Security researchers have uncovered significant vulnerabilities in COROS sports watches, raising concerns about user data and device control. While initially reported for the latest model, COROS has confirmed that the issues affect their entire product line. The good news? COROS is now working to address these flaws much sooner than originally planned, with fixes expected in firmware updates over the next two months.
Contents
These security gaps could potentially allow unauthorized access to your watch and even your COROS account data. Understanding the risks and knowing when the fixes are coming is crucial for all COROS users.
What Did the Security Firm Discover?
A German IT security company called SySS published a report detailing eight different security bugs found in COROS watches. Think of these bugs as unguarded doors or weak locks in the watch’s software, particularly in how it communicates with your phone via Bluetooth.
These aren’t minor glitches. The identified vulnerabilities could potentially let someone do serious things to your watch and your data without your permission.
A graphic related to COROS watch security vulnerabilities, potentially from the SySS report
How Serious Are These Security Flaws?
The security firm outlined a range of potential consequences stemming from these bugs. The list is concerning for anyone who relies on their watch for tracking workouts and personal data:
- Account Hijacking: Someone could potentially take control of your COROS account and access all your stored data.
- Data Snooping: Sensitive information like notifications sent to your watch could be intercepted and read.
- Device Manipulation: An attacker could change your watch’s settings without you knowing.
- Factory Reset: Your watch could be remotely wiped, losing all your data and settings.
- Crashing the Device: The watch could be made to freeze or stop working.
- Workout Interruption: A live workout could be stopped, potentially causing recorded data to be lost.
Essentially, these bugs grant attackers a high level of access and control over your device and personal information linked to it.
Security analysis details for the COROS Pace 3 watch from SySS, listing identified vulnerabilities
Which COROS Devices Are Affected?
Initially, the report focused on the COROS Pace 3 watch. However, COROS CEO Lewis Wu has since confirmed that the issue impacts all COROS watches and their bike computer. This is because the vulnerabilities lie within the core Bluetooth communication software, which is shared across their entire product line. So, if you own any COROS device, this information applies to you.
The Timeline: What Happened and What’s Next?
The vulnerabilities were first discovered by researcher Moritz Abrell in March 2025 and reported to COROS immediately. While COROS acknowledged receipt, their initial response was that fixes wouldn’t be ready until the “end of 2025”. This lengthy timeline for critical security flaws is highly unusual in the tech world.
Security researchers typically follow a policy of public disclosure if a company doesn’t commit to fixing serious issues within about 90 days. Since the original reported timeline was so far out, the details of the vulnerabilities were made public in June 2025. This public awareness often encourages companies to prioritize fixes.
Following the public report and inquiries (including from the author of this article), COROS has revised its plan. The company’s CEO admitted that they should have prioritized these issues higher from the start.
COROS has now provided a new, significantly accelerated timeline for releasing fixes:
- End of July 2025: Fixes for issues related to Bluetooth device pairing (bugs categorized as 3.1, 3.2, 3.3, and 4.1 by the security firm).
- End of August 2025: Fixes for issues related to encrypting communication during device use (bugs categorized as 4.2, 4.3, 4.4, and 4.5). COROS notes that these require deeper architectural changes and extensive testing across all older watch models.
COROS stated that this situation is a learning experience, highlighting the need to improve their internal procedures for handling security reports.
What Should COROS Users Do Now?
Right now, the most important action is to be prepared for upcoming software updates. While waiting for the fixes, there isn’t a specific action users can take to prevent exploitation, as the vulnerability is within the core device software.
However, once the updates are released in July and August, it is crucial to install them on your COROS device immediately. These firmware updates will contain the necessary patches to close these security gaps. COROS will likely notify users when these critical updates are available.
Every software product can have bugs, but how a company responds to security issues is key. It appears COROS is now taking these vulnerabilities seriously and working to address them quickly. For users, applying the updates as soon as they drop will be vital to ensuring the security of your device and data.
