Llorenç Romà

Garmin inReach Security: Insecure Link Design and User Data Privacy (Part I)

A privacy issue in Garmin inReach allowed enumeration of map URLs due to short, guessable identifiers — exposing messages, locations, and contact details.

Security Research 3 min read
Person in remote mountain landscape, photo by Guille B on Unsplash

In this post I summarize a privacy-related issue identified during independent security research on Garmin services. The issue was responsibly disclosed to Garmin, investigated by their security team, and patched prior to this publication.

The issue allowed unintended access to inReach maps due to an insecure design of the link-based access mechanism where easily guessable identifiers were used. The maps could contain private messages, location data, and contact details; the issue has since been fixed.

Note: a brief (incomplete) description of the service is given below as background for the findings.

Garmin inReach devices are designed for people who rely on satellite communication in remote environments, providing global messaging, tracking, and SOS capabilities.

An inReach user can send messages, including their location, to selected contacts. The recipient receives an SMS or an email. When the location is shared, the SMS or email includes a link that can be used to track the sender's (the inReach user's) location on a map. The following image shows the SMS received on my phone:

SMS received after inReach user sends a message

The SMS has the format:

[message][map link][coordinates][inReach User name]

This link redirects to a map showing a pointer to the location and the content of the message.

In summary, once Garmin receives the message from the inReach user over satellite, it stores it in the backend so that it can later be shown on the map. The following diagram shows this process conceptually:

[inReach User]
       |
       | message + location
       v
[Satellite Network]
       |
       v
[Garmin Backend Services] -------------> [Shared Map / MapShare Page]
       |                                              ^
       |                                              |
       | SMS / Email / App Message with link          |
       |                                              |
       v                                              |
[Message Recipient] _ _ _ _ _ link _ _ _ _ _ _ _ _ _ _|

The map is accessible to anyone who knows its URL, which may be an intentional design choice to allow recipients to view it without creating an account or authenticating. However, the portion of the URL that identifies the map (e.g., “ABCDEF”) is a very short, easily guessable identifier, making it feasible to enumerate valid map URLs.

As a result, anyone able to guess or construct a valid map identifier could retrieve the associated map contents, which may include sensitive personal information, such as:

  • messages sent using the inReach devices,
  • recipient email addresses and phone numbers,
  • and geolocation metadata recorded when the message was sent.

After some testing, I confirmed that it was possible to enumerate valid map URLs by iterating over the short map identifier component, for example:

inreachlink.com/AAAAA
inreachlink.com/AAAAB
inreachlink.com/AAAAC
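To make the "short, guessable identifier" point concrete from the defender's side, here is an added example (not code from the post, and not Garmin's): it computes the keyspace of a 5-character identifier like the ones shown above, how long a full sweep would take at a given request rate, how often a random guess lands on an issued identifier once many links exist, and how a link token should be generated and compared instead. The alphabet used for the short identifier is an assumption; the post does not state it.

```python
import math
import secrets
import string

# ASSUMPTION: the post shows 5-character identifiers such as "AAAAA" but does
# not state the alphabet; upper-case letters plus digits is used here only to
# size the keyspace for illustration.
SHORT_ALPHABET = string.ascii_uppercase + string.digits
SHORT_LENGTH = 5


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random identifier of this shape."""
    return length * math.log2(alphabet_size)


def hours_to_sweep(alphabet_size: int, length: int, requests_per_second: float) -> float:
    """Wall-clock hours needed to try every identifier at a fixed request rate."""
    return alphabet_size ** length / requests_per_second / 3600


def expected_guesses_per_hit(alphabet_size: int, length: int, issued_ids: int) -> float:
    """Average guesses per valid identifier found. Density matters as much as
    size: the more links a service has issued, the sooner a blind sweep hits."""
    return alphabet_size ** length / issued_ids


def token_bits(nbytes: int) -> int:
    """Entropy of a token made from nbytes of CSPRNG output."""
    return nbytes * 8


def new_link_token(nbytes: int = 16) -> str:
    """Unguessable link identifier: 16 random bytes (128 bits) from the OS
    CSPRNG, encoded URL-safe base64 without padding (22 characters)."""
    return secrets.token_urlsafe(nbytes)


def token_matches(stored: str, presented: str) -> bool:
    """Compare a presented token with the stored one in constant time, so a
    lookup does not leak how many leading characters were correct."""
    return secrets.compare_digest(stored.encode(), presented.encode())


if __name__ == "__main__":
    n = len(SHORT_ALPHABET)
    print(f"5-char id over {n} symbols: {n ** SHORT_LENGTH:,} possibilities, "
          f"{keyspace_bits(n, SHORT_LENGTH):.1f} bits")
    print(f"full sweep at 50 req/s: {hours_to_sweep(n, SHORT_LENGTH, 50):.0f} hours")
    print(f"guesses per hit with 1,000,000 issued links: "
          f"{expected_guesses_per_hit(n, SHORT_LENGTH, 1_000_000):.0f}")
    tok = new_link_token()
    print(f"random token: {tok} ({token_bits(16)} bits); "
          f"full sweep at 50 req/s: {hours_to_sweep(2, token_bits(16), 50):.2e} hours")
    print("lookup ok:", token_matches(tok, tok))
```

The takeaway for anyone designing a link-based access scheme: a 5-character identifier is under 26 bits even with a 36-symbol alphabet, which a single client can sweep in about two weeks at 50 requests per second, and far faster once many identifiers are in use. A 128-bit random token puts a sweep out of reach entirely, and comparing it in constant time avoids trading one guessing oracle for another.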

After some scripting to automate the testing and extract the data from valid URLs, I obtained multiple valid links, which included:

  • Message content
  • Location of the inReach user at the time the message was sent
  • Recipient(s): phone number, email, contact name (as stored by the inReach user)
  • inReach username (most of the time the user's Garmin profile name)

The recovered messages spanned from 2019 through the date of the testing, indicating that historical data remained accessible. With sufficient time and resources, it would have been possible in principle to enumerate a large portion of existing maps, enabling the aggregation of messages and contact details across many inReach users.
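Even with short identifiers in place, the enumeration described above has a distinctive footprint that a service operator can watch for: one client requesting many different map identifiers in a short window, most of them non-existent. The following is an added example (not from the post or from Garmin) of that detection logic run over a few constructed access-log lines. The log format (combined-log style, map identifier as the request path) and the thresholds are assumptions; a real deployment would tune them to the observed traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one client walks consecutive identifiers AAAAA..AAAAL
# within twelve seconds (one of them happens to exist), while a legitimate
# recipient opens the same link twice. A malformed line checks parser robustness.
SAMPLE_LINES = [
    f'203.0.113.7 - - [10/Jan/2025:10:00:{i:02d} +0000] '
    f'"GET /AAAA{chr(65 + i)} HTTP/1.1" {200 if i == 7 else 404} 0'
    for i in range(12)
] + [
    '198.51.100.5 - - [10/Jan/2025:10:00:05 +0000] "GET /QX7PM HTTP/1.1" 200 812',
    '198.51.100.5 - - [10/Jan/2025:10:00:30 +0000] "GET /QX7PM HTTP/1.1" 200 812',
    'not a log line',
]

# ASSUMED log shape: client ip, identity, user, [timestamp], "GET /<map id> HTTP/x.y", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /(?P<id>[A-Za-z0-9]+) HTTP/\d\.\d" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Return a dict for a well-formed line, or None so bad lines are skipped."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "id": m["id"],
        "status": int(m["status"]),
    }


def find_enumerators(lines, window=timedelta(seconds=60),
                     distinct_threshold=10, miss_ratio=0.8):
    """Flag clients that, inside any sliding window, requested at least
    `distinct_threshold` different map identifiers and whose requests in that
    window were mostly 404s. Returns {ip: (distinct_ids, misses, requests)}
    with the counts from the last window in which the client was flagged."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)   # per-client events still inside the window
    flagged = {}
    for e in events:
        q = recent[e["ip"]]
        q.append(e)
        while q and e["ts"] - q[0]["ts"] > window:
            q.popleft()
        distinct = {x["id"] for x in q}
        misses = sum(1 for x in q if x["status"] == 404)
        if len(distinct) >= distinct_threshold and misses / len(q) >= miss_ratio:
            flagged[e["ip"]] = (len(distinct), misses, len(q))
    return flagged


if __name__ == "__main__":
    for ip, (ids, misses, total) in find_enumerators(SAMPLE_LINES).items():
        print(f"{ip}: {ids} distinct ids, {misses}/{total} misses in window")
```

A recipient who follows a link from an SMS touches one identifier, perhaps a few times; a sweep touches many, nearly all of them missing. Alerting on that ratio, and rate-limiting 404s per client, limits the damage while the identifier scheme itself is being replaced.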

All personal data obtained during testing was handled responsibly and deleted after the issue was reported to Garmin.

Beyond the privacy concerns caused by the exposure of message content, phone numbers, email addresses, and location data, this issue could have enabled a very targeted and credible phishing campaign: the recipients' contact information often belongs to family members or close contacts such as emergency recipients, which increases the likelihood that such attacks would be trusted and succeed.

This research led me to investigate another service from Garmin. I will publish the findings in another post :)

The findings were reported to Garmin, acknowledged within days, and recently patched.