Advisory ID:               SYSS-2025-029
Product:                   COROS PACE 3; other models might also be affected [6]
Manufacturer:              COROS Wearables, Inc.
Affected Version(s):       <= V 3.1008.0
Tested Version(s):         V 3.0808.0
Vulnerability Type:        Cleartext Transmission of Sensitive Information (CWE-319)
Risk Level:                Medium
Solution Status:           Fixed
Manufacturer Notification: 2025-03-14
Solution Date:             July/August (see vendor notes [6])
Public Disclosure:         2025-06-17
CVE Reference:             CVE-2025-32880
Author of Advisory:        Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The COROS PACE 3 is a professional GPS sport smart watch.

The manufacturer describes the product as follows (see [1]):

"Improving on its legendary predecessor in every way, PACE 3 packs an
even more powerful punch. Track your training and recovery with a watch
that's lightweight and comfortable, with advanced technology,
outstanding data accuracy, and backed by the industry-leading COROS
training software system. The COROS PACE 3 paves the way to discover
your potential."

Due to the use of unencrypted HTTP while downloading firmware files via
WLAN on the COROS PACE 3, an attacker in a machine-in-the-middle
position is able to eavesdrop on and manipulate the data transferred.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The COROS PACE 3 implements a function to connect the watch to a WLAN.
With WLAN access, the COROS PACE 3 downloads firmware files via HTTP.
However, the communication is not encrypted and allows sniffing and
machine-in-the-middle attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Connect the COROS PACE 3 to a WLAN network, which is under the
attacker's control. Afterwards, the HTTP communication can be
eavesdropped on, e.g. by using Wireshark:

Sample HTTP requests initiated by the COROS PACE 3:

GET /firmware/3.0808.0-1736999005528-1662/2_gui_font_bitmap.bin HTTP/1.1
Host: s3eu.coros.com
Accept: */*
Connection: Close

GET /firmware/3.0808.0-1736999005528-1662/7_COROS_W331_system_ota.bin HTTP/1.1
Host: s3eu.coros.com
Accept: */*
Connection: Close

GET /firmware/3.0808.0-1736999005528-1662/16_cypress_bt_fw.bin HTTP/1.1
Host: s3eu.coros.com
Accept: */*
Connection: Close

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to vendor note [6], the vulnerability was addressed in
patches for several devices.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-03-10: Vulnerability discovered
2025-03-14: Vulnerability reported to manufacturer
2025-03-14: Confirmation of receipt received
2025-03-17: Asked the manufacturer for an update
2025-03-31: More information provided to the manufacturer
2025-04-07: Asked the manufacturer for an update
2025-04-14: Informed the manufacturer about the assigned CVE-ID and
            asked for an update once again
2025-04-15: Answer received from the manufacturer; manufacturer
            informed SySS GmbH that currently no actions are planned
            to fix this vulnerability
2025-04-15: Receipt confirmed, and the issue was clarified once more,
            along with a recommendation for prompt resolution
2025-06-17: Public disclosure
2025-08-06: The vendor notified us of updates to the security patch
            notes
2025-08-11: Advisory update

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] COROS PACE 3 product website
    https://eu.coros.com/pace3
[2] SySS Security Advisory SYSS-2025-029
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-029.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] CVE-2025-32880
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32880
[5] Detailed blog post:
    https://blog.syss.com/posts/bluetooth-analysis-coros-pace-3/
[6] Vendor notes about the vulnerability and security patches:
    https://support.coros.com/hc/en-us/articles/38933102526996-Bluetooth-Security-Vulnerability-Statement

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail: moritz.abrell@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
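
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Added example, not part of the SySS advisory: a Python check that flags
the firmware requests shown in the PoC when they are readable in captured
TCP payloads, which is only possible because the transfer is unencrypted.
The function names, the path pattern and the sample payloads are
assumptions constructed from the advisory's sample requests.

```python
import re

# Path layout as seen in the advisory's sample requests:
#   /firmware/<version>-<number>-<number>/<file>.bin
# (the meaning of the two trailing numbers is not stated in the advisory)
FIRMWARE_PATH = re.compile(
    r"^/firmware/(?P<version>\d+\.\d+\.\d+)-\d+-\d+/(?P<file>[^/]+\.bin)$")

def parse_request(payload: bytes):
    """Return (method, path, headers) for a plaintext HTTP/1.x request, else None."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None  # e.g. TLS records: nothing readable on the wire
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers

def find_cleartext_firmware_fetches(payloads, watched_hosts=("s3eu.coros.com",)):
    """Flag readable GETs for firmware images sent to a watched host."""
    findings = []
    for payload in payloads:
        req = parse_request(payload)
        if req is None:
            continue
        method, path, headers = req
        host = headers.get("host", "").lower()
        m = FIRMWARE_PATH.match(path)
        if method == "GET" and m and host in watched_hosts:
            findings.append({"host": host, "version": m["version"], "file": m["file"]})
    return findings

# Constructed input: two requests from the advisory, one unrelated request,
# and the first bytes of a TLS handshake record (not readable as HTTP).
TAIL = b" HTTP/1.1\r\nHost: s3eu.coros.com\r\nAccept: */*\r\nConnection: Close\r\n\r\n"
SAMPLE = [
    b"GET /firmware/3.0808.0-1736999005528-1662/2_gui_font_bitmap.bin" + TAIL,
    b"GET /firmware/3.0808.0-1736999005528-1662/7_COROS_W331_system_ota.bin" + TAIL,
    b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n",
    b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03",
]

if __name__ == "__main__":
    for hit in find_cleartext_firmware_fetches(SAMPLE):
        print("cleartext firmware download:", hit)
```

A device that fetches the same files over TLS produces no findings here,
so the check can also be used to confirm a patched firmware version.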