Late last month, electronics firm Garmin
With its large 47 mm dial and high-resolution AMOLED touchscreen display, the D2 Mach 1 is impressively conspicuous, the kind of timepiece that has attracted aviators since World War I. Its direct-to navigation, pulse oximeter, GPS moving maps and NEXRAD weather radar are enticing capabilities in such a small device, multiplied greatly when the watch is Bluetooth-connected to a smartphone with Garmin’s Pilot, In-Reach or Connect apps.
The text and email notifications, biometric capabilities (including heart rate, fitness tracking, activity profiles, and more) that you can find with other wearables are part of the Mach 1’s connected content as well. They’re appealing enough to have attracted a military following.
The new watch’s predecessor models (the D2C/D2D) were even acquired (with unit funding) by the Air Force’s 99th Reconnaissance Squadron, which flies the sensitive intel-collecting U-2 Dragon Lady. In 2017, the Navy issued a sister smartwatch model, Garmin’s Fenix 3, to all of its F/A-18 Hornet/Super Hornet/Growler pilots to aid in hypoxia detection.
Jim Alpiser, Garmin’s director of aftermarket sales, confirms that the company “does have a couple of reps actively selling” D2 Mach 1s to defense/military customers. However, Alpiser is “not at liberty to disclose” what military units they’re selling to. This confirmation is in keeping with the Olathe, Kansas-based firm’s past success and smartwatch following with aviators and other U.S. military personnel.
But the popularity of Garmin’s watches and other wearables with the military has taken on extra meaning in light of what is now happening in Ukraine and at the United States Military Academy at West Point, New York.
Russian Microtargeting of Ukrainian Service Members
Russian operatives have been collectively and individually targeting Ukrainian military service members by leveraging the data coming from apps resident on the connected devices (cell phones, tablets, computers, smart watches) they use on or near the battlefield. The practice was highlighted in a recent article for Defense News co-authored by U.S. Army Cyber Institute (ACI) researcher, Jessica Dawson, and Brandon Pugh, policy counsel for the R Street Institute’s cybersecurity and emerging threats team.
As the authors point out, “It is the new normal for military service members and veterans to be considered high value targets in the information war.”
In Ukraine, Russian actors have flooded the inboxes of Ukrainian military service members with malware-laden email in an effort to amass personal data, spread misinformation and intimidation. Dawson and Pugh also report that thousands of text messages have been sent to local police and military members.
Russia has gained access to the Ukrainian military by breaching and exploiting the social media and other apps on the personal and professional devices they use, opening a direct portal to data mining, influence operations and tactical insights generation. The latter may include real-time location data, patterns of life/movement and group/formation size. Any connected commercial device is an aperture with the potential to be weaponized against its user.
The problem stretches back to the U.S. homeland, throughout our civil and commercial society and our own military. Operations here and in Ukraine can be put at risk thanks to the pervasiveness of data collected for targeted advertising.
Dawson and Pugh explain that name, service identifier and IP address/device information swept up for advertising data analysis make it “easy” to identify individuals’ information from their cell phones or other connected devices, whether that comes from ad identifiers or the phone number itself.
Ad identifiers, they say, can be aggregated with other tracking information by numerous entities, from online advertisers to data brokers, to reveal patterns of daily life such as where someone lives and their political preferences. The ad data then becomes a vector to target and harass individuals.
To illustrate the broad potential, Dawson references a 2019 New York Times feature which reported that every minute of every day across the globe dozens of unregulated, little scrutinized companies log the movements of tens of millions of people via their mobile phones, “storing the information in gigantic data files”.
Ukrainian and American service members are a subset of those millions and represent a risk that the Pentagon has only just awoken to. About a year ago, Dawson set up a research agenda and began digging into the problem of commercial data collection and the military. What is the U.S. military doing about the risk of microtargeting?
“The answer is not much,” she says. “We’re trying to sound the alarm that this is a significant concern. I understand that [telecommunications/IT] is a trillion-dollar industry but it’s very dangerous.”
It’s a problem exacerbated by the ubiquity of personal connected devices and the longstanding American traditions of individual freedom and privacy that underlie service members’ ownership and use of phones, Fitbits or smart watches. American soldiers, sailors, marines, airmen and guardians possess these and multiply their reach/power via a multitude of social media, biometric, navigation, gaming and communication apps.
“How do you enable people to fight in the information space through social media and other messaging while still keeping your formations safe from all the emissions that are coming off of these devices?” Dawson asks. “We don’t have a good answer for that.”
Given its vulnerability – literally a matter of life and death – the question arises as to whether the Ukrainian military has found an answer.
