#54
Senior Member
I'm not worried about losing my data, nor am I worried about losing access to Garmin's online services for a few days. These are mild inconveniences at best.
What worries me is who else might have access to the trove of personal data that Garmin has.
In addition to the standard online account stuff like phone numbers, IP addresses, billing addresses, email addresses, passwords, credit card info there are some more unique things in the data that Garmin collects via devices and uploads:
Age, height, weight, gender, heart rate, fitness history, power meter readings, GPS verified location tracks, lists of bikes and equipment that we all own, how frequently/far we ride them, who else we ride with, etc. In some cases, emergency contact info. Some devices collect additional data like sleep schedules, VO2 numbers, and so on.
All of that personal data may or may not be in the hands of Russian hackers.
Likes For Wooderson:
#55
Senior Member
Join Date: Mar 2006
Location: Chicago, IL, USA
Posts: 2,873
Of course I know that there's always a risk of data being compromised. That doesn't mean I have to forego any discussion or opinion on it, or accept it as a given outcome.
Likes For msu2001la:
#56
Senior Member
Join Date: Mar 2006
Location: Chicago, IL, USA
Posts: 2,873
It doesn't seem like a huge stretch to think that other companies, not to mention health/life insurance companies might be interested in getting their hands on data like this.
Likes For msu2001la:
#58
Senior Member
Join Date: Sep 2007
Location: Far beyond the pale horizon.
Posts: 14,258
Actually, it's kind of nutty to think that insurance companies are going to buy this information from hackers.
Likes For njkayaker:
#61
Senior Member
Join Date: May 2010
Location: midwest
Posts: 2,528
Bikes: 2018 Roubaix Expert Di2, 2016 Diverge Expert X1
Or they can just sell it on the dark web for additional money besides the ransom or to punish Garmin for not paying it.
#62
Senior Member
Join Date: Jun 2009
Location: Land of Enchantment
Posts: 468
Bikes: Domane SLR7 Project One
Looks like things are back online and no data loss that I can see. Able to upload saved files from memory on my Edge.
Likes For August West:
#63
Senior Member
Join Date: Sep 2007
Location: Far beyond the pale horizon.
Posts: 14,258
===============================
Ransomware is like threatening to burn your house down. It’s easy and nonspecific.
Stealing data is like needing to know where the jewels and money are hidden.
Last edited by njkayaker; 07-27-20 at 04:34 AM.
#64
Senior Member
Join Date: Sep 2007
Location: Far beyond the pale horizon.
Posts: 14,258
Garmin used to have a Windows program that you could load all your rides into, also had mapping and could display your routes.
Good info on what happened here: https://www.bleepingcomputer.com/new...omware-attack/
scott s.
.
That still exists (but there isn’t much active work being done on it now).
There are programs from other people too.
The data is just files (which you can store on your computer).
#66
FLIR Kitten to 0.05C
Join Date: Sep 2014
Location: Lincoln, Nebraska
Posts: 5,331
Bikes: Roadie: Seven Axiom Race Ti w/Chorus 11s. CX/Adventure: Carver Gravel Grinder w/ Di2
Beyond things like credit card info, data like sleep schedules and how fast you ride is worthless to other people.
===============================
Ransomware is like threatening to burn your house down. It’s easy and nonspecific.
Stealing data is like needing to know where the jewels and money are hidden.
Where you live and how many bikes you have is all thieves need to know to case your house. One of my riding mates lost $6K of tools and bikes out of their garage--no one else in their area was hit and everything was locked. Because GPS data plus knowing there are valuable bikes there is all you need.
Well that was short-lived... nothing here as of now.
Last edited by Marcus_Ti; 07-27-20 at 06:24 AM.
Likes For Marcus_Ti:
#67
meh
Join Date: Jul 2014
Location: Hopkins, MN
Posts: 4,702
Bikes: 23 Cutthroat, 21 CoMotion Java; 21 Bianchi Infinito; 15 Surly Pugsley; 11 Globe Daily; 09 Kona Dew Drop; 96 Mondonico
People are targeted by thieves using social media and GPS platforms, this is nothing new. Based on analysis available, I highly doubt Russian or Chinese hackers are interested in stealing your bike stash. They would love your passwords, credit cards, and use your Garmin data to social engineer breaches into other organizations. Frankly, social engineering is the top of my threat lists, Garmin is very popular and could easily give hackers a path into more critical systems around the world.
EDIT - additional info (I've added the bold to the quote to the point of the post above): "WastedLocker is a new kind of ransomware, detailed by security researchers at Malwarebytes in May, operated by a hacker group known as Evil Corp. Like other file-encrypting malware, WastedLocker infects computers, and locks the user’s files in exchange for a ransom, typically demanded in cryptocurrency.
Malwarebytes said that WastedLocker does not yet appear to have the capability to steal or exfiltrate data before encrypting the victim’s files, unlike other, newer ransomware strains. That means companies with backups may be able to escape paying the ransom. But companies without backups have faced ransom demands as much as $10 million."
https://techcrunch.com/2020/07/25/ga...mware-sources/
Last edited by Hypno Toad; 07-27-20 at 07:00 AM. Reason: adding info
#68
Senior Member
Join Date: Sep 2007
Location: Far beyond the pale horizon.
