-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2025-030
Product:                   COROS PACE 3; other models might also be affected [8]
Manufacturer:              COROS Wearables, Inc.
Affected Version(s):       <= V 3.1008.0
Tested Version(s):         V 3.0808.0
Vulnerability Type:        Improper Certificate Validation (CWE-295)
Risk Level:                Medium
Solution Status:           Fixed
Manufacturer Notification: 2025-03-14
Solution Date:             July/August (see vendor notes [8])
Public Disclosure:         2025-06-17
CVE Reference:             CVE-2025-32878
Author of Advisory:        Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The COROS PACE 3 is a professional GPS sport smart watch.

The manufacturer describes the product as follows (see [1]):

"Improving on its legendary predecessor in every way, PACE 3 packs an
even more powerful punch. Track your training and recovery with a watch
that's lightweight and comfortable, with advanced technology, outstanding
data accuracy, and backed by the industry-leading COROS training software
system. The COROS PACE 3 paves the way to discover your potential."

Due to improper X.509 certificate validation, the HTTPS communication
between the COROS PACE 3 and the back-end API can be eavesdropped on and
manipulated.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The COROS PACE 3 implements a function to connect the watch to a WLAN.
This function is mainly intended for downloading firmware files.

Before downloading firmware files, the watch requests some information
about the firmware via HTTPS from the back-end API. However, the X.509
server certificate within the TLS handshake is not validated by the
COROS PACE 3.

This allows an attacker within an active machine-in-the-middle position
using a TLS proxy and a self-signed certificate to eavesdrop on and
manipulate the HTTPS communication. This could be abused, e.g., for
stealing the API access token of the assigned user account.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Create a self-signed X.509 certificate in combination with a TLS proxy,
e.g. stunnel [4] or certmitm [5], and redirect the intercepted HTTPS
traffic through this proxy. Afterwards, the HTTP communication of the
COROS PACE 3 can be extracted and manipulated:

    POST /coros/ota/query HTTP/2
    Host: apieu.coros.com
    Accept: */*
    Accesstoken: 0J9JU63JT [redacted]
    Content-Type: application/json
    Yfheader: {"language":"de", "clientType":"3"}
    Content-Length: 223
    Connection: Close

    {
      "firmwareType": "COROS W331",
      "firmwareVersion": "V 3.0808.0",
      "releaseType": 3,
      "systemType": 3,
      "queryType": 0,
      "appVersion": "9999.9999.9999",
      "deviceid": "7A8F48",
      "mac": "93:03:27:1D:AF:F7",
      "uuid": "ED208D03271D",
    }

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to vendor note [8], the vulnerability was addressed in patches
for several devices.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-03-10: Vulnerability discovered
2025-03-14: Vulnerability reported to manufacturer
2025-03-14: Confirmation of receipt received
2025-03-17: Asked the manufacturer for an update
2025-03-31: More information provided to the manufacturer
2025-04-07: Asked the manufacturer for an update
2025-04-14: Informed the manufacturer about the assigned CVE-ID and asked
            for an update once again
2025-04-15: Answer received from the manufacturer; manufacturer informed
            SySS GmbH that a fix for the vulnerability is planned for the
            end of the year (2025)
2025-04-15: Receipt confirmed, and the issue was clarified once more,
            along with a recommendation for prompt resolution
2025-06-17: Public disclosure
2025-08-06: The vendor notified us of updates to the security patch notes
2025-08-11: Advisory update

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] COROS PACE 3 product website
    https://eu.coros.com/pace3
[2] SySS Security Advisory SYSS-2025-030
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-030.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] stunnel website
    https://www.stunnel.org/
[5] certmitm GitHub repository
    https://github.com/aapooksman/certmitm
[6] CVE-2025-32878
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32878
[7] Detailed blog post
    https://blog.syss.com/posts/bluetooth-analysis-coros-pace-3/
[8] Vendor notes about the vulnerability and security patches
    https://support.coros.com/hc/en-us/articles/38933102526996-Bluetooth-Security-Vulnerability-Statement

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail: moritz.abrell@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en