It’s not just some fitness smartwatch, as the linked Tweet might lead you to think:
> Pilots told the tech website that they had not been able to download new Garmin software with up-to-date versions of the aviation database, which is a legal requirement for flying. The Garmin Pilot app, which is used to schedule and plan flights, was also hit by the attack.
PS in case you’re not into aviation - Garmin is used in smaller aircraft, not airliners, but this is still a significant disruption - smaller planes and helicopters carry out important roles such as firefighting, heli ambulance, flying doctors services (e.g. in Australia), rescue ops etc.
Garmin has a lot of market share in small piston / hobby flying planes, but they're also big in small to mid size private jets and turboprops. More and more are using the Garmin G1000 and G3000 cockpit or older models upgrading from traditional instruments to the G600. In those cases it's not uncommon to use Garmin Pilot + Jeppesen for the good integration with the onboard systems when loading flightplans etc.
So this outage could be painful for some corporate flight departments and air taxi companies as well. Luckily you can also print the charts without that much trouble and fly like the old days.
FlyGarmin is already back up. And it’s not a huge deal in my opinion. In addition to being only smaller operators, dbs don’t expire and roll over on the same day. New releases are available early.
Absolute worst case, if you were flying IFR and it was worth the expense, you could go to Jeppesen and buy a 1-off update for your avionics. Garmin Pilot could be replaced by a ForeFlight trial, etc. It’s not like Garmin goes down, planes are grounded.
>The real issue is Garmin's lack of communication.
And here we are a full day and a half into the outage and no update and no ETA, just the same generic "Sorry, we have an outage bro" message that they put up a few hours in. I guess if this really is WastedLocker they're just sitting around arguing over whether to pay the ransom.
I'm sure it's a massive fire inside their walls right now. A tweet over 24 hours ago is definitely not going to bring confidence on any progress. Speculation will fuel a lot of negativity until an official update is provided.
Working in transaction consulting I beg to differ: This simply already puts the earnings call on Wednesday in a bad light, much more so than if they e.g. communicated the real issue and, if required and possible, delayed the earnings call... Transparency is valued and priced highly by analysts these days, the worst scenario is that there is no real transparency in the call itself, then "all bets regarding GARMIN's future are off".
Rumour has it that it's been caused by a ransomware attack (although Garmin hasn't commented publicly) - I can't think of much else that would cause such a long outage.
I thought the same. Especially the fact that their webservices as well as their callcenter and other support systems are down screams ransomware attack.
My experience with Garmin devices is that the hardware is good but the software is average. GPS devices, for example, are robust and can function both with batteries and piles, BUT the software can crash, and searching for names on a map or entering text is almost guaranteed not to work. They are years behind Android, for example, in user friendliness.
Their main distinguishing market at the moment seems to be wearables for athletes as well as dedicated GPS for aviation, etc., not consumer turn-by-turn navigation where smartphones can perform adequately. For example, tracking and providing analytics for training, particularly for running, bicycling, and other distance-based outdoor activities.
Their software is average compared to maybe other web services, but when compared in the segment - the alternatives are often even worse - I came to Garmin from the Suunto world and it was a big step forward - before, I was facing constant syncing issues, very poor sync software, migration to a newer platform at Spartan watch era was a sad story (multiple different web platforms, missing functionality, etc). Garmin works pretty flawlessly for me, though I'm primarily using Strava for all the analytics (or used till they limited their free tier recently).
Ever since my Oregon 650 refused to boot until I connected it to my computer I kind of lost faith in their hardware. I was hiking so connecting it to a computer was not an option. Needless to say I was not amused.
> This outage also affects our call centers, and we are currently unable to receive any calls, emails or online chats. We are working to resolve this issue as quickly as possible and apologize for this inconvenience. (2/2)
"inReach SOS and messaging have been fully functional and remain so."
This is reassuring because people who go to remote places and rely on the inReach satellite SOS and messaging have not been affected. If they had been affected, they would've been cut off with no explanation--for example unable to relay status to family, or to request an early pickup. While not in itself life-threatening, it would cause a lot of unnecessary worry and possibly unnecessary rescues.
I had wondered if their satellite messages were affected. Obviously, a message goes from the unit in the field to a ground-station, and then to the recipient's regular messaging or email. The question is whether it touched one of Garmin's servers to do that, and if that server was affected--apparently not.
Oh man. I was mildly amused that people couldn’t access their fitness history. I just tried to access flygarmin.com to update my aircraft’s aviation databases, and this shit just got real.
My airplane is grounded for IFR flights — I always fly IFR.
I pay Garmin $865/year for subscription. There are thousands of aircraft in the same predicament.
Aviation database updating has apparently been hit by this [1], and pilots are mandated by the FAA to keep them up-to-date. Car navigation won't be significantly affected as long as the roads haven't changed drastically since the maps were last updated - all the plotting and directions are done on the device itself.
Their call centres are affected so I suspect any sort of assistance with the above services is affected. Fitness trackers still work, you just can't sync with the app.
In this case I hate to be proven right, but it's not looking good for Garmin. There's lots of road cyclists out there with $750 useless watches now. I can tell you that after this event the odds of me ever purchasing a Garmin device that relies on anything 'cloud' based have even further decreased.
