COROS PACE 3 Cleartext Transmission Vulnerability Allowing Eavesdropping and Man-in-the-Middle Attacks
Vulnerability
A vulnerability exists in the COROS PACE 3 smartwatch, in firmware versions through 3.0808.0, because firmware updates are downloaded over WLAN using unencrypted HTTP. This flaw enables eavesdropping on the firmware download and allows man-in-the-middle attacks, in which an attacker positioned on the network path could intercept and potentially manipulate the downloaded data.
Impact
Exploitation of this vulnerability could lead to interception and manipulation of firmware files being downloaded by the COROS PACE 3, potentially allowing an attacker to alter the firmware update process or inject malicious files.
Reproduction
To reproduce this vulnerability, connect a COROS PACE 3 to a WLAN under the tester's control. Once connected, the watch downloads firmware files over unencrypted HTTP. This traffic can be captured and inspected with a tool such as Wireshark, which shows the firmware data being transmitted in cleartext.
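As an added defender-side example (not part of this advisory or of COROS's software), the following script scans Zeek-style http.log records for firmware-looking resources fetched over cleartext HTTP ports, the same pattern a Wireshark capture of the update reveals; the log layout, hostnames, addresses and paths are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample records in a Zeek http.log-like tab-separated layout:
# ts, id.orig_h, id.resp_h, id.resp_p, method, host, uri, user_agent
# Hostnames, addresses and paths are made up for illustration.
SAMPLE_HTTP_LOG = """\
1718000000.1\t192.168.10.23\t203.0.113.10\t80\tGET\tupdates.example.invalid\t/firmware/pace3/3.0808.0.bin\tCOROS-Watch
1718000001.2\t192.168.10.23\t203.0.113.10\t80\tGET\tupdates.example.invalid\t/firmware/pace3/release.txt\tCOROS-Watch
1718000002.3\t192.168.10.44\t203.0.113.20\t80\tGET\twww.example.invalid\t/index.html\tMozilla/5.0
"""

# Heuristic for firmware artifacts: a "firmware" path segment or a binary image extension.
FIRMWARE_PATTERN = re.compile(r"(/firmware/|\.bin$|\.img$|\.fw$)", re.IGNORECASE)
# Ports on which traffic is plain HTTP rather than TLS in this constructed environment.
CLEARTEXT_PORTS = {80, 8080}

@dataclass(frozen=True)
class Finding:
    client: str
    host: str
    uri: str
    port: int

def parse_http_log(text):
    """Yield one dict per well-formed record; malformed lines are skipped, not fatal."""
    fields = ("ts", "orig_h", "resp_h", "resp_p", "method", "host", "uri", "user_agent")
    for line in text.splitlines():
        parts = line.split("\t")
        if not line.strip() or len(parts) != len(fields):
            continue
        rec = dict(zip(fields, parts))
        rec["resp_p"] = int(rec["resp_p"])
        yield rec

def find_cleartext_firmware_downloads(text):
    """Return a Finding for every firmware-looking request served over a cleartext port."""
    return [
        Finding(rec["orig_h"], rec["host"], rec["uri"], rec["resp_p"])
        for rec in parse_http_log(text)
        if rec["resp_p"] in CLEARTEXT_PORTS and FIRMWARE_PATTERN.search(rec["uri"])
    ]

if __name__ == "__main__":
    for f in find_cleartext_firmware_downloads(SAMPLE_HTTP_LOG):
        print(f"cleartext firmware download: {f.client} -> http://{f.host}{f.uri}")
```

Each finding identifies a device on the monitored network whose update path lacks transport protection and whose firmware image should be verified out of band.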
