Exposed: Coros Users Face Hijack Risk from Bluetooth Flaw

via: @Aidstation, thank you

A recent security analysis of the COROS PACE 3 sports watch by the security company SySS has unveiled several significant Bluetooth vulnerabilities, raising serious concerns about your data and device integrity. The findings suggest that COROS's implementation of Bluetooth security rates highly on the "not good" scale, particularly for those on the Android platform, and has led to a community outcry on Reddit for immediate action. While COROS has reportedly communicated with the security researchers, some of the identified issues remain open, and for at least one of them there is no plan for a fix: COROS explicitly states that it does not intend to resolve it.

Wide Range of Attack Scenarios

The SySS analysis, titled "Watch Out! Bluetooth Analysis of the COROS PACE 3," highlighted multiple critical vulnerabilities that allow an unauthenticated attacker within Bluetooth range to perform various malicious actions. These include:

- Hijacking the victim's COROS account and accessing all of its data. This is especially concerning because sensitive user data, including the account's API key (accessToken), is transmitted from the phone to the watch every time the two connect. An attacker can emulate a fake COROS watch to capture this token and gain access to profile and activity data. Some Coros owners don't care about others seeing their personal fitness data, but others do.
- Eavesdropping on sensitive data such as notifications. The watch displays notifications from apps like WhatsApp or iMessage, and their content can be sniffed because the communication is unencrypted.
- Manipulating the device configuration. Attackers can reconstruct message structures such as the "Do Not Disturb" (DnD) command and inject commands to alter watch settings.
- Factory resetting the device.
An attacker can remotely trigger a factory reset, causing the watch to restart with default settings and potentially lose all recorded activity data. This can be particularly disruptive during a race.
- Crashing the device. Specific data payloads can cause the watch to crash and immediately reboot, even during an ongoing activity, leading to complete data loss. These crashes stem from memory-safety bugs: a NULL pointer dereference (CWE-476) and an out-of-bounds read (CWE-125).
- Interrupting a running activity and forcing the recorded data to be lost.

Fundamental Flaws in Bluetooth Implementation

The root cause of these issues lies in fundamental security omissions in the COROS PACE 3's Bluetooth Low Energy (BLE) implementation. Whenever the watch is not connected to its paired mobile phone, it allows access to all exposed characteristics without requiring the connecting device to be paired or bonded. This creates an easily exploitable attack surface in public environments.

The COROS PACE 3 also declares itself as having no input or output capability (NoInputNoOutput), which forces the use of the "Just Works" pairing method. Just Works involves no user-visible verification step, so it offers no protection against adversary-in-the-middle (AITM) attacks. Furthermore, the watch does not support LE Secure Connections, the stronger pairing method introduced in Bluetooth 4.2, and instead falls back to LE legacy pairing, in which the Short-Term Key (STK) is derived from values exchanged in the clear and, with Just Works, from a temporary key of zero, so anyone who sniffs the pairing can compute it.

Disparate Security for iOS and Android Users

A critical distinction in security posture was observed between the COROS iOS and Android applications. When an iOS device initiates setup, the watch triggers a BLE pairing process. However, an attacker present at that moment can silently bypass or downgrade this process, leaving the communication unencrypted. The security of BLE communication with iOS devices is thus dependent on the integrity of the initial pairing.
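To make the pairing negotiation above concrete, here is an added example (written for this article, not code from SySS or COROS) that decodes the SMP Pairing Request and Pairing Response PDUs a BLE sniffer would show and derives the resulting pairing method from the IO capabilities and AuthReq flags, following the selection rules in the Bluetooth Core Specification (Vol 3, Part H, 2.3.5.1). It also classifies a connection on which no Pairing Request is ever seen, which is the Android behaviour described in the next paragraph. The PDU bytes are constructed for illustration: the watch response is modelled on the article's description (NoInputNoOutput, no Secure Connections) and is not taken from a real capture.

```python
"""Decode BLE SMP Pairing Request/Response PDUs and derive the pairing method
the two devices will end up using (Bluetooth Core Spec Vol 3, Part H, 2.3.5.1).
Added example for this article; not code from SySS or COROS. The sample PDUs
below are constructed to mirror the article's description of the watch
(no I/O, no Secure Connections) and are not a real capture."""
from dataclasses import dataclass

PAIRING_REQUEST, PAIRING_RESPONSE = 0x01, 0x02

IO_CAPABILITY = {
    0x00: "DisplayOnly",
    0x01: "DisplayYesNo",
    0x02: "KeyboardOnly",
    0x03: "NoInputNoOutput",
    0x04: "KeyboardDisplay",
}

# AuthReq bit layout (SMP Pairing Request/Response, byte 3)
AUTHREQ_BONDING = 0x01   # bits 0-1: 01 = bonding requested
AUTHREQ_MITM = 0x04      # bit 2: authenticated (MITM-protected) pairing requested
AUTHREQ_SC = 0x08        # bit 3: LE Secure Connections supported


@dataclass
class PairingFeatures:
    code: int
    io_capability: str
    oob_present: bool
    bonding: bool
    mitm: bool
    secure_connections: bool
    max_key_size: int


def decode_pairing_pdu(pdu: bytes) -> PairingFeatures:
    """Parse a 7-byte SMP Pairing Request (0x01) or Pairing Response (0x02)."""
    if len(pdu) != 7 or pdu[0] not in (PAIRING_REQUEST, PAIRING_RESPONSE):
        raise ValueError("not an SMP Pairing Request/Response PDU")
    code, io_cap, oob, authreq, key_size = pdu[0], pdu[1], pdu[2], pdu[3], pdu[4]
    if io_cap not in IO_CAPABILITY:
        raise ValueError(f"reserved IO capability 0x{io_cap:02x}")
    if not 7 <= key_size <= 16:
        raise ValueError(f"invalid maximum encryption key size {key_size}")
    return PairingFeatures(
        code=code,
        io_capability=IO_CAPABILITY[io_cap],
        oob_present=oob == 0x01,
        bonding=(authreq & 0x03) == AUTHREQ_BONDING,
        mitm=bool(authreq & AUTHREQ_MITM),
        secure_connections=bool(authreq & AUTHREQ_SC),
        max_key_size=key_size,
    )


def _method_from_io(init_io: str, resp_io: str, sc: bool) -> str:
    """IO-capability mapping of Core Spec Table 2.8, collapsed into rules."""
    pair = {init_io, resp_io}
    if "NoInputNoOutput" in pair:
        return "Just Works"          # a device with no I/O can never verify anything
    if pair <= {"DisplayOnly", "DisplayYesNo"}:
        if sc and init_io == resp_io == "DisplayYesNo":
            return "Numeric Comparison"
        return "Just Works"
    if "KeyboardOnly" in pair or "DisplayOnly" in pair:
        return "Passkey Entry"
    # Both sides are DisplayYesNo/KeyboardDisplay with at least one KeyboardDisplay.
    return "Numeric Comparison" if sc else "Passkey Entry"


def select_pairing_method(req: PairingFeatures, rsp: PairingFeatures) -> dict:
    """Negotiation rules: SC only if both support it; OOB per 2.3.5.1 (both sides
    for legacy, either side for SC); Just Works if neither side asks for MITM
    protection; otherwise the IO-capability table decides."""
    sc = req.secure_connections and rsp.secure_connections
    oob = (req.oob_present or rsp.oob_present) if sc else (req.oob_present and rsp.oob_present)
    if oob:
        method = "Out of Band"
    elif not (req.mitm or rsp.mitm):
        method = "Just Works"
    else:
        method = _method_from_io(req.io_capability, rsp.io_capability, sc)
    return {
        "pairing": True,
        "method": method,
        "secure_connections": sc,
        "key_generation": "LE Secure Connections (LTK via ECDH)" if sc else "LE legacy pairing (STK)",
        "authenticated": method != "Just Works",  # Just Works gives no MITM protection
    }


def assess_connection(smp_pdus: list) -> dict:
    """Classify a connection from the SMP PDUs sniffed on it. An empty list is the
    Android case in the article: no Pairing Request is ever sent, so the link
    stays unencrypted and unauthenticated."""
    req = next((decode_pairing_pdu(p) for p in smp_pdus if p[0] == PAIRING_REQUEST), None)
    rsp = next((decode_pairing_pdu(p) for p in smp_pdus if p[0] == PAIRING_RESPONSE), None)
    if req is None or rsp is None:
        return {"pairing": False, "method": None, "secure_connections": False,
                "key_generation": "none (plaintext link)", "authenticated": False}
    return select_pairing_method(req, rsp)


# Constructed PDUs (not a capture). Phone: KeyboardDisplay, bonding + MITM + SC.
PHONE_REQUEST = bytes([0x01, 0x04, 0x00, 0x0D, 0x10, 0x0F, 0x0F])
# Watch modelled on the article: NoInputNoOutput, bonding only, no SC.
WATCH_RESPONSE = bytes([0x02, 0x03, 0x00, 0x01, 0x10, 0x0F, 0x0F])
# A responder with a yes/no display and SC support, for contrast.
SC_RESPONSE = bytes([0x02, 0x01, 0x00, 0x0D, 0x10, 0x0F, 0x0F])

if __name__ == "__main__":
    print("iOS-style pairing with the watch:", assess_connection([PHONE_REQUEST, WATCH_RESPONSE]))
    print("Android-style connection (no SMP):", assess_connection([]))
    print("Phone with an SC-capable device:  ", assess_connection([PHONE_REQUEST, SC_RESPONSE]))
```

Fed the SMP payloads exported from a real sniffer capture, the same functions tell you whether a firmware update actually changed the negotiation: a watch that starts setting the SC bit and requesting MITM protection in its Pairing Response moves the result from Just Works over legacy STK towards Numeric Comparison or Passkey Entry over LE Secure Connections, whereas a device that keeps declaring NoInputNoOutput cannot get beyond Just Works without out-of-band data, whatever else changes.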
In stark contrast, when an Android device is used, the watch skips the pairing and bonding step entirely; no authentication request (AuthReq) is ever sent. Communication between the Android app and the watch is therefore neither encrypted nor authenticated. Consequently, an attacker does not need to be present during the initial setup: any ongoing BLE connection can be intercepted, sniffed or tampered with, which makes the attacks far more practical and harder to detect. This behaviour is likely due to iOS enforcing bonding for Bluetooth notifications at the operating-system level, a restriction that doesn't exist in the same form on Android. Even if the COROS PACE 3 is manually paired with an Android device using third-party tools, the official COROS app continues to communicate unencrypted.

Image: "Coros New Feature: Remote Initiated Factory Reset of your watch by someone else...literally"

COROS's Response: An Unsettling Reality

According to a Reddit user, the researcher who published the security analysis contacted COROS and conversed with them. While some vulnerabilities were given timelines for resolution (some "this month", others "end of year"), one vulnerability has no plan for a fix. This fuels the concern that COROS may disregard specific critical security flaws, particularly given the severity of the potential account takeovers and data loss. Users on Reddit have expressed significant alarm, with one remarking, "Lol, so there is no security at all (when you're using an Android phone)? Everyone in Bluetooth range can hijack your COROS account, get access to all your activities, and do everything with the watch you could do from the companion app." Another user suggested that COROS add an option to disable Bluetooth, a feature already present in some Garmin watches.

SySS reported all of the vulnerabilities it found to COROS through its responsible disclosure process.
At the time their analysis was published, "not all vulnerabilities have been resolved". This situation leaves many COROS PACE 3 users, especially Android users, exposed to significant security risks.

Take Out

These are significant security vulnerabilities. I would suspect that the different methods required to implement Bluetooth on iOS vs Android meant the company must have been partially aware of some of these issues for some time and has done nothing about it.

"The Bluetooth stack is largely shared across our watches, so these vulnerabilities apply broadly to most COROS devices." [L. Wu, CEO, via dcrainmaker]

Many of us, me included, might scoff, "I don't care if someone gets my heart rate data". However, these vulnerabilities go significantly beyond that. A malicious actor could crash devices at large events, or another could spy on your messages and notifications. I very strongly suspect that many of us who don't mind others seeing our sports data DO mind about our messages being snooped on.

"...we were initially notified earlier this year (around 82 days ago)...I have to admit the priority should have been higher." [L. Wu, CEO, via dcrainmaker]

In my opinion, this 'just make it work' type of implementation is found in other areas of the Coros ecosystem. You have to question whether your 'Training Readiness' or any of the other insights have been 'made to work' without considering how to do it correctly. C'mon, Coros, get your act together.

Sources:
Researcher: Moritz Abrell, SySS
Original report: syss.com