-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2025-023
Product: COROS PACE 3
Manufacturer: COROS Wearables, Inc.
Affected Version(s): <= V 3.0808.0
Tested Version(s): V 3.0808.0
Vulnerability Type: Use of a Broken or Risky Cryptographic Algorithm (CWE-327)
Risk Level: Medium
Solution Status: Not yet fixed
Manufacturer Notification: 2025-03-14
Solution Date: N.A.
Public Disclosure: 2025-06-17
CVE Reference: CVE-2025-32876
Author of Advisory: Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The COROS PACE 3 is a professional GPS sport smart watch.

The manufacturer describes the product as follows (see [1]):

"Improving on its legendary predecessor in every way, PACE 3 packs an
even more powerful punch. Track your training and recovery with a watch
that's lightweight and comfortable, with advanced technology, outstanding
data accuracy, and backed by the industry-leading COROS training software
system. The COROS PACE 3 paves the way to discover your potential."

Because LE Secure Connections is not implemented, the Bluetooth Low
Energy (BLE) communication is vulnerable to passive sniffing attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The BLE implementation of the COROS smartwatch does not support LE
Secure Connections and instead enforces BLE Legacy Pairing.

In BLE Legacy Pairing, the Short-Term Key (STK) can be easily guessed.
This requires knowledge of the Temporary Key (TK), which, in the case of
the COROS PACE 3, is set to "0" because the "Just Works" pairing method
is used (see SYSS-2025-024 [2]).

An attacker within Bluetooth range can therefore perform sniffing
attacks, allowing eavesdropping on the communication.
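The following is an added example, not part of the SySS advisory or of any COROS software. It decodes the AuthReq byte of SMP Pairing Request/Response PDUs (as Wireshark shows them) and reports when a peripheral downgrades to Legacy Pairing with Just Works, which is what a defender checks when reviewing a BLE capture of a device like this one. The sample PDUs are constructed: the AuthReq bytes match the flags in this advisory, while the IO capability, key size and key distribution bytes are assumed values.

```python
"""Decode SMP Pairing Request/Response PDUs and flag a Legacy Pairing /
Just Works negotiation like the one observed on the COROS PACE 3."""
from dataclasses import dataclass

SMP_PAIRING_REQUEST = 0x01   # sent by the central (e.g. the phone app)
SMP_PAIRING_RESPONSE = 0x02  # sent by the peripheral (the watch)
IO_CAP_NO_INPUT_NO_OUTPUT = 0x03

@dataclass
class AuthReq:
    bonding: int
    mitm: bool
    secure_connections: bool
    keypress: bool
    ct2: bool

def parse_authreq(value: int) -> AuthReq:
    """AuthReq bit layout: bits 0-1 bonding, 2 MITM, 3 SC, 4 keypress, 5 CT2."""
    return AuthReq(bonding=value & 0x03, mitm=bool(value & 0x04),
                   secure_connections=bool(value & 0x08),
                   keypress=bool(value & 0x10), ct2=bool(value & 0x20))

def parse_pairing_pdu(pdu: bytes) -> dict:
    """7-byte PDU: opcode, IO capability, OOB flag, AuthReq, max key size,
    initiator key distribution, responder key distribution."""
    if len(pdu) != 7 or pdu[0] not in (SMP_PAIRING_REQUEST, SMP_PAIRING_RESPONSE):
        raise ValueError("not an SMP Pairing Request/Response PDU")
    return {"opcode": pdu[0], "io_cap": pdu[1], "oob": pdu[2],
            "authreq": parse_authreq(pdu[3]), "max_key_size": pdu[4]}

def assess_pairing(request: bytes, response: bytes) -> list[str]:
    """Findings for one Pairing Request / Pairing Response exchange."""
    req, rsp = parse_pairing_pdu(request), parse_pairing_pdu(response)
    findings = []
    # LE Secure Connections is used only if BOTH sides set the SC flag.
    if not (req["authreq"].secure_connections and rsp["authreq"].secure_connections):
        findings.append("legacy pairing: STK derived from the TK, not from ECDH")
    # Just Works when neither side requests MITM protection or either side is
    # NoInputNoOutput (a subset of the spec's IO-capability table); legacy TK is 0.
    just_works = (not (req["authreq"].mitm or rsp["authreq"].mitm)
                  or IO_CAP_NO_INPUT_NO_OUTPUT in (req["io_cap"], rsp["io_cap"]))
    if findings and just_works:
        findings.append("just works: TK = 0, so the STK offers no confidentiality")
    return findings

# Constructed sample PDUs reproducing the AuthReq bytes from the advisory
# (0x2D and 0x01); IO capability and remaining fields are assumed values.
CLIENT_REQUEST = bytes([0x01, 0x04, 0x00, 0x2D, 0x10, 0x0F, 0x0F])
WATCH_RESPONSE = bytes([0x02, 0x03, 0x00, 0x01, 0x10, 0x0F, 0x0F])
```

A response AuthReq with the SC bit set (for example 0x0D) yields no findings, which is the behaviour a fixed firmware would show in the same capture.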
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

By establishing a connection to a COROS PACE 3 and initiating the pairing
process while analyzing the Bluetooth communication, for example using
Wireshark, the following behavior can be observed:

SMP Pairing Request of a client:

    AuthReq:
        00.. .... = Reserved: 0x0
        ..1. .... = CT2 Flag: True
        ...0 .... = Keypress Flag: False
        .... 1... = Secure Connection Flag: True
        .... .1.. = MITM Flag: True
        .... ..01 = Bonding Flags: Bonding (0x1)

SMP Pairing Response of the COROS PACE 3:

    AuthReq:
        00.. .... = Reserved: 0x0
        ..0. .... = CT2 Flag: False
        ...0 .... = Keypress Flag: False
        .... 0... = Secure Connection Flag: False
        .... .0.. = MITM Flag: False
        .... ..01 = Bonding Flags: Bonding (0x1)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Not yet fixed

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-03-10: Vulnerability discovered
2025-03-14: Vulnerability reported to manufacturer
2025-03-14: Confirmation of receipt received
2025-03-17: Asked the manufacturer for an update
2025-03-31: More information provided to the manufacturer
2025-04-07: Asked the manufacturer for an update
2025-04-14: Informed the manufacturer about the assigned CVE-ID and asked
            for an update once again
2025-04-15: Answer received from the manufacturer; manufacturer informed
            SySS GmbH that a fix for the vulnerability is planned for the
            end of the year (2025)
2025-04-15: Receipt confirmed, and the issue was clarified once more,
            along with a recommendation for prompt resolution
2025-06-17: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] COROS PACE 3 product website
    https://eu.coros.com/pace3
[2] SySS Security Advisory SYSS-2025-024
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-024.txt
[3] SySS Security Advisory SYSS-2025-023
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-023.txt
[4] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[5] CVE-2025-32876
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32876
[6] Detailed blog post:
    https://blog.syss.com/posts/bluetooth-analysis-coros-pace-3/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail: moritz.abrell@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en