[BreachExchange] Garmin Shipping Navigation Unit Suffers Breach

Destry Winant destry at riskbasedsecurity.com
Tue Oct 9 20:39:42 EDT 2018


Navionics, an Italian company that manufactures electronic
navigational charts for boating, was the victim of a customer data
breach that exposed hundreds of thousands of customer records.

Bob Diachenko, Hacken.io’s director of cyber risk research, revealed
in a blog post that the company’s MongoDB database wasn’t secured with
password protection, which meant anyone could access and download its

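The misconfiguration described above comes down to two mongod settings: the server listened on a routable interface and `security.authorization` was left at its default, disabled, so any client that could reach the port could list and dump every database. The following is an added example for this post, not Navionics' configuration and not a tool Diachenko published: it reads a mongod.conf and flags that combination. The two config texts are constructed samples, and the reader handles only the flat `section:` / `key: value` layout they use, which is an assumption of the example rather than a full YAML parser.

```python
"""Audit a mongod.conf for the pattern behind this incident: a server
reachable from outside with authorization switched off.

Added example for this article; not Navionics' configuration and not any
tool from the researcher.  The two config texts below are constructed.
"""

WEAK_CONF = """\
# Constructed sample: listens on every interface, no authentication
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
# Constructed sample: loopback only, role-based access control on
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_mongod_conf(text):
    """Read the 'section:' / '  key: value' subset of mongod.conf.

    Real files can nest deeper and use YAML lists; this reader covers only
    the flat layout in the samples above (an assumption of this example)
    and ignores comments and blank lines.
    """
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            section = line.strip().rstrip(":")
            conf.setdefault(section, {})
            continue
        if section is None:
            raise ValueError("indented key outside any section: %r" % raw)
        key, _, value = line.strip().partition(":")
        conf[section][key.strip()] = value.strip()
    return conf


def listens_publicly(conf):
    """True if mongod would accept connections on a non-loopback address."""
    net = conf.get("net", {})
    if net.get("bindIpAll", "false").lower() == "true":
        return True
    bind = net.get("bindIp")
    if bind is None:
        # Before MongoDB 3.6 an unset bindIp meant all interfaces; from 3.6
        # on it means localhost.  Without knowing the version, treat unset
        # as public so the finding is not silently missed.
        return True
    loopback = {"127.0.0.1", "::1", "localhost"}
    return any(addr.strip() not in loopback for addr in bind.split(","))


def auth_enabled(conf):
    """True if security.authorization is on (the default is disabled)."""
    value = conf.get("security", {}).get("authorization", "disabled")
    return value.lower() == "enabled"


def audit(conf):
    """Return the list of findings; an empty list means neither weakness."""
    findings = []
    if listens_publicly(conf):
        findings.append("net.bindIp: listens on a non-loopback interface")
    if not auth_enabled(conf):
        findings.append("security.authorization: not enabled, any client "
                        "that can connect can read every database")
    return findings


def exposed(conf):
    """The pattern in this incident: reachable from outside AND no auth."""
    return listens_publicly(conf) and not auth_enabled(conf)


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        conf = parse_mongod_conf(text)
        print(name, "EXPOSED" if exposed(conf) else "ok", audit(conf))
```

Enabling authorization fixes the second finding but not the first: a database that must not be internet-facing should also bind to loopback or a private address and sit behind a network rule, since, as the researcher notes later in this post, a transient firewall change can otherwise expose it again.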
Navionics, which was recently acquired by tech giant Garmin, offers
boat, yacht and ship owners access to real-time navigation charts
through the “world’s largest cartography database.”

The 19 gigabyte database contained more than 260,000 records,
including customer names and email addresses. In addition, it provided
information about their boat — latitude and longitude, boat speed and
other navigational details — which Diachenko said was likely updating
in real-time.

After discovering the exposure, Diachenko contacted the company, and
Navionics immediately shut down the server.

“Navionics takes data protection very seriously, and we are grateful
that Mr. Diachenko notified us of this misconfiguration using the
responsible disclosure model,” the company said in a statement. “Once
notified, we immediately investigated and resolved the vulnerability.
Following our investigation, we confirmed that none of the records or
data were otherwise accessed or exfiltrated, and none of the data was
lost. Even so, Navionics still notified affected customers via e-mail
by October 8, 2018.”

MongoDB is one of the most widely used databases in the world, and many
exposed MongoDB instances have been accessed by attackers, according to

“The main takeaway from this is the importance of security at every
stage of your development process,” wrote Diachenko. “It should not
even be argued that your development network must be one of your most
secure networks, for it contains your intellectual property. As we
learned from this incident, one never knows when transient firewall
rules may inadvertently expose your development machines to the
public. In this case, it appears to have only exposed some pieces of
personal information, but for others, it could be critical
intellectual property or even your entire subscriber base that could
be exposed.”

More information about the BreachExchange mailing list