CVE-2025-32876 Information
Jun 21, 2025
Description
An issue was discovered on COROS PACE 3 devices through 3.0808.0. The BLE implementation of the COROS smartwatch does not support LE Secure Connections and instead enforces BLE Legacy Pairing. In BLE Legacy Pairing, the Short-Term Key (STK) can be easily guessed. This requires knowledge of the Temporary Key (TK), which in the case of the COROS PACE 3 is set to 0 due to the Just Works pairing method. An attacker within Bluetooth range can therefore perform sniffing attacks, allowing eavesdropping on the communication.
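To check a pairing capture for the condition described above, the following added example (not part of the advisory or of any COROS code) classifies an SMP Pairing Request/Response pair as LE Secure Connections or LE Legacy Pairing and, for legacy, derives the association method. The field layout and AuthReq bits follow the Bluetooth Core Specification; the two sample PDUs are constructed for illustration, not captured from a device, and the function names are hypothetical.

```python
# SMP Pairing Request/Response layout (7 bytes):
# code, io_cap, oob_flag, auth_req, max_key_size, init_key_dist, resp_key_dist
PAIRING_REQUEST, PAIRING_RESPONSE = 0x01, 0x02
AUTH_MITM, AUTH_SC = 0x04, 0x08          # AuthReq bit 2 (MITM) and bit 3 (SC)
IO_NO_INPUT_NO_OUTPUT = 0x03
IO_WITH_KEYBOARD = {0x02, 0x04}          # KeyboardOnly, KeyboardDisplay

# Constructed samples: a central offering SC + MITM, and a peripheral that
# answers without the SC bit and with NoInputNoOutput, as the advisory describes.
CONSTRUCTED_REQUEST = bytes.fromhex("0104002d100f0f")
CONSTRUCTED_RESPONSE = bytes.fromhex("02030001100303")


def parse_pairing_pdu(pdu: bytes, expected_code: int) -> dict:
    """Extract the fields that decide pairing mode and association method."""
    if len(pdu) != 7 or pdu[0] != expected_code:
        raise ValueError(f"not an SMP pairing PDU with code {expected_code:#04x}")
    return {"io": pdu[1], "oob": pdu[2] == 0x01, "auth": pdu[3]}


def classify_pairing(request: bytes, response: bytes) -> dict:
    req = parse_pairing_pdu(request, PAIRING_REQUEST)
    rsp = parse_pairing_pdu(response, PAIRING_RESPONSE)
    # LE Secure Connections is used only when BOTH sides set the SC bit.
    if req["auth"] & rsp["auth"] & AUTH_SC:
        return {"mode": "LE Secure Connections", "method": None, "tk_is_zero": False}
    # Legacy pairing: pick the association method the way the SMP rules do.
    if req["oob"] and rsp["oob"]:
        method = "Out of Band"
    elif not ((req["auth"] | rsp["auth"]) & AUTH_MITM):
        method = "Just Works"            # nobody asked for MITM protection
    elif IO_NO_INPUT_NO_OUTPUT in (req["io"], rsp["io"]):
        method = "Just Works"            # one side cannot show or enter a passkey
    elif {req["io"], rsp["io"]} & IO_WITH_KEYBOARD:
        method = "Passkey Entry"
    else:
        method = "Just Works"            # display-only on both sides
    # Just Works in legacy pairing means TK = 0, the condition in the advisory.
    return {"mode": "LE Legacy Pairing", "method": method,
            "tk_is_zero": method == "Just Works"}


if __name__ == "__main__":
    print(classify_pairing(CONSTRUCTED_REQUEST, CONSTRUCTED_RESPONSE))
```

A result with `mode` set to LE Legacy Pairing and `tk_is_zero` true means the link key material is derived from values visible to a passive observer of the pairing exchange.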
Reference
https://support.coros.com/hc/en-us/articles/20087694119828-COROS-PACE-3-Release-Notes
https://syss.de
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-023.txt
Related CNNVD
CNNVD-202506-2667 (Published: 2025-06-20)