Compromising Garmin’s sport watches: a deep dive into GarminOS and its MonkeyC virtual machine

I reversed the firmware of my Garmin Forerunner 245 Music back in 2022 and found a dozen or so vulnerabilities in their support for Connect IQ applications. They can be exploited to bypass permissions and compromise the watch. I have published various scripts and proof-of-concept apps to a GitHub repository. Coordinating disclosure with Garmin, some of the vulnerabilities have been around since 2015 and affect over a hundred models, including fitness watches, outdoor handhelds, and GPS for bikes.

Raise your hands if you’re surprised.

Any time someone takes even a cursory glance at internet of things devices or connected anythings that isn’t a well-studied platform from the likes of Apple, Google, or Microsoft, they find boatloads of security issues, dangerous bugs, stupid design decisions, and so much more.


  1. 2023-04-24 6:56 pm
    • 2023-04-24 8:48 pm
      • 2023-04-24 9:55 pm
  2. 2023-04-24 9:01 pm
    • 2023-04-24 10:30 pm
  3. 2023-04-25 3:29 am
  4. 2023-04-25 10:12 am