CVE-2023-23304

9.1 CRITICAL

📋 TL;DR

This vulnerability in Garmin's Connect IQ platform allows malicious applications to access sensor history data without user permission. It affects Garmin devices running CIQ API versions 2.1.0 through 4.1.7, potentially exposing sensitive health and activity information stored in sensor history.

💻 Affected Systems

Products:
  • Garmin smartwatches, fitness trackers, and other devices running Connect IQ apps
Versions: CIQ API versions 2.1.0 through 4.1.7
Operating Systems: GarminOS
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the TVM component that handles application permissions. All devices with affected CIQ API versions are vulnerable by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

A malicious app collects comprehensive sensor history, including heart rate, GPS locations, activity patterns, and other biometric data, enabling detailed user profiling and privacy violations.

🟠 Likely Case

Malware disguised as a legitimate fitness app harvests sensor data for targeted advertising, data resale, or unauthorized monitoring of user activities.

🟢 If Mitigated

Data exposure is limited if users install only trusted apps from the official store and the device has minimal sensor history stored.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the user to install a malicious Connect IQ app. The vulnerability bypasses permission checks rather than requiring authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: CIQ API 4.1.8 and later

Vendor Advisory: https://developer.garmin.com/connect-iq/api-docs/Toybox/SensorHistory.html

Restart Required: Yes

Instructions:

1. Update Garmin device firmware through Garmin Express or Garmin Connect mobile app.
2. Ensure device restarts after update.
3. Verify CIQ API version is 4.1.8 or higher in device settings.

🔧 Temporary Workarounds

Restrict app installations

all

Only install Connect IQ apps from trusted sources and the official Garmin store

Disable unnecessary sensors

all

Turn off sensors not actively needed to limit available data

🧯 If You Can't Patch

  • Uninstall all third-party Connect IQ apps until the device can be updated
  • Factory reset the device and avoid installing any Connect IQ apps

🔍 How to Verify

Check if Vulnerable:

Check the CIQ API version in device settings: Settings > System > About > CIQ API Version. If the version is between 2.1.0 and 4.1.7 inclusive, the device is vulnerable.

Check Version:

No CLI command - check via device settings menu

Verify Fix Applied:

Confirm the CIQ API version is 4.1.8 or higher after the update. Test with a legitimate app that requires SensorHistory permissions to ensure the proper permission prompts appear.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SensorHistory API calls without corresponding permission grants in app logs
  • Multiple apps accessing sensor data with similar patterns

Network Indicators:

  • Unexpected data exfiltration from device containing sensor data patterns

SIEM Query:

Not applicable - primarily local device vulnerability
