Garmin CIQ Hacker Exposes 13 Vulnerabilities Affecting 100 Garmin Models
Via: @Brian R, with thanks
Some points in this article are directly written for this site by Tao Sauvage and @BrianR
Garmin has been hacked…again. This time the company was lucky as the ethical hacker shared the numerous vulnerabilities he discovered with the company during 2022 and 2023.
In A Nutshell
Ethical hacker Tao Sauvage (source: Anvil Secure) discovered 13 Connect IQ (CIQ) vulnerabilities, some dating back to 2015. Although discovered on the Forerunner 245, the vulnerabilities are mostly generic and affect over 100 Garmin models, including Garmin Edge, Fenix, Forerunner and handheld devices.
What Are The Vulnerabilities?
In plain English (via @BR), some of the issues are thus:
- Garmin uses unsafe C functions such as strcpy and memcpy, which major companies including Microsoft have banned from their code for over 10 years. Source: Microsoft
- Garmin implements threads rather than processes, so one component’s memory is not protected from another.
- GarminOS is many years behind in terms of security compared to other Operating Systems such as Linux, Android or iOS. It lacks security mitigations and hardening features that have existed for well over 10 years.
- Garmin’s OS is proprietary and thus historically has not had much scrutiny, unlike Linux.
- Garmin’s OS is closed-source not open-source. This almost inevitably increases the likelihood of security vulnerabilities being overlooked.
- Because GarminOS is written in C/C++, any memory-handling error can have unforeseen effects (bugs, crashes…). Garmin is aware of this and attempts to handle it with flawed mitigations in MonkeyC and the TVM.
- Thus CIQ apps can have similar unforeseen effects, just not quite as easily. CIQ is disabled when diving with the Descent watches.
- You have to trust CIQ apps and hope they have no malicious intent.
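The first bullet above is the classic unbounded-copy problem. The following is an added example, not code from the article, from Garmin or from Anvil Secure: it places the strcpy pattern the article criticises beside a length-checked replacement. The record layout, field size and inputs are all made up for illustration.

```c
/* Added example: unbounded strcpy versus a length-checked copy.
 * struct app_record, NAME_MAX and the sample strings are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16          /* hypothetical fixed-size field, e.g. an app label */

struct app_record {
    char name[NAME_MAX];
    unsigned int flags;      /* sits right after name: an overflow would clobber it */
};

/* The pattern the article criticises: strcpy trusts the caller about length
 * and writes strlen(src)+1 bytes regardless of how big r->name is. */
void unsafe_set_name(struct app_record *r, const char *src)
{
    strcpy(r->name, src);
}

/* Hardened form: validate the length first, reject oversized input and keep
 * the destination NUL-terminated. Returns 0 on success, -1 if rejected.
 * memcpy itself is fine once the length has been checked against the buffer. */
int safe_set_name(struct app_record *r, const char *src, size_t src_len)
{
    if (r == NULL || src == NULL || src_len >= NAME_MAX)   /* room for the terminator */
        return -1;
    memcpy(r->name, src, src_len);
    r->name[src_len] = '\0';
    return 0;
}

int main(void)
{
    struct app_record rec = { "", 0x1 };
    /* constructed inputs: one that fits the field, one longer than it */
    const char *ok = "ciq-app";
    const char *too_long = "this-label-is-longer-than-sixteen-bytes";

    printf("fits: %d\n", safe_set_name(&rec, ok, strlen(ok)));                 /* 0 */
    printf("rejected: %d\n", safe_set_name(&rec, too_long, strlen(too_long))); /* -1 */
    printf("name=%s flags=0x%x\n", rec.name, rec.flags);   /* unchanged by the rejected call */
    return 0;
}
```

The unsafe variant is shown only for contrast and is never called; the checked variant is the one worth copying, and the same length-before-copy discipline applies to memcpy with caller-supplied sizes.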
Having tried to keep this article relatively non-technical, I note that some of you are more technically minded. Here is a summary of the types of vulnerabilities, with further information and examples of attacks on GitHub. The vulnerabilities are all integral to Garmin’s 3rd-party CIQ app language and could be used for mischievous purposes…or worse.
Note: The vulnerabilities affect all versions from the one listed in the table up until the latest version (before Garmin’s security fixes). So although your device might be running 4.x.x, it was vulnerable to the vulnerabilities listed in the table. Garmin then released their security fixes in the latest version and also backported them to version 3.1.x.
What Is The Current Status Of The Vulnerabilities?
As of CIQ API version 3.1.x, these have been fixed by Garmin.
Why Did This Arise?
Perhaps one of the reasons this could happen is that the Garmin OS TVM (Trusted Virtual Machine) is proprietary and was built incrementally from the ground up. Mistakes were made during that long and complex journey.
Garmin OS is built on the widely understood ‘C’ programming language. There are also elements of C++. Whilst Garmin updates its watch software incrementally, users (and hackers!) can download the complete software for beta versions on Garmin’s website.
The company’s 3rd-party app store, called Connect IQ, allows 3rd-party developers to use the Monkey C programming language, itself based heavily on Java/JavaScript, to produce programs as .PRG files. These present opportunities to be hacked.
What the hacker found
Tao Sauvage’s analysis focuses on the MonkeyC programming language used for developing applications on the Garmin Forerunner 245 Music watch. During his investigation, several vulnerabilities in the GarminOS TVM were uncovered that could be leveraged to compromise the watch. These included the ability to escape the sandboxed area of the watch reserved for 3rd-party apps and execute arbitrary code on the device, as well as the ability to circumvent Garmin’s permission system and invoke any function irrespective of the application’s authorisation. Ouch.
The author offered scripts and proofs-of-concept in a GitHub repository as evidence. Of particular note was the vulnerability listed as CVE-2023-23299, which together with the other identified vulnerabilities has affected more than a hundred Garmin devices since 2015.
Now that these issues have been claimed to have been addressed, we can only look back and wonder at what degree of responsibility Garmin would have taken should your watch have been hacked for nefarious purposes.
As a fellow Garmin user, software engineer and runner: Garmin CIQ is a joke, MonkeyC is a joke, and Garmin hires just a lot of poorly paid software engineers. They have the best hardware and shittiest software 🙁 Why THE HECK invent a subpar new language, to interpret it on an embedded device!? At some moment I was so pissed and bored I wrote a transpiler from C++ to MonkeyC so I can write apps in something that makes sense. Next thing, the ConnectIQ app store is crap, useless search, bunch of spam, no payments. Another one… There is a limit of hmm 8 (?) apps on a Garmin Watch, each up to 128KiB in size or smth… And max 2 data fields in use.
They have no clue what they are doing 🙁
J2ME was for interpreted code on small devices. Android’s runtime is based on a reimplemented Java interpreter. There are obvious security and stability reasons to run 3rd party code in a sandboxed interpreter but it is not so easy to get it right in an adversarial environment. The JVM has had tons of security bugs also over the years.
Maybe Garmin invented a language and its own interpreter so as not to be sued by a behemoth like Oracle or Microsoft? Intellectual property suits are expensive even if you win.
Sun vs Microsoft
SCO vs Novell
Oracle vs Google
I think the language is called Monkey C and the interpreter is called Monkey Do. Cute isn’t it?
I think the larger point of the story is that GarminOS has execution threads but not processes. There is no kernel vs user space. There is no memory protection except for whatever the TVM runtime can provide. This is why any bug in the system can potentially crash your watch. The security and stability guarantees of the architecture are very limited. The entire history of C and C++ suggest it is functionally impossible to build something as large and complex as GarminOS in C/C++ without making memory handling errors.
See, even J2ME would be better there… Well understood and maintained VM+JIT.
It’s just a matter of (human) resources – pay more than McDonald’s and you get better code.
Ah the smell of click bait in the morning
I considered the alternative title “Garmin CIQ Hacker Exposes 10 Vulnerabilities Affecting 3 Garmin Watch Models” but it would be factually incorrect. So I instead chose the factual title that you appear to be moaning about.
What exactly is your problem please? I can try to address it if you make it known.
3.1.4 is over three years old. It’s obsolete. Currently on 4.2.x
yes
https://the5krunner.com/2022/10/12/garmin-ciq-system-6-announced/
Edit – As Tao Sauvage points out, you got confused: “The vulnerabilities affect all versions from the one listed in the table up until the latest version (before Garmin’s security fixes). So although your device might be running 4.x.x , it was vulnerable to the vulnerabilities listed in the table (again, before Garmin’s security fixes). Then Garmin released their security fixes to the latest version and also backported them to version 3.1.x.”
To be fair to Garmin, the ransomware attack on Garmin’s corporate Windows network has nothing whatsoever to do with the limitations and implementation defects of the Monkey C interpreter in GarminOS.
@Amadeus J I haven’t read about poor wages at Garmin. I was under the impression that Garmin had high retention of software engineers and generally considered a good employer. Do you have a reference?