COROS PACE 3 Missing Authentication Vulnerability in Bluetooth Low Energy Services
Vulnerability
A vulnerability exists in the COROS PACE 3 smartwatch in all versions through 3.0808.0, allowing unauthorized access to Bluetooth Low Energy (BLE) services. The device advertises itself when not connected to another device via Bluetooth, enabling an attacker to connect if no other device is linked. Once connected, the BLE services and characteristics can be accessed without any authentication or security measures. This lack of protection allows an attacker to manipulate device settings, read or write data, send notifications, reset the device to factory settings, or install software.
Impact
Exploitation of this vulnerability allows for complete control over the affected smartwatch, including the ability to manipulate settings, access and modify data, and perform unauthorized actions such as factory resets or software installations.
Reproduction
The vulnerability can be reproduced by connecting to a COROS PACE 3 device that is not currently linked to another Bluetooth device. Once connected, all BLE services and characteristics can be accessed without authentication. Specific actions, such as resetting the device or sending notifications, can be performed by writing to the appropriate BLE characteristics.
Remediation
COROS has acknowledged the vulnerability and plans to release a fix by the end of 2025.
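The missing control described above is a per-characteristic security requirement enforced by the watch's GATT server. The following added example (not COROS firmware and not code from the advisory) models that access check with the weak setting beside a hardened one; the characteristic names and link states are hypothetical, and the error values are the standard ATT error codes.

```c
/* Added illustration: a model of the ATT server check for a Write Request.
 * All names here are hypothetical, not COROS identifiers. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Standard ATT error codes (Bluetooth Core Specification). */
enum { ATT_OK = 0x00, ATT_ERR_WRITE_NOT_PERMITTED = 0x03,
       ATT_ERR_INSUFF_AUTHEN = 0x05, ATT_ERR_INSUFF_ENCRYPT = 0x0F };

enum sec_req { SEC_NONE, SEC_ENCRYPT, SEC_AUTHEN };  /* per-characteristic requirement */
struct link_state { bool bonded, encrypted, authenticated; };
struct gatt_char { const char *name; bool writable; enum sec_req req; };

/* Decide whether a write to characteristic c is allowed on link l. */
uint8_t att_check_write(const struct gatt_char *c, const struct link_state *l)
{
    if (!c->writable) return ATT_ERR_WRITE_NOT_PERMITTED;
    if (c->req == SEC_NONE) return ATT_OK;   /* weak setting: any connected peer passes */
    if (!l->encrypted)                       /* no key: must pair; key exists: must encrypt */
        return l->bonded ? ATT_ERR_INSUFF_ENCRYPT : ATT_ERR_INSUFF_AUTHEN;
    if (c->req == SEC_AUTHEN && !l->authenticated)
        return ATT_ERR_INSUFF_AUTHEN;        /* encrypted, but pairing had no MITM protection */
    return ATT_OK;
}

/* Constructed sample data: the same sensitive characteristic, weak and hardened. */
const struct gatt_char reset_open     = { "factory-reset (no requirement)", true, SEC_NONE };
const struct gatt_char reset_hardened = { "factory-reset (authenticated)",  true, SEC_AUTHEN };

const struct link_state link_unpaired      = { false, false, false };
const struct link_state link_just_works    = { true,  true,  false };
const struct link_state link_authenticated = { true,  true,  true  };

int main(void)
{
    const struct gatt_char *chars[] = { &reset_open, &reset_hardened };
    const struct link_state *links[] = { &link_unpaired, &link_just_works, &link_authenticated };
    const char *link_names[] = { "unpaired", "just-works bond", "authenticated bond" };

    for (int i = 0; i < 2; i++)
        for (int j = 0; j < 3; j++)
            printf("%-32s %-20s -> ATT 0x%02X\n", chars[i]->name, link_names[j],
                   (unsigned)att_check_write(chars[i], links[j]));
    return 0;
}
```

With the hardened requirement, a peer that has merely connected is refused with Insufficient Authentication until it completes an authenticated pairing, which is the behavior the advisory reports as absent.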
