Advisory ID: SYSS-2025-029
Product: COROS PACE 3
Manufacturer: COROS Wearables, Inc.
Affected Version(s): <= V 3.0808.0
Tested Version(s): V 3.0808.0
Vulnerability Type: Cleartext Transmission of Sensitive Information (CWE-319)
Risk Level: Medium
Solution Status: Not yet fixed
Manufacturer Notification: 2025-03-14
Solution Date: N.A.
Public Disclosure: 2025-06-17
CVE Reference: CVE-2025-32880
Author of Advisory: Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The COROS PACE 3 is a professional GPS sport smart watch.

The manufacturer describes the product as follows (see [1]):

"Improving on its legendary predecessor in every way, PACE 3 packs an
even more powerful punch. Track your training and recovery with a watch
that's lightweight and comfortable, with advanced technology,
outstanding data accuracy, and backed by the industry-leading COROS
training software system. The COROS PACE 3 paves the way to discover
your potential."

Due to the use of unencrypted HTTP while downloading firmware files via
WLAN on the COROS PACE 3, an attacker in a machine-in-the-middle
position is able to eavesdrop on and manipulate the data transferred.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The COROS PACE 3 implements a function to connect the watch to a WLAN.
With WLAN access, the COROS PACE 3 downloads firmware files via HTTP.
However, the communication is not encrypted and allows sniffing and
machine-in-the-middle attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Connect the COROS PACE 3 to a WLAN network, which is under the
attacker's control. Afterwards, the HTTP communication can be
eavesdropped on, e.g. by using Wireshark:

Sample HTTP requests initiated by the COROS PACE 3:

GET /firmware/3.0808.0-1736999005528-1662/2_gui_font_bitmap.bin HTTP/1.1
Host: s3eu.coros.com
Accept: */*
Connection: Close

GET /firmware/3.0808.0-1736999005528-1662/7_COROS_W331_system_ota.bin HTTP/1.1
Host: s3eu.coros.com
Accept: */*
Connection: Close

GET /firmware/3.0808.0-1736999005528-1662/16_cypress_bt_fw.bin HTTP/1.1
Host: s3eu.coros.com
Accept: */*
Connection: Close

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Not yet fixed

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-03-10: Vulnerability discovered
2025-03-14: Vulnerability reported to manufacturer
2025-03-14: Confirmation of receipt received
2025-03-17: Asked the manufacturer for an update
2025-03-31: More information provided to the manufacturer
2025-04-07: Asked the manufacturer for an update
2025-04-14: Informed the manufacturer about the assigned CVE-ID and
            asked for an update once again
2025-04-15: Answer received from the manufacturer; manufacturer informed
            SySS GmbH that currently no actions are planned to fix this
            vulnerability
2025-04-15: Receipt confirmed, and the issue was clarified once more,
            along with a recommendation for prompt resolution
2025-06-17: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] COROS PACE 3 product website
    https://eu.coros.com/pace3
[2] SySS Security Advisory SYSS-2025-029
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-029.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] CVE-2025-32880
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32880
[5] Detailed blog post:
    https://blog.syss.com/posts/bluetooth-analysis-coros-pace-3/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail: moritz.abrell@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
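
Added example (not part of the SySS advisory and not COROS code): a passive check that parses a reassembled port-80 TCP stream and reports every firmware image requested in cleartext, keyed on the /firmware/<build>/<file>.bin path layout of the sample requests in the Proof of Concept section. The function names are hypothetical and the fourth sample request is constructed for illustration.

```python
import re

# Path layout seen in the advisory's sample requests: /firmware/<build>/<file>.bin
FIRMWARE_PATH = re.compile(r"^/firmware/(?P<build>[^/]+)/(?P<file>[^/?]+\.bin)$")

def parse_http_requests(stream: bytes):
    """Split a reassembled cleartext TCP stream into (method, path, headers) tuples."""
    requests = []
    for block in stream.split(b"\r\n\r\n"):
        lines = block.decode("latin-1").strip().split("\r\n")
        parts = lines[0].split(" ")
        if len(parts) != 3 or not parts[2].startswith("HTTP/"):
            continue  # not a request line (empty tail, body bytes, garbage)
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        requests.append((parts[0], parts[1], headers))
    return requests

def cleartext_firmware_fetches(stream: bytes):
    """Return one finding per firmware image requested over plain HTTP."""
    findings = []
    for method, path, headers in parse_http_requests(stream):
        match = FIRMWARE_PATH.match(path)
        if method == "GET" and match:
            host = headers.get("host", "")
            findings.append({"host": host, "url": "http://" + host + path,
                             **match.groupdict()})
    return findings

# The first three requests are the advisory's samples; the last one is
# constructed to show that unrelated cleartext traffic is not reported.
SAMPLE_STREAM = b"".join(
    b"GET " + p + b" HTTP/1.1\r\nHost: " + h + b"\r\nAccept: */*\r\nConnection: Close\r\n\r\n"
    for p, h in [
        (b"/firmware/3.0808.0-1736999005528-1662/2_gui_font_bitmap.bin", b"s3eu.coros.com"),
        (b"/firmware/3.0808.0-1736999005528-1662/7_COROS_W331_system_ota.bin", b"s3eu.coros.com"),
        (b"/firmware/3.0808.0-1736999005528-1662/16_cypress_bt_fw.bin", b"s3eu.coros.com"),
        (b"/generate_204", b"connectivity.example"),
    ]
)

if __name__ == "__main__":
    for f in cleartext_firmware_fetches(SAMPLE_STREAM):
        print(f"cleartext firmware fetch: {f['url']} (build {f['build']})")
```

Each finding carries the build string and file name, so the same output can be used to inventory which watch firmware components cross the network unencrypted.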