Keep your data at your wrist: A cybersecurity assessment on sportwatches and connected devices

Sportwatches and fitness trackers have evolved from military instruments into widely adopted personal devices capable of collecting extensive health, fitness, and personal data. The growing sensitivity of these data, combined with rapid market expansion, makes the security assessment of such devices an increasingly pressing concern. This thesis presents a security analysis of the Garmin sportwatch ecosystem performed in two main areas. The first focuses on two Garmin sportwatches, building on previous works in malicious application development and Bluetooth Low Energy (BLE) vulnerability research. Motivated by a user survey, we investigate an underexplored threat scenario such as the second-hand life-cycle of these devices. We will demonstrate that sensitive user data can be leaked not only via Hypertext Transfer Protocol Secure (HTTPS) requests to remote servers, but also through Garmin’s proprietary Adaptive Network Topology (ANT) wireless protocol during close-range communication. The second area examines external sensors that can be connected to these watches, extending the vulnerability surface of the overall ecosystem. Specifically, we conducted a black-box security analysis of a Campagnolo electronic gear shifting system alongside its companion Android application, identifying several security vulnerabilities. Together, these findings contribute to the growing body of ethical hacking research aimed at responsibly disclosing and addressing security weaknesses in consumer wearable technology.