Posts: 14,258
People have used Strava data to pinpoint which houses to hit for bike grand larceny.
Where you live and how many bikes you have is all thieves need to know to case your house. One of my riding mates lost $6K of tools and bikes out of their garage--no one else in their area was hit and everything was locked. Because GPS data plus knowing there are valuable bikes there is all you need.
I didn't say none of the data has value (I even listed some!)
The location data might be useful but its usefulness is local. Which reduces the value of it being sold.
It's also possible that the thieves who hit your friend didn't use GPS data.
Last edited by njkayaker; 07-27-20 at 09:07 AM.
#69
Senior Member
Join Date: Jul 2017
Location: Pacific Northwest
Posts: 1,993
Bikes: Argon 18 Gallium, BH G7, Rocky Mountain Instinct C70
Looks like the server is back online. I was able to log in this morning. Still no word though on the nature / extent of the breach. I'd like to know if all of my information is out there and what, if anything, is being done about it.
#71
Senior Member
Join Date: Mar 2006
Location: Chicago, IL, USA
Posts: 2,873
None of these are sleep schedules or VO2 data.
I didn't say none of the data has value (I even listed some!)
The location data might be useful but its usefulness is local. Which reduces the value of it being sold.
It's also possible that the thieves who hit your friend didn't use GPS data.
The focus on VO2 and sleep schedules as specific items from my post to nitpick was your choice, but I agree that those two items would have less value than others, and may not have any actual value at all.
None of this makes it any less concerning that lots of personal user data was potentially compromised, which was my entire point.
Likes For msu2001la:
#72
Senior Member
Join Date: Mar 2006
Location: Chicago, IL, USA
Posts: 2,873
People have used Strava data to pinpoint which houses to hit for bike grand larceny.
Where you live and how many bikes you have is all thieves need to know to case your house. One of my riding mates lost $6K of tools and bikes out of their garage--no one else in their area was hit and everything was locked. Because GPS data plus knowing there are valuable bikes there is all you need.
Although we can set up "privacy zones" within Strava/Garmin, and keep equipment descriptions somewhat vague as basic security measures, the raw data still includes the actual start/stop points. The privacy zone just prevents it from being broadcast to other users.
In the event of a data breach, it would be very easy for someone to sort through GPS data to single out and pinpoint the location of high-mileage/frequency riders that log rides on multiple bikes. Combine that with day/time info on when they're typically out riding...
#73
On Your Left
Join Date: Nov 2011
Location: Long Island, New York, USA
Posts: 8,373
Bikes: Trek Emonda SLR, Sram eTap, Zipp 303
You guys are obsessing over Garmin data, imagine if they got your Google or Apple data. Everywhere you go, everything you look at.
As it was said, George Orwell would be shocked at the amount of personal information we give away for free. And the interweb never forgets.
Anyone pay any of those DNA services?
Likes For GlennR:
#74
meh
Join Date: Jul 2014
Location: Hopkins, MN
Posts: 4,702
Bikes: 23 Cutthroat, 21 CoMotion Java; 21 Bianchi Infinito; 15 Surly Pugsley; 11 Globe Daily; 09 Kona Dew Drop; 96 Mondonico
Good example.
Although we can set up "privacy zones" within Strava/Garmin, and keep equipment descriptions somewhat vague as basic security measures, the raw data still includes the actual start/stop points. The privacy zone just prevents it from being broadcast to other users.
In the event of a data breach, it would be very easy for someone to sort through GPS data to single out and pinpoint the location of high-mileage/frequency riders that log rides on multiple bikes. Combine that with day/time info on when they're typically out riding...
People are targeted by thieves using social media and GPS platforms, this is nothing new. Based on analysis available, I highly doubt Russian or Chinese hackers are interested in stealing your bike stash. They would love your passwords, credit cards, and use your Garmin data to social engineer* breaches into other organizations. Frankly, social engineering is the top of my threat lists, Garmin is very popular and could easily give hackers a path into more critical systems around the world.
EDIT - additional info (I've added the bold to the quote to the point of the post above): "WastedLocker is a new kind of ransomware, detailed by security researchers at Malwarebytes in May, operated by a hacker group known as Evil Corp. Like other file-encrypting malware, WastedLocker infects computers, and locks the user’s files in exchange for a ransom, typically demanded in cryptocurrency.
Malwarebytes said that WastedLocker does not yet appear to have the capability to steal or exfiltrate data before encrypting the victim’s files, unlike other, newer ransomware strains. That means companies with backups may be able to escape paying the ransom. But companies without backups have faced ransom demands as much as $10 million."
https://techcrunch.com/2020/07/25/ga...mware-sources/
#75
Senior Member
Join Date: Sep 2007
Location: Far beyond the pale horizon.
Posts: 14,258
If it bothers you that somebody pointed that out, maybe, you shouldn't have mentioned them!
They don't have any value to anybody. Why mention them?
It exaggerates the risk in a meaningless way. And it's funny!
Last edited by njkayaker; 07-27-20 at 12:33 PM.