How Garmin watches reveal your personal data, and what you can do

Joseph Williams 28 Jan 2025

TL;DR

  • A walk-through of obtaining sensitive data from a Garmin watch using forensic techniques
  • How digital forensics on a Garmin watch helped solve a double murder case
  • A comparison of Garmin’s privacy with other brands including Fitbit, Apple, and Samsung
  • Understand the security and privacy implications of wearable device data
  • Advice for Garmin users on securing their watch

Introduction

Following on from my last post, which detailed forensic techniques for recovering data from smartwatches, this post looks specifically at Garmin watches. This time, we’ll explore how data can be accessed far more easily, without any user credentials or the linked mobile device, and how users can protect themselves.

Garmin smartwatches hold a raft of data covering much more than fitness metrics, and that data brings privacy issues. For instance, a misplaced Garmin smartwatch can simply be connected to a computer, exposing its stored data to unauthorised access. This post explores both the forensic opportunities and the security risks associated with Garmin smartwatches.

The Garmin Vivoactive 3 could simply be plugged into a computer, where it was presented as a USB drive and its file directory could be browsed as if the watch were an ordinary external USB storage device.

Garmin file directory

The main GARMIN folder contains several sub-folders which relate to things that have occurred or have been recorded on the physical device. These include activity data, GPS data, sleep data, messages, and device information.

Garmin file directory:

Example of data:

Data is stored in .FIT (Flexible and Interoperable Data Transfer) files, a standardised file format used by Garmin to store and share data from fitness and health devices.

The FIT protocol is designed to be compact, interoperable, and extensible. These files store various types of data, including configuration data, activity logs, courses, and workouts. They also capture detailed information such as heart rate, speed, pace, and power. They can be imported to and read by a variety of fitness tracking services like Strava, MapMyFitness, and Endomondo.

.FIT files can be easily transferred from the smartwatch to desktop, mobile, or cloud platforms, making fitness data easy to share and analyse. That ease creates a significant security concern, though: if a Garmin smartwatch is lost or misplaced, the .FIT files stored on it can be accessed simply by connecting the device to a computer, potentially exposing sensitive data.
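Before importing recovered .FIT files into a viewer, an examiner will usually want to confirm each file is a genuine, untruncated FIT file rather than something with a matching extension. The script below is an added example (not the author’s code or Garmin’s SDK): it decodes the FIT file header, checks both the optional header CRC and the trailing file CRC using the FIT format’s published CRC-16, and walks a mounted Garmin volume to report every .FIT file’s size and integrity. The sample file it builds is constructed for the demonstration; the protocol and profile version numbers in it are assumed values.

```python
import struct
from pathlib import Path

# FIT's nibble-at-a-time CRC-16 (reflected poly 0xA001, init 0; equals CRC-16/ARC), table per Garmin's FIT SDK.
CRC_TABLE = (0x0000, 0xCC01, 0xD801, 0x1400, 0xF001, 0x3C00, 0x2800, 0xE401,
             0xA001, 0x6C00, 0x7800, 0xB401, 0x5000, 0x9C01, 0x8801, 0x4400)

def fit_crc16(data, crc=0):
    for byte in data:
        for nibble in (byte & 0xF, byte >> 4):            # low nibble first, then high
            crc = ((crc >> 4) & 0x0FFF) ^ CRC_TABLE[crc & 0xF] ^ CRC_TABLE[nibble]
    return crc

def parse_fit_header(blob):
    """Decode the 12- or 14-byte FIT header; raise ValueError if the '.FIT' tag is absent."""
    if len(blob) < 12 or blob[0] not in (12, 14) or blob[8:12] != b".FIT":
        raise ValueError("no FIT header")
    proto, profile, data_size = struct.unpack_from("<BHI", blob, 1)
    hdr = {"header_size": blob[0], "protocol": proto, "profile": profile, "data_size": data_size}
    hdr["header_crc"] = struct.unpack_from("<H", blob, 12)[0] if blob[0] == 14 else 0
    return hdr

def verify_fit(blob):
    """Return (header, intact): intact means nothing is truncated and both CRCs match."""
    hdr = parse_fit_header(blob)
    end = hdr["header_size"] + hdr["data_size"]           # data records end here; file CRC follows
    if len(blob) < end + 2:
        return hdr, False
    hdr_ok = hdr["header_crc"] in (0, fit_crc16(blob[:12]))   # header CRC covers bytes 0-11, or is 0
    file_ok = fit_crc16(blob[:end]) == struct.unpack_from("<H", blob, end)[0]
    return hdr, hdr_ok and file_ok

def build_sample_fit():
    """Constructed sample (not a device export): one file_id message (global 0) whose type field = 4 (activity)."""
    records = bytes([0x40, 0, 0, 0, 0, 1, 0, 1, 0x00,     # definition: local 0, little-endian, one 1-byte enum field
                     0x00, 4])                             # data record for local 0: type = activity
    head = struct.pack("<BBHI4s", 14, 0x20, 2187, len(records), b".FIT")   # assumed version numbers
    body = head + struct.pack("<H", fit_crc16(head)) + records
    return body + struct.pack("<H", fit_crc16(body))

def triage(mount_point):
    """Walk a mounted Garmin volume; yield (path, data_size, intact) for every .FIT file found."""
    for path in (p for p in Path(mount_point).rglob("*") if p.suffix.upper() == ".FIT"):
        try:
            hdr, ok = verify_fit(path.read_bytes())
            yield str(path), hdr["data_size"], ok
        except ValueError:                                # extension says FIT, header does not
            yield str(path), None, False
```

Point `triage()` at the mounted GARMIN folder to get a list of files worth hashing and importing; anything reported as not intact should be examined as a possibly truncated or corrupted export before its contents are relied on.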

.FIT files

A .FIT file viewer, such as FIT File Viewer, enables files to be analysed easily. Files can be saved from this location into CSV format, and further analysed:

The above image shows the SETTINGS.FIT file in FIT File Viewer, which provides information such as the gender, height, weight, language, average resting heart rate and year of birth set by the user, as well as the average wake and sleep time of the individual wearing the watch.

The below image shows an activity which took place on the Garmin Vivoactive 3 device. The .FIT file for this activity was imported into the Strava application to present the data in an easy-to-understand format. Applications like Strava are incredibly useful for viewing .FIT files, as they allow users to easily upload and analyse their fitness data.

These files contain detailed information about workouts, including GPS coordinates, heart rate, speed, and elevation. In an investigation, such data can be invaluable. For instance, in a missing person case, the GPS data from a .FIT file could help trace the individual’s last known movements.

The below image is a snippet taken from the application ‘Golden Cheetah’. Golden Cheetah is an open-source software application designed for athletes to analyse their training data. It can import data from various devices and formats, including Garmin, Polar, and SRM. The application provides a rich set of tools for analysing performance, such as critical power modelling, performance plots, and stress plots.

This image provides a graphical view of the imported .FIT file for the same activity that was imported into Strava above. It shows heart rate, speed, and cadence during the activity:

Garmin watch helps solve double murder investigation

In 2018, there was a breakthrough in a double murder case where the artefacts stored on a Garmin fitness tracking device helped convict Mark Fellows for the murders of John Kinsella and Paul Massey.

In 2018, Fellows cycled up to and shot Kinsella. The data stored on Fellows’ Garmin watch was vital in helping prove he had committed the offence.

The 2015 investigation conducted by Greater Manchester Police into the Massey murder had stalled until the Kinsella evidence was uncovered by Merseyside Police. When they accessed Fellows’ Garmin Forerunner watch (which had GPS capabilities) it showed that before the Massey murder, the wearer had travelled a route to the area where that murder took place on 26 July 2015.

The jury were told this key piece of evidence showed a “reconnaissance run”. The GPS data revealed that Fellows had indeed taken a route that took him near the scene around the time of Massey’s murder. The speed and time at which the GPS tracked Fellows’ movements from his home to Massey’s suggested that he was on a bike, as he was for Kinsella’s murder three years later.

This case highlights the critical role that Garmin smartwatch data can play in legal and investigative contexts, providing detailed and objective evidence that can significantly impact the outcomes of cases.

Privacy

Garmin devices do not universally employ robust encryption for the data stored directly on the physical device. This means that if a Garmin smartwatch is lost or stolen, the data can potentially be accessed by simply connecting the device to a computer, as it often appears as a USB drive.

Smartwatch privacy comparison

Garmin

Garmin smartwatches store data in .FIT files, which can be accessed by connecting the device to a computer, where it appears as a USB drive. This data includes activity data such as heart rate, speed, pace, and power, as well as GPS data, sleep data, and device settings. Garmin devices generally lack robust encryption for data stored directly on the device, although users can sync their data to the Garmin Connect app for secure cloud storage.

Fitbit / Google

Fitbit devices store data in proprietary formats, accessible through the Fitbit application. Data can be exported in various formats, including CSV. Fitbit employs encryption for data stored on the device and during transmission to the Fitbit app, ensuring secure storage in the Fitbit cloud. The data stored on Fitbit devices includes activity data like steps, heart rate, and calories burned, sleep data, GPS data for models with built-in GPS, notifications, messages, and health metrics such as SpO2 and ECG for certain models.

Apple

Apple Watch data is primarily accessed through the Health app on iOS devices, with data exportable in XML format for further analysis. Apple Watch uses end-to-end encryption for data stored on the device and in iCloud, with strong security measures including biometric authentication and device passcodes. The types of data stored on Apple Watch include activity data like steps, heart rate, and calories burned, GPS data, health metrics such as ECG and blood oxygen levels, notifications, messages, sleep data, and environmental data like noise levels.

Samsung

Samsung Galaxy Watch data is accessed through the Samsung Health app, with data exportable in various formats, including CSV. Samsung employs encryption for data stored on the device and during transmission to the Samsung Health app, with secure storage in Samsung Cloud and additional security features like Knox security.

The data stored on Samsung Galaxy Watch includes activity data like steps, heart rate, and calories burned, GPS data, health metrics such as ECG and blood pressure for certain models, notifications, messages, sleep data, and environmental data like UV levels.

In summary, Garmin allows direct access to data via USB, while Fitbit, Apple and Samsung watches primarily use their respective apps for data access and thus offer stronger encryption and security than their Garmin counterparts.

Advice

To mitigate the risk of unauthorized data access, users can take several precautions.

Sync your watch

Firstly, users should regularly sync their smartwatch with the Garmin Connect app, which stores data securely in the cloud. This ensures that even if the device is lost, the data remains accessible and secure online.

Set Passcode or PIN

Secondly, users can enable any available security features on their smartwatch, such as setting a PIN or passcode if the device supports it. This adds an extra layer of protection, making it more difficult for unauthorized users to access the data.

Keep it safe

Additionally, users should be cautious about the physical security of their devices. Keeping the smartwatch in a secure location when not in use and being mindful of its whereabouts can help prevent loss or theft. If a device is lost or stolen, users should immediately unlink it from their Garmin Connect account and change their account passwords to prevent any potential misuse of their data.

Tools used