Advisory ID:               SYSS-2025-024
Product:                   COROS PACE 3
Manufacturer:              COROS Wearables, Inc.
Affected Version(s):       <= V 3.0808.0
Tested Version(s):         V 3.0808.0
Vulnerability Type:        Improper Authentication (CWE-287)
Risk Level:                Medium
Solution Status:           Not yet fixed
Manufacturer Notification: 2025-03-14
Solution Date:             N.A.
Public Disclosure:         2025-06-17
CVE Reference:             CVE-2025-32877
Author of Advisory:        Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The COROS PACE 3 is a professional GPS sport smart watch.

The manufacturer describes the product as follows (see [1]):

"Improving on its legendary predecessor in every way, PACE 3 packs an
even more powerful punch. Track your training and recovery with a watch
that's lightweight and comfortable, with advanced technology,
outstanding data accuracy, and backed by the industry-leading COROS
training software system. The COROS PACE 3 paves the way to discover
your potential."

Due to the use of the "Just Works" pairing method, the Bluetooth
communication is vulnerable to machine-in-the-middle attacks.
Furthermore, it allows unauthorized attackers to initiate a pairing
with the COROS PACE 3.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The COROS PACE 3 identifies itself as a device without input or output
capabilities, which results in the use of the "Just Works" pairing
method. This method does not implement any authentication, which
therefore allows machine-in-the-middle attacks.

Moreover, this lack of authentication allows attackers to interact with
the COROS PACE 3 via Bluetooth Low Energy (BLE) without requiring prior
authorization.
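
For auditing a capture of your own device, the following added example (not part of the SySS advisory) parses an SMP Pairing Request/Response pair and derives the association model using the selection rules of the Bluetooth Core Specification (Vol 3, Part H); it generalizes beyond the "No Input, No Output" case to the other IO capability combinations. The sample PDUs are constructed: only the IO capability values 0x04 and 0x03 come from the advisory, all other bytes are assumptions.

```python
"""Classify the LE pairing method negotiated by an SMP request/response pair."""
from dataclasses import dataclass

IO_NAMES = {0: "DisplayOnly", 1: "DisplayYesNo", 2: "KeyboardOnly",
            3: "NoInputNoOutput", 4: "KeyboardDisplay"}
MITM, SC = 0x04, 0x08  # AuthReq bit masks: MITM protection, Secure Connections

@dataclass
class PairingFeatures:
    io_cap: int
    oob: bool
    auth_req: int

def parse_pairing_pdu(pdu: bytes) -> PairingFeatures:
    """Parse a 7-byte SMP Pairing Request (0x01) or Pairing Response (0x02)."""
    if len(pdu) != 7 or pdu[0] not in (0x01, 0x02):
        raise ValueError("not an SMP Pairing Request/Response")
    if pdu[1] not in IO_NAMES:
        raise ValueError(f"reserved IO capability 0x{pdu[1]:02x}")
    return PairingFeatures(io_cap=pdu[1], oob=pdu[2] == 0x01, auth_req=pdu[3])

def association_model(req: PairingFeatures, rsp: PairingFeatures) -> str:
    """Return the pairing method both sides will end up using."""
    secure_conn = bool(req.auth_req & rsp.auth_req & SC)
    # OOB: one side suffices with LE Secure Connections, both needed for legacy
    oob = (req.oob or rsp.oob) if secure_conn else (req.oob and rsp.oob)
    if oob:
        return "Out of Band"
    if not (req.auth_req | rsp.auth_req) & MITM:
        return "Just Works"            # nobody asked for MITM protection
    caps = {req.io_cap, rsp.io_cap}
    if 3 in caps:                      # one side can neither show nor enter a code
        return "Just Works"
    if caps <= {0, 1}:                 # displays only, no keyboard on either side
        return "Numeric Comparison" if secure_conn and caps == {1} else "Just Works"
    if secure_conn and caps <= {1, 4}:
        return "Numeric Comparison"
    return "Passkey Entry"

def is_authenticated(model: str) -> bool:
    return model != "Just Works"

# Constructed sample PDUs: IO capability bytes as reported in the advisory,
# AuthReq / key size / key distribution bytes are assumed values.
SAMPLE_REQ = bytes.fromhex("01 04 00 2d 10 0f 0f")   # client: KeyboardDisplay
SAMPLE_RSP = bytes.fromhex("02 03 00 09 10 03 03")   # watch: NoInputNoOutput

if __name__ == "__main__":
    model = association_model(parse_pairing_pdu(SAMPLE_REQ), parse_pairing_pdu(SAMPLE_RSP))
    print(model, "(authenticated)" if is_authenticated(model) else "(unauthenticated)")
```

Even though the client requests MITM protection in this sample, the responder's IO capability alone forces the unauthenticated method.
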

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

By establishing a connection to a COROS PACE 3 and initiating the
pairing process while analyzing the Bluetooth communication—for
example, using Wireshark—the following behavior can be observed:

SMP Pairing Request of a client:
    IO Capability: Keyboard, Display (0x04)

SMP Pairing Response of the COROS PACE 3:
    IO Capability: No Input, No Output (0x03)

By using tools and frameworks such as MIRAGE[4] or WHAD[5], this
circumstance can be easily exploited:

# Set up a BLE proxy which connects to the COROS PACE 3, spoofs its
# address and forwards every GATT message:
$ wble-proxy -i hci1 -p hci0 -s f7:af:1d:27:03:b0

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Not yet fixed

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-03-10: Vulnerability discovered
2025-03-14: Vulnerability reported to manufacturer
2025-03-14: Confirmation of receipt received
2025-03-17: Asked the manufacturer for an update
2025-03-31: More information provided to the manufacturer
2025-04-07: Asked the manufacturer for an update
2025-04-14: Informed the manufacturer about the assigned CVE-ID and
            asked for an update once again
2025-04-15: Answer received from the manufacturer; manufacturer
            informed SySS GmbH that a fix for the vulnerability is
            planned for the end of the year (2025)
2025-04-15: Receipt confirmed, and the issue was clarified once more,
            along with a recommendation for prompt resolution
2025-06-17: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] COROS PACE 3 product website
    https://eu.coros.com/pace3
[2] SySS Security Advisory SYSS-2025-024
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-024.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] MIRAGE GitHub repository:
    https://github.com/RCayre/mirage
[5] WHAD GitHub repository:
    https://github.com/whad-team/whad-client
[6] CVE-2025-32877
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32877
[7] Detailed blog post:
    https://blog.syss.com/posts/bluetooth-analysis-coros-pace-3/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail: moritz.abrell@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en