CVE-2025-32876 in PACE 3info

Summary

by MITRE • 06/20/2025

An issue was discovered on COROS PACE 3 devices through 3.0808.0. The BLE implementation of the COROS smartwatch does not support LE Secure Connections and instead enforces BLE Legacy Pairing. In BLE Legacy Pairing, the Short-Term Key (STK) can be easily guessed. This requires knowledge of the Temporary Key (TK), which, in the case of the COROS Pace 3, is set to 0 due to the Just Works pairing method. An attacker within Bluetooth range can therefore perform sniffing attacks, allowing eavesdropping on the communication.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 06/25/2025

The vulnerability identified in COROS PACE 3 devices represents a critical security flaw in the Bluetooth Low Energy implementation that directly impacts device confidentiality and integrity. This issue affects firmware versions through 3.0808.0 and stems from the device's reliance on outdated BLE Legacy Pairing mechanisms rather than the modern LE Secure Connections standard. The implementation violates fundamental Bluetooth security protocols by failing to establish proper cryptographic safeguards during the pairing process. According to the Bluetooth Core Specification, Legacy Pairing is inherently weak and susceptible to various attack vectors that modern secure connections mitigate through robust cryptographic algorithms and key derivation methods.

The technical flaw manifests through the specific use of the Just Works pairing method, where the Temporary Key (TK) is hardcoded to a value of zero, creating a predictable and easily exploitable cryptographic weakness. This configuration allows attackers to perform passive sniffing operations and subsequently calculate the Short-Term Key (STK) through brute force techniques, as the TK value eliminates the entropy required for secure key generation. The vulnerability directly maps to CWE-310, which addresses cryptographic weaknesses, specifically focusing on the use of weak or predictable cryptographic keys. The implementation fails to meet the security requirements outlined in NIST SP 800-171 and other cryptographic standards that mandate the use of secure key exchange mechanisms.

Operationally, this vulnerability enables attackers within Bluetooth range to perform eavesdropping attacks and potentially intercept sensitive communications between the smartwatch and connected devices. The attack surface includes any data transmitted over the BLE channel, which may contain personal health information, location data, and other sensitive user attributes. This weakness creates opportunities for man-in-the-middle attacks, session hijacking, and data exfiltration that could compromise user privacy and security. The threat model aligns with ATT&CK technique T1567.002, which covers "Exfiltration Over Bluetooth," and T1046, which addresses "Network Service Scanning' as attackers can discover and target vulnerable devices within their proximity. The vulnerability's impact extends beyond simple data interception to potentially enable unauthorized device control or manipulation of health monitoring data.

Mitigation strategies should prioritize immediate firmware updates from COROS to implement LE Secure Connections and proper key exchange mechanisms. Users should disable BLE when not actively using the device and implement additional network segmentation to limit potential attack vectors. The device should be configured to require explicit user confirmation for pairing operations and avoid automatic connections to previously paired devices. Organizations deploying these devices should conduct security assessments to identify potential attack surfaces and implement monitoring solutions to detect anomalous BLE traffic patterns. The fix should address the root cause by implementing proper cryptographic key derivation using the Bluetooth Secure Connections protocol, ensuring that temporary keys are generated using cryptographically secure random number generators and that pairing methods comply with the Bluetooth 5.0+ security requirements. This vulnerability demonstrates the critical importance of implementing modern cryptographic standards in IoT devices and highlights the risks associated with legacy security implementations in consumer electronics.

Responsible

MITRE

Reservation

04/11/2025

Disclosure

06/20/2025

Moderation

accepted

CPE

ready

EPSS

0.00336

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!