COROS Android Application Bluetooth Cleartext Transmission Vulnerability
Vulnerability
A vulnerability exists in the COROS Android application, specifically in versions through 3.8.12, related to Bluetooth Low Energy (BLE) communication with the COROS PACE 3 smartwatch. The application fails to initiate or enforce Bluetooth pairing and bonding, leaving data transmitted via BLE unencrypted. This oversight allows attackers within Bluetooth range to eavesdrop on the communication. Moreover, even if pairing and bonding are manually initiated in the Android settings, the application continues to transmit data without requiring the watch to be bonded. This behavior can be exploited, for example, by conducting an active machine-in-the-middle attack.
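The defect described above is that the app writes to the watch regardless of bond state. As an added illustration (not COROS's code, and not the planned fix), the following hypothetical Kotlin helper gates every GATT write on the Android stack reporting the peer as bonded, requests bonding when it is not, and drops the write rather than falling back to cleartext if pairing fails. It assumes the app already holds a connected `BluetoothGatt` and the `BLUETOOTH_CONNECT` runtime permission on API 31+; the pre-API-33 `setValue`/`writeCharacteristic` overloads are used for brevity.

```kotlin
import android.bluetooth.BluetoothDevice
import android.bluetooth.BluetoothGatt
import android.bluetooth.BluetoothGattCharacteristic
import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.content.IntentFilter

// Hypothetical helper: never write to the watch until it is bonded. Bonding gives
// the stack a long-term key so the link layer can encrypt traffic; without it, a
// nearby sniffer sees payloads such as API access tokens in cleartext.
class BondedWriteGate(private val context: Context) {

    // Returns false only when the write (or the bond request) could not be issued.
    fun writeWhenBonded(gatt: BluetoothGatt, ch: BluetoothGattCharacteristic, payload: ByteArray): Boolean {
        val device = gatt.device
        return when (device.bondState) {
            BluetoothDevice.BOND_BONDED -> doWrite(gatt, ch, payload)
            BluetoothDevice.BOND_BONDING -> { deferUntilBonded(device, gatt, ch, payload); true }
            else -> {
                // BOND_NONE: queue the write behind a bond request. A false return from
                // createBond() means the request was not even issued; fail closed.
                deferUntilBonded(device, gatt, ch, payload)
                device.createBond()
            }
        }
    }

    private fun deferUntilBonded(device: BluetoothDevice, gatt: BluetoothGatt,
                                 ch: BluetoothGattCharacteristic, payload: ByteArray) {
        val receiver = object : BroadcastReceiver() {
            override fun onReceive(ctx: Context, intent: Intent) {
                val changed = intent.getParcelableExtra<BluetoothDevice>(BluetoothDevice.EXTRA_DEVICE)
                if (changed?.address != device.address) return  // event is for another peer
                when (intent.getIntExtra(BluetoothDevice.EXTRA_BOND_STATE, BluetoothDevice.BOND_NONE)) {
                    BluetoothDevice.BOND_BONDED -> { ctx.unregisterReceiver(this); doWrite(gatt, ch, payload) }
                    // Pairing rejected or failed: discard the queued write, do not send it unbonded.
                    BluetoothDevice.BOND_NONE -> ctx.unregisterReceiver(this)
                }
            }
        }
        context.registerReceiver(receiver, IntentFilter(BluetoothDevice.ACTION_BOND_STATE_CHANGED))
    }

    private fun doWrite(gatt: BluetoothGatt, ch: BluetoothGattCharacteristic, payload: ByteArray): Boolean {
        ch.value = payload                 // deprecated from API 33; use the 3-arg overload there
        return gatt.writeCharacteristic(ch)
    }
}
```

The bond check alone does not prove the link is encrypted; on the watch side the characteristics should also be declared as requiring encryption so the stack refuses unencrypted access.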
Impact
Exploitation of this vulnerability allows for unauthorized interception and manipulation of sensitive data transmitted over Bluetooth Low Energy, including API access tokens, which can be captured in plaintext. The unencrypted communication could be exploited in an active machine-in-the-middle attack, where an attacker intercepts and potentially alters the data being transmitted between the Android device and the smartwatch.
Reproduction
The vulnerability can be reproduced by using the COROS Android application with a smartwatch that is not bonded via Bluetooth. After confirming that the watch is unbonded, data can be transmitted from the app to the watch. This communication will occur in plaintext, without encryption. The vulnerability can be further demonstrated by using Bluetooth interception tools such as MIRAGE, WHAD, or Sniffle, which can capture the unencrypted BLE data, including sensitive information like API access tokens.
Remediation
COROS has acknowledged the vulnerability and plans to release a fix by the end of 2025.