“We don’t know if Ukrainian soldiers are restricted from commercial devices,” Dawson says. “I haven’t seen any reports on what the Ukrainian military is doing. I would assume that the word has gone out, ‘Turn that crap off.’”
But turning it off is hard, Dawson acknowledges. The same devices and software that Russia seeks to exploit (right down to TikTok) are being used in the information war by Ukraine as well.
Getting one’s arms around the extent of the problem is similarly difficult. To quantify and characterize data collection risks, ACI would like to look at the metadata from Army service members’ devices. “That involves looking at U.S. individuals, so we’re not allowed to do that unless it’s very narrowly tailored.”
The researchers have gained limited experimental approval to pore through general data but the Army, Dawson says, still has no policy. “The general consensus has been that commercial [telecommunications] are not a problem – that the Army does not want to go near that.”
Space Force’s “Beta Test”
Nor, it would seem, do the other services. Ironically, the Space Force is inadvertently touching on the issue. In March, the Space Force announced plans to officially implement a new “three-part fitness program” which would see it abandon the annual physical fitness test (PT) so familiar to all the services, replacing it with a program that will use “wearable technology and a software solution paired with fitness/workout regimes and preventative health practices.”
Though the program is still in beta test, the Space Force has signed a contract with fitness software platform FitRankings “to create a digital community to connect fitness wearables,” according to a company press release.
The Austin, Texas-based company offers a device-agnostic app which can go on a wide variety of devices/wearables, including Garmin’s watches. It’s worth noting that nowhere on FitRankings’ website are the words “information security” spelled out. How Space Force will secure data for this connected community, how it will monitor Guardians’ health/fitness data and how it will require them to install the app on their personal wearables has not been explained.
According to an Air Force Times article, Space Force managers (and presumably FitRankings staff) will “have access to dashboards that show varying levels of data on the people they are supervising. The extent of that data can be adjusted to show only group-level totals or provide a general assessment of an individual’s fitness level…”
It takes no leap of imagination to surmise that such routinely collected data would be of interest to U.S. adversaries. However, Dawson points out that the reliability of biometric devices/apps must itself be called into question.
“I haven’t seen research that says the data from these biomedical apps is actually accurate in predicting health and wellness,” she says.
It’s possible the apps may create additional stress, what Dawson calls the “over quantification of health monitoring,” which may lead people to an unhealthy obsession with it. She offers a practical note as well, pointing out that people in China have already figured out how to spoof fitness trackers, fitting wearables to toilet paper or bananas to obtain better insurance rates.
The Smartest, Stealthiest Garmin Aviation Watch Yet
“As a back to the backup to the backup we like to say, just point the pilot in the right direction,” Garmin’s Alpiser quips. He references the D2 Mach 1’s emergency mode which, in the event of a full aircraft system failure, provides basic navigational guidance to the nearest airport.
A user simply holds down the blue-ringed button on the top right side of the watch case. The Mach 1 goes into emergency mode, automatically simplifying the display to a few crucial elements including an arrow pointing the direction to the nearest airport.
Like its predecessors, the Mach 1 receives satellite PNT (position/navigation/timing) data from the U.S. GPS constellation, from Russia’s GLONASS constellation and the EU’s Galileo satellites. The watch doesn’t rely on linked input so it’s functional in an emergency using the above satellite signals and its own internal database.
The function is a last resort for pilots in a jam, but previous versions of it have been used, including by an EA-18G Growler crew in distress in 2017. Its merit as a stand-alone feature is generally overshadowed by all the connected features that Garmin touts for the D2 Mach 1, including connected flight planning and pilot health monitoring. These are where risk begins to creep in.
Jim Alpiser told me he’d just come from a security focused meeting prior to our interview. He says that Garmin has a “huge focus internally on personal data security”. That focus extends to military consumers of its watches and other devices.
“We understand that military operations and personnel need a way to protect their information and quickly wipe the device clean if they feel it’s necessary. We’ve built in those functions and features. We’ve done that with the intention to make this watch attractive to military aviators.”
The Mach 1’s Stealth Mode is accessed through a control menu that leads to a little icon that looks like a stealth airplane. Tap on the icon and it configures the watch much in the same way “airplane mode” works on any other device, turning off all outgoing wireless broadcast signals (Wi-Fi, Bluetooth, radio antenna).
It will show the user’s position on a map when in an activity (flight navigation, running, etc.), but no location data is saved and GPS positions are not logged. For example, Garmin says, if you went for a 3-mile run, there’d be no record of where you ran, only that you ran three miles. If you then turn Stealth Mode OFF, that run activity would get uploaded to Garmin Connect, still with no position data.
