Garmin Hack and Dependence

Last week we learned that customers of Garmin, maker of GPS-enabled tech for sports, automotive, aviation, and other use cases, couldn’t fully use their devices, sync, or connect for updates. As the story unfolded and the company eventually announced that this was the result of a ransomware attack, it reminded me of a pattern I’ve written about before — the trade-off between operational improvements and additional systemic risk.

Garmin, and many other companies, provide what has become essential technology. This article is an exploration of unintended consequences related to system dependence, navigation, international differences, hacker ambitions, and potential future outcomes.

Figure: Garmin uptime. A snapshot of Garmin’s recent uptime for its aviation service flyGarmin.

Why They Can’t Just Pay

I’ve written a few times about scams and the way they can spread. As I wrote about the recent Twitter Bitcoin hack in Scaling a Scam, “it doesn’t matter that only a tiny fraction of people fall for the scam as long as you can spread it around broadly enough.” In the case of the Twitter hack, leveraging a small number of high-follower accounts got the scammers a few hundred gullible victims who transferred around $100K in Bitcoin total.

Since it propagated through a consumer platform, the Twitter hack had high awareness on the platform itself, to say nothing of the news it generated. Earlier versions of this trick used fake Twitter accounts to spread similar messages, but without the followers they couldn’t go as far. Same for the “Hey, Grandma” scam and trying to scale through individual phone calls.

But if those scams could be described as parting fools from their money, the Garmin hack, perpetrated by Russia-based Evil Corp (yes, their real name), is a bit different.

As is common in this type of hack, Evil Corp’s malware primarily uses social engineering (tricking people into clicking a malware link), but the real target is a business that can pay. Evil Corp’s new WastedLocker ransomware encrypts company data (more profitable than destroying it) and withholds the decryption keys until the ransom is paid. At a supposed $10 million ransom, the potential payout is significantly higher than the others listed above.

Many Garmin services were down for much of the past week. That raises the question: why not just pay the $10 million to make the problem go away? Garmin’s revenue is over $3 billion. It has, or can get, the money. Couldn’t this attack have stayed out of public view if Garmin had just paid the ransom? Wouldn’t that protect Garmin’s customers, stock price, and reputation? After all, silence is the tactic many banks take when they have been robbed.

It isn’t a money issue, but Garmin still can’t just pay. Last year, the US Treasury sanctioned Evil Corp. The sanctions made it clear that the group was noteworthy, but they also created penalties for transacting with it (that is, for paying the ransomware demands).

“[A]ll property and interests in property of these persons subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with them…. Foreign persons may be subject to secondary sanctions for knowingly facilitating a significant transaction or transactions with these designated persons.”

Evil Corp has relied on phishing attacks to get into these companies, even with its more recent WastedLocker ransomware. The group was also known for an earlier “product” called Dridex. Unlike the WastedLocker ransomware, Dridex simply steals bank account credentials. Again from the Treasury document:

“Dridex is traditionally spread through massive phishing email campaigns that seek to entice victims to click on malicious links or attachments embedded within the emails. Once a system is infected, Evil Corp uses compromised credentials to fraudulently transfer funds from victims’ bank accounts to those of accounts controlled by the group. As of 2016, Evil Corp had harvested banking credentials from customers at approximately 300 banks and financial institutions in over 40 countries…. Through their use of the Dridex malware, Evil Corp has illicitly earned at least $100 million, though it is likely that the total of their illicit proceeds is significantly higher.”

Adding Friction

A theme in my writing is assessing when grassroots, local action is better and when larger organized responses are better. WastedLocker ransomware asks for a more coordinated response.

Without sanctions, it would make sense for companies to just quietly pay the ransom. But in the case of Evil Corp, which has largely targeted American businesses (at least among those that have reported), the purpose of adding sanctions is to centralize the problem. If businesses just quietly paid their ransoms, it would limit knowledge of the ransomware, hamper efforts to stop it, and allow it to spread further. Instead, the US government can collaborate with other governments and affected businesses, and can even attempt to pressure Russia (though we’ll see how that works).

So in Garmin’s situation, it potentially has to deal with WastedLocker longer than if it acted alone, but that should result in the ransomware spreading to fewer other companies.

Removing Friction

I’ve written about the paired operational efficiencies and added systemic risk of autonomous vehicles before. That’s why the Garmin hack’s impact on navigation drew my attention.

Fewer people navigate using printed maps and instead rely on navigation systems in their cars or on their phones. I have no nostalgia for pulling out a badly folded book of maps in dim light while also driving down a busy highway. Navigation systems improved the experience of driving in unfamiliar territory. But there was a trade-off. It’s a similar trade-off to that I wrote about in Autonomous Vehicles and Scaling Risk, where operationally we are better off in normal situations but when those situations are disrupted, the impact is greater.

If we still relied on books of maps, no one could easily and maliciously alter the driving directions of millions of people. That would take something bizarre, like intercepting the map designs and moving a highway exit before printing. Even if such an error could be introduced, its impact would be limited. Unlike the Garmin hack, there is no way to make every printed map unreadable on a moment’s notice.

Note that this trade-off may be acceptable. I call attention to trade-offs of this type not because they are necessarily bad, but because they are a cost of doing business today. Note also that I’m not saying technology is bad. After all, I’ve worked in tech for most of my career. Rather, I’m saying that our systems can deliver both scalable good and scalable bad. We should be aware that the greater efficiency we benefit from can also be taken away when a system is attacked.
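The trade-off described in this section can be made concrete with a small calculation. The following is an added example, not code from the original article: it compares a world where each driver carries an independent paper map with one where every driver depends on a single shared navigation service. The driver count, the per-day failure probability and the 10% "mass outage" threshold are constructed assumptions. Both setups are tuned to the same average uptime and the same expected number of stranded drivers per day, so a historical uptime figure cannot tell them apart; what differs is how often a large fraction of drivers lose directions at once.

```python
from math import ceil

# Constructed scenario (assumptions, not figures from the article):
N_DRIVERS = 1_000       # drivers who need directions
P_FAIL = 0.001          # per-day probability that a driver's source of directions fails
THRESHOLD = 0.10        # "mass outage": at least 10% of drivers without directions on one day
DAYS_PER_DECADE = 3650


def expected_affected_per_day(n, p):
    """Mean number of drivers without directions on a given day.
    Identical for both architectures, which is why average uptime
    cannot distinguish them."""
    return n * p


def p_mass_outage_independent(n, p, threshold_frac):
    """P(at least threshold_frac of n drivers fail on the same day) when each
    driver's failure is independent (the paper-map world). This is a binomial
    upper tail, computed term by term to avoid huge intermediate integers."""
    k = ceil(threshold_frac * n)
    term = (1 - p) ** n                  # P(X = 0)
    tail = term if k == 0 else 0.0
    ratio = p / (1 - p)
    for i in range(1, n + 1):
        term *= (n - i + 1) / i * ratio  # P(X = i) from P(X = i - 1)
        if i >= k:
            tail += term
    return tail


def p_mass_outage_shared(p, threshold_frac):
    """With one shared navigation service every driver fails together, so a
    mass outage happens exactly when the service is down. Here p covers both
    accidents and a successful attack on the single provider."""
    return p if threshold_frac > 0 else 1.0


def compare(n=N_DRIVERS, p=P_FAIL, threshold_frac=THRESHOLD):
    """Summarise the two architectures side by side."""
    ind = p_mass_outage_independent(n, p, threshold_frac)
    shared = p_mass_outage_shared(p, threshold_frac)
    return {
        "uptime_fraction": 1 - p,                                       # same in both
        "expected_affected_per_day": expected_affected_per_day(n, p),  # same in both
        "p_mass_outage_independent": ind,
        "p_mass_outage_shared": shared,
        "mass_outage_days_per_decade_independent": ind * DAYS_PER_DECADE,
        "mass_outage_days_per_decade_shared": shared * DAYS_PER_DECADE,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:45s} {value:.6g}")
```

With these assumptions both worlds show 99.9% uptime and one stranded driver per day on average, yet the shared service strands at least a tenth of all drivers on roughly 3.65 days per decade, while in the independent world that event is so improbable it never happens. Centralizing the dependency is what turns many small, uncorrelated failures into one large, correlated one, and it is also what gives a single attacker something worth hitting.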

Ambition

Malevolent hacks like Garmin’s are a part of our world. We might reduce them, but there will always be new ones. They won’t just go away, just as viruses don’t just go away. Some we invite upon ourselves, such as the CEO of security company LifeLock posting his social security number as a PR stunt (his identity was stolen 13 times). Some happen because we’re too rushed, unimaginative, and reliant on tech (college classes being Zoombombed shortly after the move to remote schooling). Some come from laziness and poor practices (Equifax was hacked through an unprotected consumer portal).

Garmin’s situation looks a lot better today than it did a week ago. It looks like they’ve recovered most of their systems, and it doesn’t seem (at least currently) that they paid the ransom. The stock price (which only fell around 5% during the process) is back up.

Still, I can’t help but wonder what would happen if these hackers were more ambitious. Rather than steal some Bitcoin via Twitter, what if they instead manipulated public opinion via those high-follower accounts? Instead of asking Garmin for $10 million in ransom, what if they just provided pilots inaccurate navigational data?

Do their financial interests keep their ambition low?

Consider

  • Is the graph above inevitable and a cost of living in a networked world?
  • The ransomware business model (pay for the keys to restore your encrypted data) seems to keep hacker ambition low.
  • The Garmin hack is a reminder that metrics like historical uptime are not a good measure of systems risk.