COROS PACE 3 Improper Certificate Validation Vulnerability Allowing HTTPS Communication Manipulation

Vulnerability

A vulnerability exists in the COROS PACE 3 smartwatch, specifically in versions through 3.0808.0, due to improper validation of X.509 server certificates during the TLS handshake. This flaw enables an attacker in an active man-in-the-middle position, using a TLS proxy with a self-signed certificate, to intercept and manipulate HTTPS communications between the watch and the back-end API. The vulnerability could be exploited to steal the API access token associated with the user's account.
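The difference between skipped and enforced server-certificate validation, as an added example that is not COROS code: the page does not describe the watch's TLS stack, so Python's `ssl` module stands in for it, and the function names are hypothetical.

```python
import ssl

def lax_client_context():
    """Client context with validation switched off (the flaw class described above)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, self-signed included, is accepted
    return ctx

def strict_client_context():
    """Client context that validates the chain and the server name."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, hostname check, system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_client_context(ctx):
    """Return the validation gaps in a client-side SSLContext, empty list if none."""
    findings = []
    # In client mode CERT_OPTIONAL behaves like CERT_REQUIRED, so only CERT_NONE is a gap.
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("chain-not-verified")
    # Without the hostname check, a valid certificate for any other name is accepted.
    if not ctx.check_hostname:
        findings.append("hostname-not-checked")
    return findings

def chain_only_context():
    """Chain is verified but the name is not: still a gap the audit should report."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx

if __name__ == "__main__":
    for name, build in [("lax", lax_client_context),
                        ("chain-only", chain_only_context),
                        ("strict", strict_client_context)]:
        print(name, audit_client_context(build()))
```

A handshake made with the strict context fails with `ssl.SSLCertVerificationError` when the peer presents a certificate that does not chain to a trusted root, which is the behaviour a fixed client should show.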

Impact

Exploitation of this vulnerability allows for interception and manipulation of HTTPS communications, including the theft of API access tokens from the user's COROS account.

Reproduction

To reproduce this vulnerability, create a self-signed X.509 certificate and use a TLS proxy, such as stunnel or certmitm, to intercept and redirect HTTPS traffic from the COROS PACE 3 watch. Once the traffic is routed through the TLS proxy, the intercepted HTTP communication can be extracted and manipulated. For example, the watch's firmware query can be altered or the API access token can be extracted.

Remediation

COROS has been notified of this vulnerability and plans to release a fix by the end of 2025.

Added: Jun 20, 2025, 2:26 PM
Updated: Jun 20, 2025, 6:15 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.9
exploitability: 7.3
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.