Sports data for ransom – it’s not all just fun and games anymore | WeLiveSecurity


Sports and training data are more sophisticated and affordable than ever. With the democratization of (sports) performance data, is your personal information safe?


Throughout the 1990s we saw vastly increased engineering applied to sports, mostly in the development of shoes, clothing and equipment – everything from ice skates to bikes and even golf balls. But among all the bling of bubbles and pumps in shoes, and aerodynamic helmets and balls, another transformation was taking place: the democratization of (sports) performance data.

The arrival of increasingly intelligent and low-cost sensors, and of the hardware and software needed to process the data they produced, rapidly migrated from national and professional teams towards amateurs and consumers. A good example of this migration towards the masses is the SRM Power Meter, a sensor located on the crank of a bicycle that uses strain gauges to measure the torque applied and, when combined with angular velocity, calculates power. While many cyclists were keenly interested, few had the resources both to buy and, perhaps more critically, to analyze the power data.

Figure 1. The SRM Training System first reached market in 1988, reaching professional cycling in 1991 and by 2003/4 could transmit data in real-time.
Source: http://www.srm.de/fileadmin/_processed_/csm_Untitled-2_eb68291314.png

However, change lay just around the corner. With wireless communication standards beginning to proliferate in the early 2000s, the missing element was the transformation and integration of personal communications and computing. From there, data-driven sports tech could go fully commercial.

Integration – enter the era of smartphones

In the year 2000, mobile phones began to connect to the nascent 3G network. With the first-generation iPhone released on January 9th, 2007 – followed by the first Android device in September 2008 – data-driven sports technology and consumers’ appetite for social sharing were on a collision course.

The introduction of smartphones gave users access to multiple service types as well as to other devices, including devices using other communications standards such as Bluetooth and ANT+, which are popularly used with heart rate monitors and speed sensors. With these protocols, small or clumsy dedicated devices could be paired to smartphones with substantially better user interfaces, more processing power and internet access – further connecting them to social media, email and servers.

A boom of data

The age of Big Data was (also) upon us, and it seemed that sports data would remain a small component of the infinite data stream unleashed by a diversity of new forms of tracking and analysis. However, for millions, human curiosity latched on to sports data as interesting, motivational and social.

When devices that could couple heart rate, cadence (the rate at which bike pedals are turned, or steps taken, per minute), speed, altitude and precise geolocation met social media, a new industry exploded. The sports data-verse opened by SRM led other device manufacturers like Garmin, followed by Fitbit, Apple, Samsung and Wahoo – to name a few – to provide the (data) fodder for users to engage with their data via sports apps like Strava, Zwift and other platforms, where they could record, analyze, share, congratulate, cajole and battle over who is fastest or fittest anywhere in the world. This combination proved addictive.

For context, Strava claimed 50 million members in February 2020, adding a million more every month, with members uploading “more than 1 billion activities in the last 13 months”. Essentially, athletes gather data on sports computers (plus sensors) or on watches from Apple or Samsung, then upload their results, along with location data, to platforms like Strava.

You know you are addicted when they take it away

As we can all attest, social media users can be obsessive, very possibly matched or outdone by athletes – whether amateur or professional. For sure, cyclists, triathletes and hikers using Strava and similar platforms, alongside hardware by Garmin or Apple, or devices like Wahoo’s ELEMNT bike computer, accumulate massive amounts of data that foster their own data addictions.

So, when the links between sensor technologies and the social spaces built up around websites like Garmin Connect get broken, users get upset! Cyclists won’t have to imagine too hard how users of the relative newcomer Zwift – a virtual cycling paradise – might feel if access, in-app avatars or data got cryptolocked.

Figure 2. A Zwift user with “smart” trainer and TV
Source: https://news.zwift.com/en-WW/media_kits/

The runaway success of platforms like Zwift, a virtual turbo trainer game that enables riders to join other cyclists in a virtual environment by linking a bicycle turbo/resistance trainer to a computer, smartphone or smart TV, demonstrates the stakes. During the coronavirus lockdown the stakes rose quickly, with Zwift’s user numbers massively boosted and even pro cyclists moving to adopt the platform in the absence of outdoor racing. Looking at the number of concurrent users on a given day (Peak Zwift), on Jan 21st, 2020, Zwift recorded 16,512; by April 5th, this had grown to 34,940 concurrent users. Sports + Data is strutting its stuff!

Ransomware hurts in new ways

Recently, the wider sports data boom stumbled when it was reported that the market-leading GPS and fitness tracking vendor Garmin had suffered a major security breach. “Garmin was the victim of a cyberattack that encrypted some of our systems on July 23rd, 2020. As a result, many of our online services were interrupted including website functions, customer support, customer facing applications, and company communications. We immediately began to assess the nature of the attack and started remediation,” reads the company’s announcement.

Subsequently, it was established that a ransomware attack had taken place, impacting its systems. Forensic analysis indicates with high likelihood that the malware in question is WastedLocker, in this case wielded by the organized crime group known as Evil Corp.

For users, the multi-day outage prevented them from logging data and thus from posting it. However, other recent ransomware incidents have demonstrated that cybercriminals not only deny access to data but actually steal it, first doxing victims and leaking random samples of data, then moving on to auctioning stolen data on dedicated underground sites, and even forming “cartels” to attract more buyers.

Reports around Garmin’s incident certainly don’t confirm this, but post-WastedLocker, this industry should reassess its risk and the value of users’ sports data – including personally identifiable information and location – particularly where users employ devices that enable multiplatform integration. Under these circumstances, the value of “sports data” quickly takes on a level of seriousness akin to health data.

With this incident, a new way for cybercriminals to pressure businesses into paying ransoms has unfolded. As such, we can imagine that many other companies could fall prey to similar patterns of abuse. Fitness center franchises, personal trainers and physical therapists, together with their natural overlap with healthcare providers, all present a negative synergy.

Alternatively, and outside of sports, we can imagine the knock-on effects of malware attacks on the recent explosion of food delivery services. Often on a tight budget and employing both location data and customer databases containing personally identifiable information, these types of businesses could also be prone to ransomed data and, in some cases, may have a lower level of cybersecurity maturity than the service providers focused on sports data.

Shifting security to a higher gear

If you are an athlete, be mindful of how your data, as well as device and service integration, can open you up to new threat vectors. If you know or suspect that your data has been compromised in a data breach, proactively request that your service provider offer an identity theft protection monitoring service. In the case of Garmin’s recent troubles, users seem to be in the clear with regard to the encryption status of their data. However, in cases where the likelihood of your personal sports stats and data being in criminal hands is high, you should be on the lookout for targeted phishing attacks or attempts at identity fraud in the near future.
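The location element of “sports data” is the part that turns a leaked activity file into personal information: an activity that starts and ends at the same fix, repeated over many uploads, reveals where the athlete lives. The following script is an added example written for this page, not code from WeLiveSecurity, Garmin or any platform mentioned above. It parses a constructed GPX 1.1 track (sample coordinates are invented), shows the start/end fixes an attacker would read off it, and applies a client-side “privacy zone” (an assumed mitigation, not one the article describes) that drops every trackpoint within a chosen radius of home before the file is uploaded or shared.

```python
import math
import xml.etree.ElementTree as ET

GPX_NS = "http://www.topografix.com/GPX/1/1"
ET.register_namespace("", GPX_NS)  # keep the default namespace on re-serialization

# Constructed sample activity (not real data): a short ride that starts and
# ends at the same spot, which is typical and is exactly what gives a home away.
SAMPLE_GPX = """<?xml version="1.0"?>
<gpx version="1.1" creator="constructed-example" xmlns="http://www.topografix.com/GPX/1/1">
  <trk><name>Morning ride</name><trkseg>
    <trkpt lat="48.2000" lon="16.3700"><ele>180</ele><time>2020-07-25T06:00:00Z</time></trkpt>
    <trkpt lat="48.2005" lon="16.3710"><ele>181</ele><time>2020-07-25T06:00:20Z</time></trkpt>
    <trkpt lat="48.2050" lon="16.3800"><ele>190</ele><time>2020-07-25T06:03:00Z</time></trkpt>
    <trkpt lat="48.2100" lon="16.3900"><ele>205</ele><time>2020-07-25T06:06:00Z</time></trkpt>
    <trkpt lat="48.2050" lon="16.3800"><ele>190</ele><time>2020-07-25T06:09:00Z</time></trkpt>
    <trkpt lat="48.2003" lon="16.3705"><ele>181</ele><time>2020-07-25T06:11:40Z</time></trkpt>
    <trkpt lat="48.2000" lon="16.3700"><ele>180</ele><time>2020-07-25T06:12:00Z</time></trkpt>
  </trkseg></trk>
</gpx>
"""


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = p2 - p1
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_trackpoints(gpx_text):
    """Return all (lat, lon) pairs of a GPX 1.1 document in recorded order."""
    root = ET.fromstring(gpx_text)
    return [(float(pt.get("lat")), float(pt.get("lon")))
            for pt in root.iter(f"{{{GPX_NS}}}trkpt")]


def endpoints(points):
    """The risk: the first and last fixes of an activity. Across many uploads
    these converge on one spot, i.e. where the athlete keeps the bike."""
    return points[0], points[-1]


def redact_privacy_zone(gpx_text, center, radius_m):
    """Mitigation: drop every trackpoint within radius_m of `center` (lat, lon)
    before the file leaves the device. Returns the rewritten GPX as a string."""
    clat, clon = center
    root = ET.fromstring(gpx_text)
    trkpt_tag = f"{{{GPX_NS}}}trkpt"
    for seg in root.iter(f"{{{GPX_NS}}}trkseg"):
        for pt in list(seg):  # copy: we mutate the segment while iterating
            if pt.tag != trkpt_tag:
                continue
            d = haversine_m(clat, clon, float(pt.get("lat")), float(pt.get("lon")))
            if d < radius_m:
                seg.remove(pt)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    pts = parse_trackpoints(SAMPLE_GPX)
    start, end = endpoints(pts)
    print(f"{len(pts)} fixes; activity starts at {start} and ends at {end}")
    home = start
    cleaned = redact_privacy_zone(SAMPLE_GPX, home, radius_m=500)
    kept = parse_trackpoints(cleaned)
    print(f"after a 500 m privacy zone around {home}: {len(kept)} fixes remain")
```

Run on the sample, the unredacted track begins and ends at the same coordinates, while the 500 m zone strips the four fixes near home and keeps only the three on the open road. The radius is a trade-off: too small and the home is still inferable from where the track “appears”, too large and the activity loses its first and last kilometre of stats; either way the redaction has to happen on the athlete’s side, because once the full file sits on a provider’s servers its exposure in a breach is out of the user’s hands.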

Suggested further reading:

Simple steps to protect yourself against identity theft
Blackbaud data breach: What you should know (especially the “What’s missing” section)
Privacy of fitness tracking apps in the spotlight after soldiers’ exercise routes shared online
Polar Flow app exposes geolocation data of soldiers and secret agents
