Garmin watch got ethical hacked by a Swedish grad - long read

7.1 Conclusions
IoT devices are known to be more vulnerable to attacks compared to other applications due to the rapid growth and demand of the market, as introduced in chapter 1. The IoT device smartwatch collects a large amount of personal data and monitors a consumer continuously, therefore it also comes with a great privacy risk if there are vulnerabilities in the device. The objective of this thesis was therefore to assess the security of Garmin’s smartwatch and to demonstrate whether the sports watch is secure or not. To achieve the desired outcome of the thesis, the methodology PTES was applied which includes threat modelling that was used to list up the possible existing vulnerabilities on the smartwatch. The tested vulnerabilities were selected based on their placing on an applied risk matrix the delimitations. The vulnerabilities were then tested based on OWASP:s testing guide and ASVS.

It was found that Garmin Venu was generally secure with a few minor security flaws. The Connect IQ applications allowed developers to implement malicious applications using Garmin provided API, but for the application to be released publicly for others to download it has to go through a reviewing process. The discovered results are not enough to adequately answer the research question as a comprehensive security audit of the whole system was not possible and without permission from the company. Moreover, the Swedish law limited the possible security tests. However, the thesis does provide pointers of needed further investigation for vulnerabilities as well as proven secure components based on the top 10 common vulnerabilities.