Garmin smartwatches, popular for tracking fitness and health metrics, are facing scrutiny over a security weakness: the data stored on these devices can be read without any user credentials. Unlike competitors that encrypt what they store, Garmin watches let anyone with physical access to the device retrieve sensitive details such as heart rate, GPS location and sleep patterns simply by connecting the watch to a computer.
Connected over USB, models such as the Garmin Vivoactive 3 present themselves as a removable drive, so the watch's file system can be browsed as ordinary external storage with no pairing, password or account login in between.
That directory holds the recorded data as .FIT files. FIT (Flexible and Interoperable Data Transfer) is a compact binary format developed by Garmin for fitness and health metrics; the files capture heart rate, GPS coordinates, sleep patterns and activity logs.
Free tools such as FIT File Viewer, and applications such as Strava and GoldenCheetah, import and analyse these files directly; no Garmin account is needed to read them.
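To make concrete how little stands between a mounted watch and its contents, here is an added example, written for this page and not code from Garmin or from the researchers quoted: a minimal FIT decoder that turns a file into a timestamped GPS track with heart rate. Message and field numbers (file_id = 0, record = 20, position in semicircles, timestamps counted from 1989-12-31 UTC) come from the public FIT profile; everything else (the sample file bytes, the coordinates and heart rates, the 5-second spacing) is constructed here and is not a real device capture. The decoder handles only the basic record layout and refuses compressed-timestamp and developer-field headers rather than misparsing them.

```python
"""Minimal FIT decoder plus a constructed sample file. Demonstrates that a
.FIT file copied off a watch's USB storage becomes a GPS track and heart-rate
series with no credentials. Sample bytes are constructed, not a real capture."""
import struct
from datetime import datetime, timedelta, timezone

FIT_EPOCH = datetime(1989, 12, 31, tzinfo=timezone.utc)  # FIT timestamps count from here
CRC_TABLE = (0x0000, 0xCC01, 0xD801, 0x1400, 0xF001, 0x3C00, 0x2800, 0xE401,
             0xA001, 0x6C00, 0x7800, 0xB401, 0x5000, 0x9C01, 0x8801, 0x4400)
# Global message numbers and field numbers from the public FIT profile (subset).
MESSAGES = {
    0: ("file_id", {0: "type", 1: "manufacturer", 2: "product", 4: "time_created"}),
    20: ("record", {253: "timestamp", 0: "position_lat", 1: "position_long",
                    3: "heart_rate", 5: "distance"}),
}
BASE_FMT = {0x00: "B", 0x01: "b", 0x02: "B", 0x83: "h", 0x84: "H",
            0x85: "i", 0x86: "I", 0x8C: "I"}  # FIT base-type byte -> struct code


def fit_crc(data: bytes, crc: int = 0) -> int:
    """CRC-16 used by FIT files (nibble-table algorithm from the FIT SDK)."""
    for byte in data:
        for nibble in (byte & 0xF, byte >> 4):
            tmp = CRC_TABLE[crc & 0xF]
            crc = (crc >> 4) & 0x0FFF
            crc ^= tmp ^ CRC_TABLE[nibble]
    return crc


def file_crc_ok(data: bytes) -> bool:
    """The trailing 2-byte CRC covers the header plus all data records."""
    body_end = data[0] + struct.unpack_from("<I", data, 4)[0]
    return fit_crc(data[:body_end]) == struct.unpack_from("<H", data, body_end)[0]


def parse_fit(data: bytes) -> list:
    """Decode definition/data messages into dicts keyed by profile field names."""
    if data[8:12] != b".FIT":
        raise ValueError("not a FIT file")
    if not file_crc_ok(data):
        raise ValueError("file CRC mismatch (corrupt or edited)")
    body_end = data[0] + struct.unpack_from("<I", data, 4)[0]
    defs, messages, pos = {}, [], data[0]
    while pos < body_end:
        hdr = data[pos]; pos += 1
        if hdr & 0xA0:  # compressed-timestamp (0x80) or developer-field (0x20) headers
            raise ValueError("unsupported record header 0x%02x" % hdr)
        local = hdr & 0x0F
        if hdr & 0x40:  # definition message: fixes the layout of later data messages
            endian = ">" if data[pos + 1] == 1 else "<"
            global_num = struct.unpack_from(endian + "H", data, pos + 2)[0]
            nfields = data[pos + 4]
            fields = [tuple(data[pos + 5 + 3 * i:pos + 8 + 3 * i]) for i in range(nfields)]
            pos += 5 + 3 * nfields
            defs[local] = (global_num, fields, endian)
        else:  # data message: one value per field of the matching definition
            global_num, fields, endian = defs[local]
            name, names = MESSAGES.get(global_num, ("msg_%d" % global_num, {}))
            msg = {"_type": name}
            for fnum, size, base in fields:
                raw = data[pos:pos + size]; pos += size
                fmt = BASE_FMT.get(base)
                val = struct.unpack(endian + fmt, raw)[0] if fmt and struct.calcsize(fmt) == size else raw
                msg[names.get(fnum, "field_%d" % fnum)] = val
            messages.append(msg)
    return messages


def semicircles_to_deg(v: int) -> float:
    return v * (180.0 / 2 ** 31)


def gps_track(messages: list) -> list:
    """[(UTC ISO time, lat, lon, heart_rate)] for every record that carries a fix."""
    return [((FIT_EPOCH + timedelta(seconds=m["timestamp"])).isoformat(),
             round(semicircles_to_deg(m["position_lat"]), 6),
             round(semicircles_to_deg(m["position_long"]), 6),
             m.get("heart_rate"))
            for m in messages if m["_type"] == "record" and "position_lat" in m]


def build_sample_fit() -> bytes:
    """Constructed activity file: one file_id and three record messages.
    Coordinates, heart rates and times are assumed values, not device data."""
    deg = lambda d: int(round(d * 2 ** 31 / 180))
    body = bytes([0x40, 0, 0]) + struct.pack("<HB", 0, 4)          # definition, local 0 = file_id
    body += bytes([0, 1, 0x00, 1, 2, 0x84, 2, 2, 0x84, 4, 4, 0x86])  # type, manufacturer, product, time_created
    body += bytes([0x00]) + struct.pack("<BHHI", 4, 1, 0, 1_000_000_000)  # type 4 = activity, manufacturer 1 = garmin
    body += bytes([0x41, 0, 0]) + struct.pack("<HB", 20, 4)         # definition, local 1 = record
    body += bytes([253, 4, 0x86, 0, 4, 0x85, 1, 4, 0x85, 3, 1, 0x02])  # timestamp, lat, long, heart_rate
    for i, (lat, lon, hr) in enumerate([(51.5074, -0.1278, 122), (51.5080, -0.1290, 131),
                                       (51.5086, -0.1302, 140)]):
        body += bytes([0x01]) + struct.pack("<IiiB", 1_000_000_000 + 5 * i, deg(lat), deg(lon), hr)
    header = struct.pack("<BBHI4s", 14, 0x20, 2147, len(body), b".FIT")
    header += struct.pack("<H", fit_crc(header))                     # optional header CRC
    return header + body + struct.pack("<H", fit_crc(header + body))  # file CRC


if __name__ == "__main__":
    for point in gps_track(parse_fit(build_sample_fit())):
        print(point)
```

Point a real file at `parse_fit` and the same three calls give the track; the only thing the reader needs is the bytes. Note that the CRC the decoder checks is a corruption check, not an authentication mechanism: `build_sample_fit` computes it itself, and so can anyone who edits a file, so a valid CRC says nothing about who produced the data or whether it was altered after leaving the watch.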
The same accessibility has an upside. According to the researchers, Garmin's readable storage is a goldmine for forensic investigators: GPS data in .FIT files can trace an individual's movements, which is invaluable in legal and investigative work. A notable 2018 case underscored this, when Garmin smartwatch data played a pivotal role in convicting Mark Fellows of the murders of John Kinsella and Paul Massey.

“The FIT protocol is designed to be compact, interoperable, and extensible. These files store various types of data, including configuration data, activity logs, courses, and workouts. They also capture detailed information such as heart rate, speed, pace, and power. They can be imported to and read by a variety of fitness tracking services like Strava, MapMyFitness, and Endomondo,” researchers noted.
Investigators extracted GPS data from Fellows’ Garmin Forerunner watch, uncovering routes taken before the murders. This evidence revealed a reconnaissance run near the crime scene, helping secure a conviction. Such cases illustrate the potential of smartwatch data in providing objective evidence for law enforcement.
However, that ease of access is also the privacy risk. Where Apple, Fitbit and Samsung encrypt data at rest on the device and do not expose it as a plain drive, Garmin relies on synchronisation to its cloud as the protected copy; the copy that remains on the watch itself is typically unencrypted, so anyone who gains physical access to the device can read it.

Researchers compared Garmin with Fitbit, Apple and other smartwatch brands and noted:
- Fitbit encrypts data on the device and in transit, with cloud storage accessible only through its app.
- Apple employs end-to-end encryption for data stored on the Apple Watch and in iCloud, with access gated by biometric authentication.
- Samsung uses its Knox security platform to safeguard data on Galaxy Watches, offering on-device encryption and secure cloud integration.
Cyber security experts recommend that users sync regularly with the Garmin Connect app, enable a PIN or passcode on models that offer one, and keep the watch physically under their control. Syncing protects against losing the data, not against someone reading the copy left on the watch, so physical control and a lock code are what actually limit exposure.
“Garmin devices do not universally employ robust encryption for the data stored directly on the physical device. This means that if a Garmin smartwatch is lost or stolen, the data can potentially be accessed by simply connecting the device to a computer, as it often appears as a USB drive,” researchers concluded.