-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2025-030 Product: COROS PACE 3 Manufacturer: COROS Wearables, Inc. Affected Version(s): <= V 3.0808.0 Tested Version(s): V 3.0808.0 Vulnerability Type: Improper Certificate Validation (CWE-295) Risk Level: Medium Solution Status: Not yet fixed Manufacturer Notification: 2025-03-14 Solution Date: N.A. Public Disclosure: 2025-06-17 CVE Reference: CVE-2025-32878 Author of Advisory: Moritz Abrell, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The COROS PACE 3 is a professional GPS sport smart watch. The manufacturer describes the product as follows (see [1]): "Improving on its legendary predecessor in every way, PACE 3 packs an even more powerful punch. Track your training and recovery with a watch that's lightweight and comfortable, with advanced technology, outstanding data accuracy, and backed by the industry-leading COROS training software system. The COROS PACE 3 paves the way to discover your potential." Due to improper X.509 certificate validation, the HTTPS communication between the COROS PACE 3 and the back-end API can be eavesdropped on and manipulated. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The COROS PACE 3 implements a function to connect the watch to a WLAN. This function is mainly intended for downloading firmware files. Before downloading firmware files, the watch requests some information about the firmware via HTTPS from the back-end API. However, the X.509 server certificate within the TLS handshake is not validated by the COROS PACE 3. This allows an attacker within an active machine-in-the-middle position using a TLS proxy and a self-signed certificate to eavesdrop on and manipulate the HTTPS communication. This could be abused, e.g., for stealing the API acccess token of the assigned user account. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): Create a self-signed X.509 certificate in combinition with a TLS proxy, e.g. stunnel[4] or certmitm[5], and redirect the intercepted HTTPS traffic through this proxy. Afterwards, the HTTP communication of the COROS PACE 3 can be extracted and manipulated: POST /coros/ota/query HTTP/2 Host: apieu.coros.com Accept: */* Accesstoken: 0J9JU63JT [redacted] Content-Type: application/json Yfheader: {"language":"de", "clientType":"3"} Content-Length: 223 Connection: Close { "firmwareType": "COROS W331", "firmwareVersion": "V 3.0808.0", "releaseType": 3, "systemType": 3, "queryType": 0, "appVersion": "9999.9999.9999", "deviceid": "7A8F48", "mac": "93:03:27:1D:AF:F7", "uuid": "ED208D03271D", } ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Not yet fixed ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2025-03-10: Vulnerability discovered 2025-03-14: Vulnerability reported to manufacturer 2025-03-14: Confirmation of receipt received 2025-03-17: Asked the manufacturer for an update 2025-03-31: More information provided to the manufacturer 2025-04-07: Asked the manufacturer for an update 2025-04-14: Informed the manufacturer about the assigned CVE-ID and asked for an update once again 2025-04-15: Answer received from the manufacturer; manufacturer informed SySS GmbH that a fix for the vulnerability is planned for the end of the year (2025) 2025-04-15: Receipt confirmed, and the issue was clarified once more, along with a recommendation for prompt resolution 2025-06-17: Public disclosure ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] COROS PACE 3 product website https://eu.coros.com/pace3 [2] SySS Security Advisory SYSS-2025-030 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-030.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy [4] stunnel website: https://www.stunnel.org/ [5] certmitm GitHub repository: https://github.com/aapooksman/certmitm [6] CVE-2025-32878 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32878 [7] Detailed blog post: https://blog.syss.com/posts/bluetooth-analysis-coros-pace-3/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Moritz Abrell of SySS GmbH. E-Mail: moritz.abrell@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmhQEjMACgkQrgyb+PE0 i1Md1hAAiKXR0XVt9FhPvc9Zf9ZjVcq+YliGOPn6PR0ZmFOt2whBsLelXOMrHC7T 4Vo4uDUEzY4l8b8xvCv4j0rPm1Z5BQnsvI2armZ7176zTMJOJR4GM03jkNYGjRcw jFTAvqAaNi+VrbHkrokotK1XdQjBbPa8u4YWsqvHX5p0Q55m2cL7LsuTUf1DJboh r/7TcPwNmfOxMn3s5HfUQAU8OkezkQa5y9dT38y3uoPsg7GV6xBXd4vvesd/hd70 bnyl8FcN57di6spFq9RmVACs1hTwkG5opg1xkBL66D3rj1ZCWuWC1zXbKNzz+t8K it5LcPuC7XoLsqH1gy5jHgNJ6Y460+hOl27RVlueF9ecjYZ6zUrB3L9czSlHb8yK tQ1/rZGE4uWq0FGaPwISwXAl3AXDf+CJA94RYuEl2OJeWMC7Dr3RU3g4Bzxu2YvJ 99FC4YVcE+kQmtWbK9lzZQ20hOQM2fKx3ejt8BAW2dz18W0G+FtIj7KxVQ6z330H Fd10u1HA76i/DUaTOvWBtHtRMpfwRgxPd7Lahi8XmRzMi0i5tuJzdXpIMrXuseDk azF+TF8oTWcgXaLNbtQXKT5c2NpVuXpA2Xxu1hyWRml0FIoHtIci9K8VIAnbYupC JtPenxmtkiP153B3bG8M6tX0rZ9kQzdBteBIf6MTvjIY6oAQ7do= =Klp3 -----END PGP SIGNATURE-----