It sounds like an attractive way to preserve functionality without recording movement, if a user remembers to actuate it. The D2’s Kill Switch clears the device memory, another useful bit of thinking from Garmin that could benefit its military clientele. A user actuates the Kill Switch by pressing and holding the top left button long enough to yield a kill warning with a countdown – if you let the countdown expire, it wipes everything on the device and reverts to default settings.
I tried it. It didn’t work. After consulting with Garmin, the company explained that one must first set a single button as a “hotkey” before it can be used. They explained how to do it and added that the Kill Switch wipes all data, then also overwrites the entire file system with garbage data and then reloads a fresh set of blank system data on top of that to prevent deleted data from being recovered.
Again, a useful idea, Dawson agrees. “Anything that’s an easy factory default reset is a good idea. Say you’re going through border security or something similar, that’s good.”
But she is skeptical about the Stealth Mode feature and Garmin’s data collection in general. “I looked at the Garmin Connect privacy report on the Apple Store. It says ‘data not linked to your location’. It still says the data that is linked to you using this app is your health and fitness, your contacts, identifiers, contact info and user content.”
Dawson refers back to ad identifiers and reminds us that even if a Garmin app is not expressly collecting personal location data and linking it to individuals, the ad identifiers from the app/device could be merged with another data set and compared to identify the user (for example, a database from another app that collects location data and links it to the same ad identifier).
Potentially breachable, microtargetable personal data like the sleep score, stress levels, hydration, and women’s health tracking that Garmin highlights is concerning for service members, Dawson adds.
“If you [as an adversary] want to figure out when the perfect time to deploy psychological messaging, you do it when someone is stressed and worn out. This app [Garmin Connect] would presumably give that information. Even if Garmin is not selling that data, if they get hacked, it can be out there.”
Unfortunately, experience proves the point. In July 2020, cybercriminals targeted Garmin with a ransomware attack that encrypted the company’s internal systems and shut down critical services like Garmin Connect, flyGarmin, Strava, and InReach. The company first detected the attack when employees began to share photos of encrypted workstations. The attack was attributed to a Russian hacker group called “Evil Corp”.
According to reports, Garmin issued a statement saying, “We have no indication that any customer data, including payment information from Garmin Pay, was accessed, lost or stolen.” But as Brett Callow, a cyber security researcher at Emsisoft, told Sky News, “Absence of indication is not indication of absence.”
The U.S. Treasury had previously sanctioned Evil Corp, a group which may still be operating inside Russia. Garmin says its apps are designed in-house and features like Stealth Mode and Kill Switch can also be found on other smartwatch models like the company’s Tactix 7.
“You’ve got complete control over whom you share this information with. It’s up to the user to share that information when they feel appropriate,” Garmin’s Alpiser reiterates. The wearer may have a degree of control, but even that is not complete, and the company has not shied away from using generalized user data to promote itself.
In January, Garmin issued a 2021 Garmin Connect Fitness Report in which the company says, “Data from millions of global smartwatch customers offers insight into the year’s top activities.”
“In the face of ongoing lockdowns and the emergence of new COVID-19 variants, Garmin users logged a record-breaking number of fitness activities in 2021,” said Joe Schrick, Garmin vice president fitness segment.
The release may seem innocent enough but it is clear advertisement of the kind of aggregated (and individual) personal fitness data that Garmin possesses – data potentially attractive for the kind of microtargeting Russia is pursuing in Ukraine.
The example goes back to the “wicked hard” technological corner American and other societies have put themselves into, Dawson says.
“When we think about the security [protocols] that these companies have, we essentially accept that we’re taking a private company and pitting it against a nation-state. The DoD and federal government don’t generally help private companies protect their data. Even if Garmin has good security, if a nation state wants to get into this, they’re going to be able to get in.”
In addition to the immediate microtargeting issue for the D2 Mach 1 or any device, there’s a big policy gap in the Army and throughout DoD, Dawson observes.
“What authority does DoD have to dictate, recommend anything with regards to people’s private devices?”
If the Space Force goes ahead with its connected fitness test experiment, could it set a precedent? Dawson doesn’t have an answer, but she does suggest a place to start.
“The first thing we have to do is to get DoD to recognize that this is a national security priority… The idea that the homeland is contested space and that this data is part of that contested space has not been clearly articulated in DoD national security documents.”
The war in Ukraine may raise data privacy concerns to a level where U.S. military and political leadership takes note. Dawson confirms that the Army Cyber Institute is using Ukraine to build its case for addressing microtargeting. That might bring her and her Army colleagues back to a basic question.
If you were going into combat in an AH-64 Apache attack helicopter, an M-1 Abrams tank, or on foot, I asked Dawson, would you wear a Garmin D2 Mach 1?
“I wouldn’t take it with me,” she replied.