What you need to know
- A report from SySS GmbH, a German IT brand, indicates that the COROS PACE 3 has "several significant vulnerabilities allowing an unauthenticated attacker within the Bluetooth range" to access your data.
- The PACE 3 and other COROS watches can be forced-paired to another phone using a legacy Bluetooth "Just works" connection.
- With access, the hijacker can see your data, reset or reconfigure your device, read your phone notifications, or even send you fake messages.
- COROS's CEO has acknowledged this is a "system-level issue" and that they intend to begin addressing them before the end of July.
COROS watches are a popular alternative to fitness brands like Garmin, with affordable pricing and long battery life. But an IT exposé from SySS GmbH has revealed a major security vulnerability, and COROS has been slow to acknowledge and address it.
According to the report, the COROS PACE 3 does not properly authenticate or encrypt the Bluetooth connection between your watch and phone, bypassing the "Secure Connections" tool introduced in Bluetooth 4.2 for a simpler connection.
A hijacker can exploit this vulnerability and force-pair to your watch if it becomes disconnected from your phone at any time, letting them perform these actions:
- "Hijacking the vicitim’s COROS account and accessing all data
- Eavesdropping sensitive data, e.g. notifications
- Manipulating the device configuration
- Factory resetting the device
- Crashing the device
- Interrupting a running activity and forcing the recorded data to be lost"
Your COROS account could show info like where you typically start your runs, as well as login details. But the notification access seems particularly frightening, as they can "eavesdrop" on every notification your connected phone receives. They can even "inject" fake notifications onto your watch using a Python script.
The attacker could also go to a race event and factory-reset every COROS watch in the area remotely, without the victims being able to determine who is doing it.
Interestingly, the SySS GmbH report notes that hijackers' access is easier with connected Android phones. iOS encrypts the Bluetooth connection at the system level, but with Android, the watch skips the "AuthReq" step and simply pairs, so the connection is "neither encrypted nor authenticated" by default.
All a hijacker needs to do is "wait for an Android phone with the COROS app installed to come into Bluetooth range." After that, "any ongoing BLE connection between an Android phone and the watch can be intercepted, sniffed, or tampered with, making attacks far more practical and harder to detect."
Update: A COROS rep shared the company's Bluetooth Security Vulnerability Statement, which clarifies that this hacking attempt will need to be within "30 feet" and that Android users should force-quit the COROS app when not in use, which "prevents notifications from being passed to the watch in rare attack scenarios." They also recommend you set up a new COROS device "in a non-public setting."
How COROS is addressing the security risk
According to DC Rainmaker, SySS GmbH reported these vulnerabilities to COROS starting on March 14, 2025. It continued to provide more information and ask COROS for a response; eventually, on April 15, COROS responded that their "fix for the vulnerability is planned for the end of the year (2025)."
Maker followed up with COROS in late June, and its CEO, Lewis Wu, clarified that while the report focused on the PACE 3, the "Bluetooth stack is largely shared across our watches, so these vulnerabilities apply broadly to most COROS devices." This includes the COROS DURA bike computer and all recent watch models like the PACE Pro.
Wu also addressed the seeming lack of urgency to these major issues:
When we were notified, we started working on the issues but I have to admit the priority should have been higher. It’s a learning for COROS to prioritize security related problems. We had responded to the individual who reported these concerns with an over-simplified answer of “before the end of 2025″, but should have been more specific on the timeline with each item rather than speaking in broad terms and stated these will be fixed long before the end of this year.
According to Wu, COROS hopes to resolve four vulnerabilities related to "pairing of Bluetooth devices" before the end of July, and then the "ones tied to the encryption of communication to the device" before the end of August, updating each COROS device "one by one."
COROS' support page clarifies that the PACE 3 and Pro, APEX 2 and 2 Pro, VERTIX 2 and 2S, and DURA will receive the fix by end of July, while older devices (the PACE 2, APEX 1, and VERTIX 1" will receive it "shortly after."
This security vulnerability should give fans of Android watches or Apple Watches a new appreciation for their monthly security updates, resolving any issues promptly. For smaller fitness brands, they may not have the same resources or QC, nor the same scrutiny.
We're relieved that COROS is kicking this fix into high gear, while also wishing that it had shown more urgency initially in protecting its customers' data.
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
