Garmin is one of the key players in the smart fitness market. In 2021, they reported that 60% of their revenue was generated by their outdoor and fitness division, and in 2020 they were second only to Apple in global smartwatch market revenue.
Garmin has developed its own real-time operating system, GarminOS, about which there is little to no public information. They also created a custom language, MonkeyC, to support third-party applications that can be submitted to the Connect IQ store for publication.
Early last year, I began taking a closer look at the Garmin Forerunner series and uncovered multiple critical vulnerabilities affecting their watches (design issues, memory corruption, type confusion, among others). I found that a malicious application could fully compromise the watch’s OS, including bypassing its permission mechanism and escaping its MonkeyC virtual machine.
When we started our coordinated disclosure process with Garmin in July 2022, they specified that the vulnerabilities go beyond the scope of a single model and affect over 100 devices, including fitness watches, outdoor handhelds, and bike GPS units. Security fixes are scheduled to be released in March 2023 for their most recent devices.
This presentation retraces, for the first time, my steps in reverse engineering the Garmin Forerunner 245 Music’s firmware, understanding some aspects of GarminOS and its MonkeyC virtual machine, and identifying and then exploiting low-level vulnerabilities in their implementation. I cover technical details about the CIQ application file format, the virtual machine’s inner workings, binary resource management, and the permissions implementation, among other topics. I provide specific examples of vulnerabilities, with proof-of-concept applications to trigger them.