Each COROS smartwatch harbors a significant flaw, potentially leaking your personal information.
A recent security analysis by SySS GmbH has revealed critical vulnerabilities affecting all COROS watches, including the popular PACE 3 model. These vulnerabilities allow unauthorised access to user data, eavesdropping on notifications, hijacking of COROS accounts, and manipulation of device configurations such as factory resets or crashes [1][2][3].
The vulnerabilities stem from inadequate Bluetooth authentication and encryption, enabling attackers to force-pair devices within Bluetooth range [1]. The SySS GmbH report notes that these attacks are easier with connected Android phones, as the watch skips the "AuthReq" step and simply pairs, making the connection "neither encrypted nor authenticated" by default [4].
COROS, the watch manufacturer, has acknowledged these vulnerabilities as a "system-level issue" and is actively working on a fix. The company plans to release a firmware update by the end of July 2025 to address the vulnerabilities in models like the PACE 3 and PACE Pro [1][5].
In a statement, COROS' CEO, Lewis Wu, confirmed that the Bluetooth stack is shared across most COROS devices, implying that these vulnerabilities apply to devices beyond the PACE 3 [3]. The company has also stated that the fix will be rolled out one device at a time: the PACE 3 and PACE Pro, APEX 2 and APEX 2 Pro, VERTIX 2 and VERTIX 2S, and DURA are to receive it by the end of July, with older devices (PACE 2, APEX 1, and VERTIX 1) following shortly after [5].
The notification access seems particularly frightening, as the attacker can "eavesdrop" on every notification your connected phone receives [2]. These vulnerabilities allow an attacker to view user data, reset or reconfigure the device, read phone notifications, or send fake messages [2]. Any ongoing Bluetooth Low Energy (BLE) connection between an Android phone and the watch can be intercepted, sniffed, or tampered with, making attacks far more practical and harder to detect on Android [4].
To mitigate these risks, COROS recommends that Android users force-quit the app when it is not in use, set up new devices in a non-public setting, and keep in mind that an attacker would need to be within "30 feet" of the watch [5].
The security vulnerabilities highlighted in this report underscore the importance of monthly security updates for smartwatches, especially for smaller fitness brands that may not have the same resources or quality control [3]. As technology continues to evolve, it is crucial for manufacturers to prioritise security measures to protect user data and device integrity.
In summary, while COROS faces significant security challenges, they are taking steps to rectify these vulnerabilities, with fixes expected to roll out soon. Users are advised to stay vigilant and keep their devices updated to ensure the best possible protection.