During workouts internet connection is only through bluetooth to the companion app and by this somewhat regulated, but for updates, offline music storage and the like most also have wifi.
Tangent: that bluetooth uplink comes with some bewildering differences for those monkeyC apps, e.g. a request started to be consumed as json will happily talk to localhost on the companion app's host. A request started to consume a navigation itinerary will also do, except when the host isn't on the internet, then it fails to read localhost.
They get access to the internet via the Garmin Connect companion app. But if you're asking to know if they can be exploited from the internet, that's not what we showed yeah.
The vulnerabilities we've disclosed require a malicious app to be installed (e.g. from the CIQ app store) so let's not cry wolf.
What I think this project highlights and what we should remember is the current level of security of Garmin devices.
GarminOS deploys none of the security mitigations one would expect in modern devices (let's exclude crappy IoT devices flooding the market). No stack canaries, no W^X, etc. It does not implement isolation between user-supplied code and the rest of the OS either. And their C code base does not appear to receive much scrutiny in terms of security review.
It would be much easier to exploit the watch (e.g. sending a malicious message to the user's phone that sends it to the watch to show the notification) than exploit the user's smartphone. And this could be performed from the internet.
It's not something I've encountered yet so I don't have any insight to share. I would be surprised if they were secured differently but I'm purely speculating here.
Tangent: that bluetooth uplink comes with some bewildering differences for those monkeyC apps, e.g. a request started to be consumed as json will happily talk to localhost on the companion app's host. A request started to consume a navigation itinerary will also do, except when the host isn't on the internet, then it fails to read localhost.