{"id":232943,"date":"2025-07-02T21:00:27","date_gmt":"2025-07-02T21:00:27","guid":{"rendered":"https:\/\/www.europesays.com\/uk\/232943\/"},"modified":"2025-07-02T21:00:27","modified_gmt":"2025-07-02T21:00:27","slug":"theres-a-major-security-issue-with-coros-fitness-trackers","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/uk\/232943\/","title":{"rendered":"There\u2019s a Major Security Issue With Coros Fitness Trackers"},"content":{"rendered":"<p>If you thought <a href=\"https:\/\/lifehacker.com\/health\/strava-privacy-issues\" target=\"_blank\" rel=\"noopener\">Strava&#8217;s privacy issues<\/a> were bad, strap in: Coros has <a href=\"https:\/\/www.dcrainmaker.com\/2025\/06\/coros-confirms-substantial-watch-security-vulnerablity-says-fixes-are-coming.html\" target=\"_blank\" title=\"open in a new window\" rel=\"noopener\">confirmed<\/a> some major security issues with its watches. During an analysis of Coros Pace 3 Bluetooth security, German IT security researchers <a href=\"https:\/\/blog.syss.com\/posts\/bluetooth-analysis-coros-pace-3\/\" target=\"_blank\" title=\"open in a new window\" rel=\"noopener\">identified at least eight<\/a> distinct security flaws that affect every Coros device on the market\u2014not just the <a href=\"https:\/\/lifehacker.com\/health\/coros-pace-pro-vs-coros-pace-3\" target=\"_blank\" rel=\"noopener\">Pace 3 model<\/a>, as was first believed. After an initially lackluster response, Coros has since entered damage control mode, and is promising fixes by the end of summer. <\/p>\n<p>How Bluetooth makes Coros watches vulnerable<\/p>\n<p>The vulnerabilities stem from fundamental issues in the Bluetooth connectivity code shared across all Coros watches and their bike computer, creating a security nightmare that impacts the company&#8217;s entire product lineup. 
<\/p>\n<p>By exploiting these security flaws, an unauthenticated attacker within Bluetooth range can perform the following actions:<\/p>\n<ul>\n<li>\n<p><strong>Hijack user accounts<\/strong> and access all stored fitness data on <a href=\"http:\/\/COROS.com\" target=\"_blank\" title=\"open in a new window\" rel=\"noopener\">COROS.com<\/a><\/p>\n<\/li>\n<li>\n<p><strong>Eavesdrop on sensitive information<\/strong> including text messages and notifications<\/p>\n<\/li>\n<li>\n<p><strong>Manipulate device settings<\/strong> remotely without user knowledge<\/p>\n<\/li>\n<li>\n<p><strong>Factory reset devices<\/strong> from a distance, wiping all user data<\/p>\n<\/li>\n<li>\n<p><strong>Crash devices<\/strong> during critical moments<\/p>\n<\/li>\n<li>\n<p><strong>Interrupt active workouts<\/strong> and force the loss of recorded fitness data<\/p>\n<\/li>\n<\/ul>\n<p>If you&#8217;re interested in diving into the specific coding and architectural issues at play here, I highly recommend taking a look at <a href=\"https:\/\/blog.syss.com\/posts\/bluetooth-analysis-coros-pace-3\/\" target=\"_blank\" title=\"open in a new window\" rel=\"noopener\">the original blog post outlining the problem<\/a>. Perhaps most concerning is the ability for attackers to inject false information, such as fake text notifications, while simultaneously monitoring all genuine messages and notifications sent to the watch.<\/p>\n<p>When alerted to these massive security holes, Coros initially seemed less than alarmed. The security researchers followed standard industry protocol, privately disclosing the vulnerabilities to the company and providing a 90-day window for it to provide fixes before going public. At first, the company indicated that fixes wouldn&#8217;t arrive until the end of 2025\u2014a less than urgent response. 
Only after the vulnerabilities were publicly disclosed on June 17th, 2025, complete with detailed reproduction steps and exploit code, did Coros begin taking the situation seriously. <\/p>\n<p>What Coros users need to do<\/p>\n<p>The company has <a href=\"https:\/\/www.dcrainmaker.com\/2025\/06\/coros-confirms-substantial-watch-security-vulnerablity-says-fixes-are-coming.html\" target=\"_blank\" title=\"open in a new window\" rel=\"noopener\">now accelerated its timeline<\/a>, promising partial fixes by the end of July and complete resolution by August.<\/p>\n<p>The initial response from Coros appears to have treated these critical security flaws as routine bugs, which might be chalked up to inexperience: Though the issues are concerning, this does appear to be the company&#8217;s first major security incident. Gadget reviewer <a href=\"https:\/\/www.dcrainmaker.com\/2025\/06\/coros-confirms-substantial-watch-security-vulnerablity-says-fixes-are-coming.html\" target=\"_blank\" title=\"open in a new window\" rel=\"noopener\">DC Rainmaker<\/a>\u2014the same reporter responsible for escalating this issue to Coros in the first place\u2014posits that after this, Coros will likely have better public channels and internal processes in place for tackling future security issues. <\/p>\n<p>But that issue aside, what do you need to do if you own an affected device?<\/p>\n<p>In a <a href=\"https:\/\/www.reddit.com\/r\/Coros\/comments\/1lmg8he\/comment\/n0mq4m9\/?utm_source=share&amp;utm_medium=web3x&amp;utm_name=web3xcss&amp;utm_term=1&amp;utm_content=share_button\" target=\"_blank\" title=\"open in a new window\" rel=\"noopener\">Reddit comment<\/a>, Coros says if your watch is up to date, there\u2019s nothing you need to do right now. But when their next software updates are available in July and August, you should update your watch immediately to fix these vulnerabilities. 
Unfortunately, there are no effective workarounds to mitigate the vulnerabilities in the meantime, as they&#8217;re embedded in the devices&#8217; Bluetooth communication protocols.<\/p>\n<p>The bottom line<\/p>\n<p>Even if you aren&#8217;t a Coros user, it&#8217;s important to remember that all fitness wearables, despite their seemingly benign nature, can become significant security liabilities. These devices often have access to highly personal information\u2014from health data and location tracking to text messages and notifications\u2014making them attractive targets for hackers. As our wearables become increasingly sophisticated and connected, it&#8217;s more important than ever to stay on top of best security practices.<\/p>\n<p>And if you are a Coros user, make sure you install any and all July and August updates as soon as they are released. <\/p>\n","protected":false},"excerpt":{"rendered":"If you thought Strava&#8217;s privacy issues were bad, strap in: Coros has confirmed some major security issues 
with&hellip;\n","protected":false},"author":2,"featured_media":232944,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4322],"tags":[1630,105,16,15],"class_list":{"0":"post-232943","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-fitness","8":"tag-fitness","9":"tag-health","10":"tag-uk","11":"tag-united-kingdom"},"share_on_mastodon":{"url":"https:\/\/pubeurope.com\/@uk\/114785657156840789","error":""},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/posts\/232943","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/comments?post=232943"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/posts\/232943\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/media\/232944"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/media?parent=232943"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/categories?post=232943"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/tags?post=232943"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}