-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2025-023
Product: COROS PACE 3; other models might also be affected [7]
Manufacturer: COROS Wearables, Inc.
Affected Version(s): <= V 3.1008.0
Tested Version(s): V 3.0808.0
Vulnerability Type: Use of a Broken or Risky Cryptographic Algorithm (CWE-327)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2025-03-14
Solution Date: July/August (see vendor notes [7])
Public Disclosure: 2025-06-17
CVE Reference: CVE-2025-32876
Author of Advisory: Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The COROS PACE 3 is a professional GPS sport smart watch.

The manufacturer describes the product as follows (see [1]):

"Improving on its legendary predecessor in every way, PACE 3 packs an
even more powerful punch. Track your training and recovery with a watch
that's lightweight and comfortable, with advanced technology,
outstanding data accuracy, and backed by the industry-leading COROS
training software system. The COROS PACE 3 paves the way to discover
your potential."

Due to the missing implementation of LE Secure Connections, the
Bluetooth Low Energy (BLE) communication is vulnerable to passive
sniffing attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The BLE implementation of the COROS smartwatch does not support LE
Secure Connections and instead enforces BLE Legacy Pairing.

In BLE Legacy Pairing, the Short-Term Key (STK) can be easily guessed.
This requires knowledge of the Temporary Key (TK), which, in the case
of the COROS PACE 3, is set to "0" due to the "Just Works" pairing
method (see SYSS-2025-024 [2]).

An attacker within Bluetooth range can therefore perform sniffing
attacks, allowing eavesdropping on the communication.
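The check a defender or tester would want when reviewing a captured pairing exchange is whether the two AuthReq octets actually negotiate LE Secure Connections or fall back to Legacy Pairing. The following Python is an added example, not part of the SySS advisory or of any COROS code. The AuthReq bit layout it decodes (Bonding Flags in bits 0-1, MITM in bit 2, Secure Connections in bit 3, Keypress in bit 4, CT2 in bit 5, bits 6-7 reserved) comes from the Bluetooth Security Manager Protocol; the two sample octets are reconstructed from the Wireshark bit dumps in this advisory's PoC section (request 0x2D, response 0x01), and the function and field names are the example's own.

```python
"""Decode SMP AuthReq octets from a captured BLE pairing exchange and
classify the pairing mode the two peers negotiated.

Added example, not part of the SySS advisory or of COROS firmware.
Bit layout per the Bluetooth Security Manager Protocol:
  bits 0-1 Bonding Flags, bit 2 MITM, bit 3 Secure Connections (SC),
  bit 4 Keypress, bit 5 CT2, bits 6-7 reserved.
"""
from dataclasses import dataclass

# Reconstructed from the advisory's Wireshark dumps (0b0010_1101 / 0b0000_0001).
CLIENT_PAIRING_REQUEST = 0x2D   # CT2=1, SC=1, MITM=1, Bonding
WATCH_PAIRING_RESPONSE = 0x01   # SC=0, MITM=0, Bonding only


@dataclass(frozen=True)
class AuthReq:
    bonding: int               # bits 0-1: 0 = No Bonding, 1 = Bonding
    mitm: bool                 # bit 2
    secure_connections: bool   # bit 3
    keypress: bool             # bit 4
    ct2: bool                  # bit 5
    reserved: int              # bits 6-7, expected to be 0


def parse_authreq(value: int) -> AuthReq:
    """Split one AuthReq octet into its named fields."""
    if not 0 <= value <= 0xFF:
        raise ValueError(f"AuthReq must be a single octet, got {value!r}")
    return AuthReq(
        bonding=value & 0x03,
        mitm=bool(value & 0x04),
        secure_connections=bool(value & 0x08),
        keypress=bool(value & 0x10),
        ct2=bool(value & 0x20),
        reserved=(value >> 6) & 0x03,
    )


def negotiated_pairing(request: AuthReq, response: AuthReq) -> str:
    """SMP uses LE Secure Connections only when BOTH peers set the SC flag;
    otherwise the exchange falls back to Legacy Pairing."""
    if request.secure_connections and response.secure_connections:
        return "LE Secure Connections"
    return "LE Legacy Pairing"


def assess_exchange(request_byte: int, response_byte: int) -> dict:
    """Return the negotiated mode plus defender-facing findings."""
    req = parse_authreq(request_byte)
    rsp = parse_authreq(response_byte)
    mode = negotiated_pairing(req, rsp)
    findings = []
    if mode == "LE Legacy Pairing":
        findings.append(
            "Legacy Pairing negotiated: the STK is derived from the TK, "
            "so confidentiality rests on the TK staying unknown to a passive observer"
        )
    if not req.mitm and not rsp.mitm:
        # Per SMP, IO capabilities are ignored and Just Works is selected.
        findings.append("neither peer requests MITM protection: Just Works is selected")
    elif not rsp.mitm:
        findings.append("responder does not request MITM protection")
    if req.reserved or rsp.reserved:
        findings.append("reserved AuthReq bits set: non-conformant peer")
    return {"mode": mode, "request": req, "response": rsp, "findings": findings}


def describe(label: str, value: int) -> str:
    """Render an AuthReq octet in a Wireshark-like layout for a report."""
    a = parse_authreq(value)
    return "\n".join([
        f"{label} AuthReq: 0x{value:02X}",
        f"    Secure Connection Flag: {a.secure_connections}",
        f"    MITM Flag: {a.mitm}",
        f"    Keypress Flag: {a.keypress}",
        f"    CT2 Flag: {a.ct2}",
        f"    Bonding Flags: 0x{a.bonding:X}",
    ])


if __name__ == "__main__":
    print(describe("Pairing Request", CLIENT_PAIRING_REQUEST))
    print(describe("Pairing Response", WATCH_PAIRING_RESPONSE))
    result = assess_exchange(CLIENT_PAIRING_REQUEST, WATCH_PAIRING_RESPONSE)
    print("Negotiated:", result["mode"])
    for finding in result["findings"]:
        print(" -", finding)
```

Run against the two reconstructed octets, the script reports "LE Legacy Pairing" because the watch clears the SC flag even though the client requested it; the same decode applied to a firmware under test is a quick regression check that a fix really negotiates LE Secure Connections.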
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

By establishing a connection to a COROS PACE 3 and initiating the
pairing process while analyzing the Bluetooth communication—for
example, using Wireshark—the following behavior can be observed:

SMP Pairing Request of a client:

AuthReq:
    00.. .... = Reserved: 0x0
    ..1. .... = CT2 Flag: True
    ...0 .... = Keypress Flag: False
    .... 1... = Secure Connection Flag: True
    .... .1.. = MITM Flag: True
    .... ..01 = Bonding Flags: Bonding (0x1)

SMP Pairing Response of the COROS PACE 3:

AuthReq:
    00.. .... = Reserved: 0x0
    ..0. .... = CT2 Flag: False
    ...0 .... = Keypress Flag: False
    .... 0... = Secure Connection Flag: False
    .... .0.. = MITM Flag: False
    .... ..01 = Bonding Flags: Bonding (0x1)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to vendor note [7], the vulnerability was addressed in
patches for several devices.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-03-10: Vulnerability discovered
2025-03-14: Vulnerability reported to manufacturer
2025-03-14: Confirmation of receipt received
2025-03-17: Asked the manufacturer for an update
2025-03-31: More information provided to the manufacturer
2025-04-07: Asked the manufacturer for an update
2025-04-14: Informed the manufacturer about the assigned CVE-ID and
            asked for an update once again
2025-04-15: Answer received from the manufacturer; manufacturer
            informed SySS GmbH that a fix for the vulnerability is
            planned for the end of the year (2025)
2025-04-15: Receipt confirmed, and the issue was clarified once more,
            along with a recommendation for prompt resolution
2025-06-17: Public disclosure
2025-08-06: The vendor notified us of updates to the security patch
            notes
2025-08-11: Advisory update

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] COROS PACE 3 product website
    https://eu.coros.com/pace3
[2] SySS Security Advisory SYSS-2025-024
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-024.txt
[3] SySS Security Advisory SYSS-2025-023
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-023.txt
[4] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[5] CVE-2025-32876
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32876
[6] Detailed blog post
    https://blog.syss.com/posts/bluetooth-analysis-coros-pace-3/
[7] Vendor notes about the vulnerability and security patches
    https://support.coros.com/hc/en-us/articles/38933102526996-Bluetooth-Security-Vulnerability-Statement

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail: moritz.abrell@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmiZ3YIACgkQrgyb+PE0
i1NwWw//U6dzHRBasJTNeN5ebd3RUVFG4Y+bdQig+shRlpJn5EtpnCS3J2yZ6xtf
QM97XHNdSWjJzLRaTzOPFZLhuRZPKnqydIB0/qK320FZqNrVH27D0Q6+2129NVBK
9QqjKd959wC02zUX+CfHf3BPo3cwVmdLvp4G59ttqtjC4mqWc62eFfaQN04PKnIr
+V+ltUC4wG/M5azLzvK5A+EBXdIvkpJ4yXIN+XoHl3Zc3ulAXX2q9zsWyLMqhY9u
ukLqJE3jsZpLroKf7fT5sIVbowRdFCdixpLnDZGBHhtmBZeCpJO0chuoDy3XRC0Z
0DwkrIuppxggrmka6asGG4IOcrio9QLagYSFHtbGX4/l8js0LnUl3BMS1qClOJRE
PIPSRQYHPts0LPD/kmFA5pwFI6hT6ULzSe9X6jrAh3zU/ipnBAJULi+9tB+6IDwE
I++ZtpGfxFKhfMw5Mtvx+vCe8ux7V6R75sft+VtlQY2S7rK6KmiaW5AZU/+Ze/Qw
zWWpbHpHeJmXzQsexDHSVKn6FO2Ezm+JUwGxkh3XKErbsQCymNQnebSxzqZUxgUq
dKWwmRPQIwHpCtWrk9f0WQ8hYYXrex1/47UOxG10NZpaNVtN0vzqza4wRk4E3aT2
zFUaEh8Z66L3gcP+cgdTh39GO5dFvNZbhZBnH+KcguddSdPHUJQ=
=b/fv
-----END PGP SIGNATURE-----