D

Garmin Edge 1050 Cycling Computer

Serious concerns
Garmin · 🇺🇸 United States · Bluetooth
Technical details
FCC ID: IPH-04211
App: com.garmin.android.apps.connectmobile
Manufacturer: Garmin International Inc

⚠️ The bottom line

In July 2020, Russian hackers shut down every Garmin service for five days. Garmin reportedly paid $10 million to a group linked to Evil Corp, sanctioned by the US Treasury. Paying sanctioned entities may violate US law. Garmin never confirmed whether attackers copied user data — years of GPS tracks, home addresses, and daily routes for millions of athletes. They paid the ransom, restored services, and hoped everyone would forget. Whether Russian criminals have your cycling routes remains unanswered.

In 2018, a 20-year-old Australian student discovered Strava's heatmap was revealing secret US military bases in Afghanistan — soldiers' fitness trackers drew glowing lines around classified installations. Garmin Edge data feeds identical ecosystems. Your daily commute, weekend rides, coffee stops — they paint a heatmap of your life as detailed as anything that exposed military operations. The difference is soldiers had security clearances and you have a cycling hobby. The data exposure is the same.

Legal jurisdiction
🇺🇸 United States (headquarters)
CLOUD Act
US govt can demand your data from this company even if stored overseas
FISA §702 / PRISM
NSA collects stored emails, photos, messages without individual warrants
Geofence warrants
Police can demand location data for everyone near a crime scene
Spying
1/4 LOW
Is someone spying on me?
Data Sharing
1/4 LOW
Who gets my data?
Security
3/4 HIGH
Is it actually secure?
Honesty
2/4 MODERATE
Can I trust what they say?
CONFIGURE: High-risk areas that can be partially mitigated with settings changes.
4 Contradictions
1 Critical
2 High
1 Medium
2 Sources
Findings by concern
Spying 1/4 LOW 1 finding
⚫ medium · policy claims vs app permissions
Garmin Connect defaults your rides to public. Your route — including where you started (home) and ended (also home) — is visible to anyone on the platform. Segments post your timing on public leaderboards. LiveTrack shares real-time GPS via a link with no password. Garmin says you control your privacy. What they mean is you can change the defaults they set to maximize exposure. Privacy is opt-in. Surveillance is opt-out. Guess which one most people never touch.

What they claim: Garmin says users control their privacy settings and data sharing.

What we found: Garmin Connect defaults rides to public. Routes including start (home) and end (home) are visible to anyone. Segments post timing on public leaderboards. LiveTrack shares real-time GPS via unauthenticated links.

Data Sharing 1/4 LOW 1 finding
⚡ high · policy claims vs regulatory findings
Garmin doesn't "sell" your data. Instead, it "partners" with insurance companies and wellness programs offering discounts for sharing fitness metrics. Your employer buys a Garmin program. You join for the $500 insurance discount. Now your boss's insurer knows your resting heart rate, exercise frequency, and whether you actually ride that bike. Garmin didn't sell your data — your employer bought a program that happens to include it. The distinction is legal. The result is the same.

What they claim: Garmin says it doesn't sell user data to third parties.

What we found: Garmin partners with insurance companies and corporate wellness programs where fitness data may be shared. Employer-sponsored Garmin programs give insurers access to heart rate, activity levels, and exercise frequency. Garmin didn't sell your data — your employer bought a program that includes it.

Security 3/4 HIGH 1 finding
⚠️ critical · policy claims vs regulatory findings
In July 2020, Russian hackers shut down every Garmin service for five days. Garmin reportedly paid $10 million to a group linked to Evil Corp, sanctioned by the US Treasury. Paying sanctioned entities may violate US law. Garmin never confirmed whether attackers copied user data — years of GPS tracks, home addresses, and daily routes for millions of athletes. They paid the ransom, restored services, and hoped everyone would forget. Whether Russian criminals have your cycling routes remains unanswered.

What they claim: Garmin says it protects user data with industry-standard security measures.

What we found: In July 2020, WastedLocker ransomware (linked to sanctioned Russian group Evil Corp) shut down all Garmin services for five days. Garmin reportedly paid a $10 million ransom. It never disclosed whether user data — years of GPS tracks and location history — was exfiltrated.

Honesty 2/4 MODERATE 1 finding
⚡ high · policy claims vs app permissions
In 2018, a 20-year-old Australian student discovered Strava's heatmap was revealing secret US military bases in Afghanistan — soldiers' fitness trackers drew glowing lines around classified installations. Garmin Edge data feeds identical ecosystems. Your daily commute, weekend rides, coffee stops — they paint a heatmap of your life as detailed as anything that exposed military operations. The difference is soldiers had security clearances and you have a cycling hobby. The data exposure is the same.

What they claim: Garmin says location data is used to provide fitness and navigation services.

What we found: Garmin Connect stores complete GPS tracks with timestamps. In 2018, Strava's heatmap (built from similar data) revealed US military base locations and patrol patterns in Afghanistan and Syria. Garmin data feeds identical ecosystems. Aggregated route data reveals home, work, commute, and frequented locations.

Sources