An issue was discovered on COROS PACE 3 devices through 3.0808.0. It implements a function to connect the watch to a WLAN. With WLAN access, the COROS Pace 3 downloads firmware files via HTTP. However, the communication is not encrypted and allows sniffing and machine-in-the-middle attacks.
The COROS PACE 3 device, when connected to a WLAN network, initiates firmware file downloads via unencrypted HTTP protocol (CWE-319 — transmission of sensitive data in plaintext). An attacker present on the same network can intercept the transmission (sniffing) or conduct a machine-in-the-middle attack by substituting their own malicious firmware file in place of the original. The lack of integrity verification or authentication of the downloaded file allows untrusted software to be installed on the smartwatch.
An attacker can replace the device firmware with malicious code, gaining full control over the smartwatch, and intercept data transmitted during the update. The consequence may be permanent compromise of the device and violation of user data confidentiality and integrity.
Patches available from the manufacturer should be applied according to the references (COROS PACE 3 Release Notes). As a temporary measure, it is recommended to avoid connecting the device to untrusted WLAN networks and to implement network segmentation to limit the possibility of a MitM attack.
COROS PACE 3 devices with firmware version 3.0808.0 and earlier.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HYftech Coros Pace 3
HWYftechwszystkie wersjeYftech Coros Pace 3 Firmware
OSYftech≤ 3.0808.0
Related vulnerabilities
Brak uwierzytelnienia BLE w COROS PACE 3 — atak machine-in-the-middle
Brak walidacji certyfikatu TLS w COROS PACE 3 — atak MITM
Out-of-bounds read w COROS PACE 3 umożliwia zdalne wymuszenie restartu urządzenia
An issue was discovered on COROS PACE 3 devices through 3.0808.0. It starts advertising if no device is connec...
An issue was discovered in COROS PACE 3 through 3.0808.0. Due to a NULL pointer dereference vulnerability, sen...