CVE-2025-32877 in PACE 3info

Summary

by MITRE • 06/20/2025

An issue was discovered on COROS PACE 3 devices through 3.0808.0. It identifies itself as a device without input or output capabilities, which results in the use of the Just Works pairing method. This method does not implement any authentication, which therefore allows machine-in-the-middle attacks. Furthermore, this lack of authentication allows attackers to interact with the device via BLE without requiring prior authorization.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 06/25/2025

The vulnerability identified in COROS PACE 3 devices represents a critical security flaw in the Bluetooth low energy implementation that undermines fundamental wireless communication security principles. This issue affects firmware versions through 3.0808.0 and stems from the device's improper identification mechanism that declares itself as having no input or output capabilities. The device's self-assessment leads to the automatic selection of the Just Works pairing method, a Bluetooth security profile that explicitly omits any form of authentication verification or cryptographic protection. This designation creates a significant attack surface that directly violates established security protocols and industry standards.

The technical implementation flaw manifests through the device's failure to properly evaluate its own capabilities and subsequently select appropriate security measures. When a Bluetooth device identifies itself as having no input or output capabilities, the Bluetooth specification mandates the use of the Just Works pairing method, which relies solely on the exchange of a single shared secret without any verification of the communicating parties. This approach fundamentally lacks the cryptographic strength required to prevent man-in-the-middle attacks, as demonstrated by the Bluetooth specification's own documentation regarding pairing security levels. The vulnerability directly correlates to CWE-310, which addresses cryptographic weaknesses and the absence of proper authentication mechanisms in security protocols.

The operational impact of this vulnerability extends far beyond simple privacy concerns, as it creates an environment where unauthorized parties can establish legitimate communication channels with the device without any form of authorization or authentication. Attackers can exploit this weakness to perform machine-in-the-middle attacks by intercepting and modifying communications between legitimate users and the device. This capability allows for complete control over device functions, including potential data manipulation, unauthorized access to personal health information, and the ability to disrupt device operations. The vulnerability creates a persistent security risk that remains active as long as the device operates in its vulnerable firmware state, making it particularly dangerous for wearable devices that handle sensitive personal data.

From an adversarial perspective, this vulnerability aligns with ATT&CK technique T1566, which involves phishing and social engineering through physical access or network manipulation. The lack of authentication makes it trivial for attackers to establish communication channels with the device, enabling them to perform various malicious activities including data exfiltration, device control, and potential denial of service conditions. The vulnerability also presents opportunities for attackers to conduct reconnaissance activities, gathering information about device configuration and user patterns without detection. Mitigation strategies should focus on firmware updates that properly implement device capability identification and enforce stronger pairing methods, while also implementing network segmentation and monitoring to detect unauthorized device access attempts.

The security implications of this vulnerability highlight the critical importance of proper security implementation in IoT and wearable devices, where users often trust devices with sensitive personal information. The device's failure to implement adequate authentication mechanisms represents a fundamental flaw in security by design principles, as it does not properly consider the security implications of its own self-identification process. This vulnerability demonstrates how seemingly minor implementation details in security protocols can create significant risks when they fail to adhere to established security standards and best practices. The remediation requires not only firmware updates but also comprehensive security testing to ensure that device capability identification properly implements appropriate security measures for different operational contexts.

Responsible

MITRE

Reservation

04/11/2025

Disclosure

06/20/2025

Moderation

accepted

CPE

ready

EPSS

0.00623

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!