COROS Confirms Substantial Watch Security Vulnerablity: Says Fixes Are Coming

A German IT security firm has published a list of 8 different security bugs found in all COROS watches that give essentially full access to not only the user’s watch, but also their COROS account. This includes everything from interrupting a workout (during the workout), to resetting the device remotely, as well as accessing/downloading all your COROS.com data.

The list of security issues was originally listed to be for just the COROS Pace 3 watch; however, I have confirmed with COROS that it actually impacts all COROS devices, as all COROS watches (+ bike computer) utilize the same Bluetooth connectivity code between the watch and phone, where the issue lies.

The company outlined the issues in their post, which consolidates it down to six core gaps (as part of 8 specific security bugs):

– Hijacking the vicitim’s COROS account and accessing all data
– Eavesdropping sensitive data, e.g. notifications
– Manipulating the device configuration
– Factory resetting the device
– Crashing the device
– Interrupting a running activity and forcing the recorded data to be lost

The IT security firm researcher, Moritz Abrell, had initially discovered the vulnerabilities on March 10th, 2025, and notified COROS on March 14th, 2025. COROS immediately confirmed receipt of the issue on March 14th, 2025 as well. However, after that COROS went silent for another month, before finally responding back on April 15th, 2025 that it would fix the issues by the end of the year.

Disclosure Timeline (as outlined in Advisory):

2025-03-10: Vulnerability discovered
2025-03-14: Vulnerability reported to manufacturer
2025-03-14: Confirmation of receipt received
2025-03-17: Asked the manufacturer for an update
2025-03-31: More information provided to the manufacturer
2025-04-07: Asked the manufacturer for an update
2025-04-14: Informed the manufacturer about the assigned CVE-ID and asked for an update once again
2025-04-15: Answer received from the manufacturer; manufacturer informed SySS GmbH that a fix for the vulnerability is planned for the end of the year (2025)
2025-04-15: Receipt confirmed, and the issue was clarified once more, along with a recommendation for prompt resolution
2025-06-17: Public disclosure

As is normal for security researchers, without near-term fixes in place, the vulnerabilities were publicly disclosed on June 17th, 2025, shortly after the 90-day threshold expired. This includes the detailed reproduction steps, and code, to take advantage of each of these issues in the real world. Typically, researchers will withhold public disclosure if a manufacturer is working with them to get the fixes published in a timely manner.

While releasing these details might sound harsh to those outside the IT security world, the way COROS handled things up until yesterday was largely in line with a company that didn’t care. Saying that these massive security holes wouldn’t be fixed till the end of the year, in most security circles, would be considered jaw-dropping. After all, this wasn’t ‘just’ one minor security issue, or even one major one. It was 8 major ones that give attackers access to literally everything: The watch itself/operations, your watch data, and your COROS.com account. In addition to injecting false information sent to you, such as fake text notifications (or snooping on all of your text messages and/or notifications sent to the watch by your phone, which, for most people, is at a minimum, all text messages).

(Details from SySS, the IT Security research firm)

After a user sent me a link to the post on Friday night, I reached out to COROS to find out more. After all, this was an incredibly detailed list of issues, and it seemed like COROS mostly shrugged at them. For this e-mail, I went with the ‘cause a ruckus’ approach of including the CEO, their Head of Product Marketing & Support, their internal head of PR (Public Relations), and two more people from their external PR firm (one each in Europe and North America). In it, I had two simple questions:

1) Do these actually impact all COROS watches?
2) Why are these updates being pushed so far down the road?

Within a few hours (on a Friday night), I had received the first confirmation e-mail that they had received my note and were digging into it. Within 48 hours, I had received a long, detailed note from their CEO outlining the answers to my questions, as well as a bit more detail on how things fell apart on the COROS side.