Even if the watches can function offline, how can anybody have any degree of trust that all of their previously uploaded data has not been stolen? Based on the reported use of ransomware and the very lengthy downtime, it really sounds like Garmin's network was owned quite thoroughly. Is there some group out there now in possession of hundreds of thousands of .gpx files with detailed tracking points of peoples' residences, favorite running and cycling routes, and what times of the day they're usually away from home? Nobody knows.
After seeing 20+ years and many dozens of instances of data breaches from this that we would now define as 'the cloud', I find that the only solution is to simply not upload to a third party anything you consider proprietary information.
Meanwhile my fully offline or local-workstation-hosted GPX based tracking method continues to work normally.
> There's lots of road cyclists out there with $750 useless watches now. I can tell you that after this event the odds of me ever purchasing a Garmin device that relies on anything 'cloud' based have even further decreased.
They work offline. At least, as much as I use mine it still functions, there may be more advanced features.
> Meanwhile my fully offline or local-workstation-hosted GPX based tracking method continues to work normally.
You can still get the gpx files right off the watch. Apart from that, this is the classic Hacker News argument of "why do the normies rely on these cloud services it's trivial to <insert giant complicated setup here>".
It's awesome that it works for you. My parents, one of whom in his retirement hacks on code that combines local drone captured data with local government LIDAR data and parses it for more accurate maps of his lifestyle block, don't have time for those shenanigans. The expectation that everyone does is folly.
But when you think about it, currently for most users computer = internet. No internet is almost equal to a non-functional computer. No Gmail, no FB, Insta, Twitter, no news sites, no messaging. For some, even no document editing if you are using online editors and have not prepared in advance by installing an offline editor (Office 365 or SketchUp). And also not many have offline maps ready.
It's scary how much we became dependent on internet connectivity.
> Is there some group out there now in possession of hundreds of thousands of .gpx files with detailed tracking points of peoples' residences, favorite running and cycling routes, and what times of the day they're usually away from home? Nobody knows.
The watches are not useless, the only useless thing is the app and the Garmin dashboard. Before, when I had a watch only with USB/ANT client, I used to sync it once per week, the only thing you need to do now is to just get the .fit files and upload them on Strava or whatever platform you want or process the files yourself.
I can also still sync Spotify for my music and podcasts, so that works.
You can still copy data from the Garmin watches manually. For a lot of the watches, this is mainly affecting the ability to use Garmin Connect to view your aggregated data.
It IS frustrating - I have a Fenix 3, so I can relate. But it is still tracking the activities and the service will be back up, so saying that the watches are useless right now is rather hyperbolic.
Those watches work perfectly fine offline, and that's how most people use them. Mine isn't even set up to connect to my phone.
You don't have a need for a 750 dollar watch with dedicated onboard maps and gps unless your use case is specifically being outside of coverage areas to start with.
This is not good but sadly any source of massive amounts of user data will continue to be targeted in this day and age. I'm an avid cyclist and use Garmin Edge GPS cycling computers. Luckily they store activities locally. I'm sure I'll be able to sync my rides soon enough ;)
Asked in a related thread already, but bigger audience here: Does anyone know who runs/hosts/maintains/secures GARMIN servers? Are they owned and operated by the company itself or is all or parts of it outsourced?
Forensics can sometimes prove "X happened", but not "Y didn't happen".
That's why sometimes companies will make statements like "we have no evidence that the hackers did Y1, Y2 or Y3". It doesn't mean anything really.
That is to say, once Garmin becomes communicative again, they may be prescriptive in answering questions like yours head-on, or due to lack of concrete proof, punt and obfuscate.
Suffice to say, it appears they've been owned through-and-through, so you may want to err on the side of caution.
[+] [-] mastazi|5 years ago|reply
Source: https://news.ycombinator.com/item?id=23937097
[+] [-] tallanvor|5 years ago|reply
I'd be willing to bet that their legal and finance teams are fighting to keep them from saying anything (their earnings call is on the 29th).
So much goodwill is lost by companies that don't communicate when problems are affecting customers.
[+] [-] WrtCdEvrydy|5 years ago|reply
I'm sure any communication will have to minimize stockholder impact and will be watered down instead of being 'Oh shit, all of our crap is encrypted'
[+] [-] zenexer|5 years ago|reply
A couple important excerpts (there's a lot more detail in the article):
> ... flyGarmin has also been down today. This is Garmin's web service that supports the company's line of aviation navigational equipment.
Other HN commenters have already elaborated on the implications of that.
> ... while we confirmed that this is a ransomware attack, we could not 100% verify claims that this was caused by WastedLocker.
Garmin hasn't officially commented on the cause, but they did tweet that their call centers are down (https://twitter.com/Garmin/status/1286278816302850048):
> This outage also affects our call centers, and we are currently unable to receive any calls, emails or online chats. We are working to resolve this issue as quickly as possible and apologize for this inconvenience. (2/2)
[+] [-] 205guy|5 years ago|reply
"inReach SOS and messaging continue to work."
"inReach SOS and messaging have been fully functional and remain so."
[+] [-] kelnage|5 years ago|reply
1. https://www.zdnet.com/article/garmin-services-and-production...
[+] [-] walrus01|5 years ago|reply
https://news.ycombinator.com/item?id=23775957
[+] [-] paulcole|5 years ago|reply
Yeah it’s called anyone who goes on Strava.