Advisory ID:               SYSS-2025-024
Product:                   COROS PACE 3; other models might also be affected [8]
Manufacturer:              COROS Wearables, Inc.
Affected Version(s):       <= V 3.1008.0
Tested Version(s):         V 3.0808.0
Vulnerability Type:        Improper Authentication (CWE-287)
Risk Level:                Medium
Solution Status:           Fixed
Manufacturer Notification: 2025-03-14
Solution Date:             July/August (see vendor notes [8])
Public Disclosure:         2025-06-17
CVE Reference:             CVE-2025-32877
Author of Advisory:        Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The COROS PACE 3 is a professional GPS sport smart watch.

The manufacturer describes the product as follows (see [1]):

"Improving on its legendary predecessor in every way, PACE 3 packs an even
more powerful punch. Track your training and recovery with a watch that's
lightweight and comfortable, with advanced technology, outstanding data
accuracy, and backed by the industry-leading COROS training software
system. The COROS PACE 3 paves the way to discover your potential."

Due to the use of the "Just Works" pairing method, the Bluetooth
communication is vulnerable to machine-in-the-middle attacks. Furthermore,
it allows unauthorized attackers to initiate a pairing with the COROS
PACE 3.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The COROS PACE 3 identifies itself as a device without input or output
capabilities, which results in the use of the "Just Works" pairing method.
This method does not implement any authentication, which therefore allows
machine-in-the-middle attacks.

Moreover, this lack of authentication allows attackers to interact with
the COROS PACE 3 via Bluetooth Low Energy (BLE) without requiring prior
authorization.
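As an added illustration (not part of the SySS advisory, nor code from COROS, MIRAGE or WHAD), the following Python classifies which SMP association model two BLE devices will negotiate from their Pairing Request and Pairing Response PDUs, following the selection rules of the Bluetooth Core Specification (Vol. 3, Part H, Section 2.3.5.1); it goes beyond the single observed case by covering all five IO capability values, the MITM flag and LE Secure Connections. The sample PDUs are constructed: only the IO Capability values 0x04 (client) and 0x03 (watch) come from the advisory, the AuthReq, key size and key-distribution fields are assumed.

```python
from dataclasses import dataclass

# IO Capability values carried in the SMP Pairing Request/Response PDU.
IO_CAPS = {0x00: "DisplayOnly", 0x01: "DisplayYesNo", 0x02: "KeyboardOnly",
           0x03: "NoInputNoOutput", 0x04: "KeyboardDisplay"}
AUTHREQ_MITM = 0x04  # AuthReq bit 2: MITM protection requested
AUTHREQ_SC = 0x08    # AuthReq bit 3: LE Secure Connections supported

@dataclass
class SmpPairingPdu:
    opcode: int   # 0x01 = Pairing Request, 0x02 = Pairing Response
    io_cap: int
    oob: bool
    mitm: bool
    sc: bool

def parse_smp_pairing(pdu: bytes) -> SmpPairingPdu:
    """Parse a 7-byte SMP Pairing Request (0x01) or Pairing Response (0x02)."""
    if len(pdu) != 7 or pdu[0] not in (0x01, 0x02):
        raise ValueError("not an SMP Pairing Request/Response PDU")
    if pdu[1] not in IO_CAPS:
        raise ValueError(f"reserved IO capability 0x{pdu[1]:02x}")
    return SmpPairingPdu(pdu[0], pdu[1], pdu[2] == 0x01,
                         bool(pdu[3] & AUTHREQ_MITM), bool(pdu[3] & AUTHREQ_SC))

def pairing_method(req: SmpPairingPdu, rsp: SmpPairingPdu) -> str:
    """Association model selected per Core Spec Vol. 3, Part H, 2.3.5.1.
    Only PasskeyEntry, NumericComparison and OOB authenticate the pairing."""
    use_sc = req.sc and rsp.sc
    # OOB: data present on either side for LE SC, on both sides for legacy.
    if (req.oob or rsp.oob) if use_sc else (req.oob and rsp.oob):
        return "OOB"
    # If neither side asks for MITM protection, IO capabilities are ignored.
    if not (req.mitm or rsp.mitm):
        return "JustWorks"
    caps = {IO_CAPS[req.io_cap], IO_CAPS[rsp.io_cap]}
    if "NoInputNoOutput" in caps:   # the COROS PACE 3 case: nothing to authenticate with
        return "JustWorks"
    if "KeyboardOnly" in caps or caps == {"DisplayOnly", "KeyboardDisplay"}:
        return "PasskeyEntry"
    if caps <= {"DisplayYesNo", "KeyboardDisplay"}:
        if use_sc:
            return "NumericComparison"
        return "PasskeyEntry" if caps == {"KeyboardDisplay"} else "JustWorks"
    return "JustWorks"              # DisplayOnly with DisplayOnly/DisplayYesNo

# Constructed sample PDUs (only the IO capabilities come from the advisory):
# the phone requests bonding + MITM + SC with KeyboardDisplay, the watch
# answers NoInputNoOutput with bonding + SC but without the MITM flag.
PHONE_REQUEST = bytes([0x01, 0x04, 0x00, 0x0d, 0x10, 0x0f, 0x0f])
WATCH_RESPONSE = bytes([0x02, 0x03, 0x00, 0x09, 0x10, 0x0f, 0x0f])
```

Running `pairing_method(parse_smp_pairing(PHONE_REQUEST), parse_smp_pairing(WATCH_RESPONSE))` over a capture of the watch's pairing returns "JustWorks" even though the phone asked for MITM protection, which is the condition a BLE audit should flag.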
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

By establishing a connection to a COROS PACE 3 and initiating the pairing
process while analyzing the Bluetooth communication, for example using
Wireshark, the following behavior can be observed:

SMP Pairing Request of a client:
  IO Capability: Keyboard, Display (0x04)

SMP Pairing Response of the COROS PACE 3:
  IO Capability: No Input, No Output (0x03)

By using tools and frameworks such as MIRAGE [4] or WHAD [5], this
circumstance can be easily exploited:

# Set up a BLE proxy which connects to the COROS PACE 3, spoofs its
# address and forwards every GATT message:
$ wble-proxy -i hci1 -p hci0 -s f7:af:1d:27:03:b0

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to vendor note [8], the vulnerability was addressed in patches
for several devices.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-03-10: Vulnerability discovered
2025-03-14: Vulnerability reported to manufacturer
2025-03-14: Confirmation of receipt received
2025-03-17: Asked the manufacturer for an update
2025-03-31: More information provided to the manufacturer
2025-04-07: Asked the manufacturer for an update
2025-04-14: Informed the manufacturer about the assigned CVE-ID and asked
            for an update once again
2025-04-15: Answer received from the manufacturer; manufacturer informed
            SySS GmbH that a fix for the vulnerability is planned for the
            end of the year (2025)
2025-04-15: Receipt confirmed, and the issue was clarified once more,
            along with a recommendation for prompt resolution
2025-06-17: Public disclosure
2025-08-06: The vendor notified us of updates to the security patch notes
2025-08-11: Advisory update

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] COROS PACE 3 product website
    https://eu.coros.com/pace3
[2] SySS Security Advisory SYSS-2025-024
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-024.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] MIRAGE GitHub repository
    https://github.com/RCayre/mirage
[5] WHAD GitHub repository
    https://github.com/whad-team/whad-client
[6] CVE-2025-32877
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32877
[8] Vendor notes about the vulnerability and security patches
    https://support.coros.com/hc/en-us/articles/38933102526996-Bluetooth-Security-Vulnerability-Statement

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail: moritz.abrell@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en