Skip to content ↓ | Skip to navigation ↓

Most security folks are familiar with the threats posed by the Internet of Things (IoT). Indeed, one need only look to what happened to Dyn in October 2016 to grasp the devastating potential of insecure IoT devices. Given this new wave of distributed denial-of-service (DDoS) attacks, as well as the Mirai-infected bots that power them, it’s no wonder 70 percent of IT experts told Tripwire at Black Hat USA 2016 that their organization wasn’t prepared for IoT-related threats.

Without proper safeguards, insecure IoT products can expose our data and thereby threaten our privacy and security. But that’s what happens when the Internet of Things is executed poorly. On the flip side, there are certain situations where secure “smart” innovations can afford greater transparency and/or paint a more comprehensive viewpoint. As such, these connected devices and their data can disprove a narrative that without additional context might seem irrefutable.

One such situation arose in February 2017. It involved a deceptive half-marathon runner and a Garmin GPS smart watch.

Living on a Prayer… that She Wouldn’t Get Caught

On February 20, the runner who placed second in the A1A Half Marathon in Ft. Lauderdale, Florida registered 44:12 for the first 10K and 1:21:46 for the remaining 11.08 kilometers. These results indicate the runner ran 7:09 minute/mile for the first 10K and then picked up the pace to 5:25 minute/mile for the second split. This breakdown piqued some race participants’ curiosity, leading some to argue she cut the course and didn’t run the full half-marathon.

The runner approached runners and race officials by her own volition and denied these claims. She then celebrated by attending the awards ceremony and accepting the second-place award.

To prove she ran an average pace of 6:15 minutes per mile for the entire 13.1 miles, the runner manually posted a map that shows she completed the course.

But something wasn’t right. As Derek of Marathon Investigation writes in a blog post:

“She had this labeled as a run, and the total time *almost* matches her original time for the 1/2 marathon. The cadence data is more consistent with what you would expect on a bike ride, not a run. Also, through the Flyby screen, I was able to confirm that she actually covered this course in the afternoon – long after the race was complete.”

Some additional digging uncovered several photos of the runner after she had completed the race. A few of them even showed her facing the camera with the face of her Garmin 235 GPS smart watch clearly displayed. Curious as to whether the runner’s data matched her professed completion time, Derek purchased high-resolution copies of the pictures.

Those photographs indicate the runner completed only 11.65 miles in 1:22:07. This means she ran 7:16 minutes per mile in the 10K split (44:22) and 6.58 minutes per mile in the remaining 11.6 kilometers (1:22:07). But she cut 1.5 miles in total from the half-marathon.

Currently, it’s unclear why the runner decided to cheat. A post to her now-deleted Instagram account provides some perspective:

“I made a HORRIBLE choice at the Ft. Lauderdale Half Marathon on Sunday, Feb. 20. I wasn’t feeling well so I CUT THE COURSE and headed to the finish line.

“I got swept away in the moment and pretended I ran the entire course, when in fact I CHEATED and should have DISQUALIFIED myself.”

Derek isn’t having any of it, though. He thinks the runner’s proactive defense of her runtime proves she knew what she was doing. In his estimation, the runner probably wanted to receive a good enough time so that she could qualify for membership into the Performance Team of the Dashing Whippets, a member group of New York Road Runners community.

But it wasn’t meant to be. Since news of her deceit emerged, the Dashing Whippets has revoked her membership. It looks like she’ll never make the Performance Team now.

Lying in a Data-Driven Age

IoT devices like the Garmin 235 can help us track our fitness progress, lose weight and become healthier. But when we’re trying to hoodwink people, those products – along with the omnipresence of social media – can become our worst nightmare. Indeed, had she not brought her Garmin, it’s not immediately clear whether race officials would have disqualified her.

Thankfully she did bring her smart watch, however, as her award is now in the hands of the rightful second-place runner.

SANS White Paper: Security Basics