First up, starting with the ‘which watches does this affect’ question, Lewis Wu, COROS’s CEO confirmed the following:

“The Bluetooth stack is largely shared across our watches, so these vulnerabilities apply broadly to most COROS devices. There may be minor implementation differences across models, but the underlying Bluetooth configuration is consistent. PACE 3 was the focus of the SySS report, but we are treating this as a platform-level issue and applying fixes across our product line accordingly.”

Which then gets to the next question: Why on earth are these issues not being addressed more promptly?

“You’re right that we were initially notified earlier this year (around 82 days ago). When we were notified, we started working on the issues but I have to admit the priority should have been higher. It’s a learning for COROS to prioritize security related problems. We had responded to the individual who reported these concerns with an over-simplified answer of “before the end of 2025″, but should have been more specific on the timeline with each item rather than speaking in broad terms and stated these will be fixed long before the end of this year.”

I’ll set aside the late-night mental math error on the number of days, which according to the published days should have been 107 days, but at least everything else admits something got dropped.

From there, he outlined all 8 issues, and the timelines for each. There was previously one issue which was slated for a June update, though given it’s the last day of June, I suspect that got slid into July. In turn, roughly half of the issues are now slated for a July update, and the other half in August. They are grouped into the following:

3.1, 3.2, 3.3, 4.1: By the end of July.
4.2, 4.3, 4.4, 4.5: They require deeper architectural changes and extensive validation across firmware variants. So our goal is to fix them by the end of August.

Those numbers above mean nothing to people outside COROS (or myself), and they clarified in a future update that the two groups are:

3.x List: Ones tied to the pairing of Bluetooth devices
4.x List: Ones tied to the encryption of communication to the device

He went on to say:

“In summary, we will establish a better authentication process before and during pairing COROS devices (3.1, 3.2, 3.3 and 4.1) before the end of July. The remaining issues (4.2, 4.3, 4.4, 4.5) are related to COROS Bluetooth communications during the product use, which requires a better encrypted communication. We will need to go through all the historical COROS devices and update them one by one. The end of August is an aggressive goal, but we will try our best.”

In addition, he noted:

“We want to thank you again for escalating the issues. And it’s important for COROS as a growing company to take learning from it – not only how to solve the reported problems but also how to streamline our internal procedures.”

Ultimately, at this point, users will simply need to wait for the fixes to be implemented. That said, having worked in IT and its security-related aspects as my day job before this, there’s almost always an inflection point in every company’s history where they start to take security issues seriously. Or more specifically, the reporting and management of them.

Meaning, every single software product ever created will eventually have a security bug. That’s largely the nature of software development. What matters is how a company handles that bug/issue. In this case, it seems like it was basically thrown into the larger pile of bugs to deal with, rather than being properly categorized as a security issue. Most software companies have very distinct channels for what happens when a security bug/vulnerability comes in. They typically have very specific e-mail addresses for researchers to contact, and they then have hyper-specific processes internally to ensure it gets proper visibility immediately. And further, they typically have hyper-specific processes on how to coordinate with the security researcher.

But all this usually only happens after a company screws up once. In this case, I’d guess this is the ‘once’ for COROS. As their CEO noted, they’re going to implement a host of things to ensure that future security issues are addressed efficiently (because again, all companies will have security issues eventually).

In any case, as a user, be sure that the next COROS firmware updates that come along in July and August are applied to your device, as they will definitely be important. I’m guessing COROS will probably also try and push users extra hard on this one too.

With that – thanks for reading!

FOUND THIS POST USEFUL? SUPPORT THE SITE!

Hopefully, you found this post useful. The website is really a labor of love, so please consider becoming a DC RAINMAKER Supporter. This gets you an ad-free experience, and access to our (mostly) bi-monthly behind-the-scenes video series of “Shed Talkin’”.

Support DCRainMaker - Shop on Amazon

Otherwise, perhaps consider using the below link if shopping on Amazon. As an Amazon Associate, I earn from qualifying purchases. It doesn’t cost you anything extra, but your purchases help support this website a lot. It could simply be buying toilet paper, or this pizza oven we use and love.