An issue was discovered on COROS PACE 3 devices through 3.0808.0. It implements a function to connect the watch to a WLAN. This function is mainly for downloading firmware files. Before downloading firmware files, the watch requests some information about the firmware via HTTPS from the back-end API. However, the X.509 server certificate within the TLS handshake is not validated by the device. This allows an attacker within an active machine-in-the-middle position, using a TLS proxy and a self-signed certificate, to eavesdrop and manipulate the HTTPS communication. This could be abused, for example, for stealing the API access token of the assigned user account.
The COROS PACE 3 smartwatch establishes an HTTPS connection to the manufacturer's API server during the software update process to retrieve available firmware information. During the TLS handshake, the device does not verify the validity of the X.509 certificate presented by the server. An attacker in an active man-in-the-middle position can substitute their own TLS proxy with a self-signed certificate and thereby decrypt and modify all communication between the smartwatch and the server. This allows eavesdropping on transmitted data, including API access tokens for the associated user account.
An attacker can intercept sensitive data transmitted by the smartwatch, in particular the access token to the user's account in the manufacturer's API, and manipulate server responses, which could lead to injection of malicious firmware or other unauthorized actions.
The COROS PACE 3 device software must be updated to a version higher than 3.0808.0. Detailed information about available updates can be found in the manufacturer's official release notes: https://support.coros.com/hc/en-us/articles/20087694119828-COROS-PACE-3-Release-Notes
Yftech COROS PACE 3 devices with software version up to and including 3.0808.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HYftech Coros Pace 3
HWYftechwszystkie wersjeYftech Coros Pace 3 Firmware
OSYftech≤ 3.0808.0
Related vulnerabilities
Brak uwierzytelnienia BLE w COROS PACE 3 — atak machine-in-the-middle
COROS PACE 3 — pobieranie firmware przez niezaszyfrowane HTTP (MitM)
Out-of-bounds read w COROS PACE 3 umożliwia zdalne wymuszenie restartu urządzenia
An issue was discovered on COROS PACE 3 devices through 3.0808.0. It starts advertising if no device is connec...
An issue was discovered in COROS PACE 3 through 3.0808.0. Due to a NULL pointer dereference vulnerability, sen...