{"id":8360,"date":"2021-03-19T10:22:13","date_gmt":"2021-03-19T09:22:13","guid":{"rendered":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/?post_type=session&#038;p=8360"},"modified":"2023-05-17T08:13:21","modified_gmt":"2023-05-17T08:13:21","slug":"compromising-garmins-sport-watches-a-deep-dive-into-garminos-and-its-monkeyc-virtual-machine","status":"publish","type":"session","link":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/compromising-garmins-sport-watches-a-deep-dive-into-garminos-and-its-monkeyc-virtual-machine\/","title":{"rendered":"Compromising Garmin&#8217;s Sport Watches: A Deep Dive into GarminOS and its MonkeyC Virtual Machine"},"content":{"rendered":"<p><iframe title=\"#HITB2023AMS D2T1 - A Deep Dive Into GarminOS And Its MonkeyC Virtual Machine - Tao Sauvage\" width=\"800\" height=\"450\" src=\"https:\/\/www.youtube.com\/embed\/KsqLb-l-TjA?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" allowfullscreen><\/iframe><\/p>\n<p><a href=\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/materials\/D2T1%20-%20A%20Deep%20Dive%20into%20GarminOS%20and%20its%20MonkeyC%20Virtual%20Machine%20-%20Tao%20Sauvage.pdf\">PRESENTATION SLIDES (PDF)<\/a><\/p>\n<hr \/>\n<p style=\"text-align: justify;\">Garmin is one of the key players in the smart fitness market. In 2021, they reported that 60% of their revenue is generated by their outdoor and fitness division, and in 2020 they were second only to Apple in global smartwatch market revenue.<\/p>\n<p style=\"text-align: justify;\">Garmin has developed their own real-time operating system, GarminOS, about which there is little to no public information.
They also created a custom language, MonkeyC, to support third-party applications that can be submitted to the Connect IQ store for publication.<\/p>\n<p style=\"text-align: justify;\">Early last year, I began taking a closer look at the Garmin Forerunner series and uncovered multiple critical vulnerabilities affecting their watches (design issues, memory corruption, type confusion, among others). I found that a malicious application could fully compromise the watch&#8217;s OS, including bypassing its permission mechanism and escaping its MonkeyC virtual machine.<\/p>\n<p style=\"text-align: justify;\">After we started our coordinated disclosure process with Garmin in July 2022, they specified that the vulnerabilities go beyond the scope of a single model and affect over 100 devices, including fitness watches, outdoor handhelds, and GPS for bikes. Security fixes are scheduled to be released in March 2023 for their most recent devices.<\/p>\n<p style=\"text-align: justify;\"><strong>This presentation retraces, for the first time, my steps in reverse engineering the Garmin Forerunner 245 Music&#8217;s firmware, understanding some aspects of GarminOS and its MonkeyC virtual machine, and identifying and then exploiting low-level vulnerabilities in their implementation. I cover technical details about the CIQ application file format, the virtual machine&#8217;s inner workings, binary resources management, and permissions implementation, to name a few. 
I provide specific examples of vulnerabilities with proof-of-concept applications to trigger them.<\/strong><\/p>\n","protected":false},"template":"","class_list":["post-8360","session","type-session","status-publish","hentry"],"acf":[]}