Skip to main content
Deutsch Español Français Italiano (Italia) 日本語 Polski Português do Brasil Русский ไทย Tiếng Việt (Việt Nam)

Bluetooth Security Vulnerability Statement

  • Updated

Bluetooth Security Risk – What You Need to Know

We’ve identified a potential risk in how COROS devices and the COROS app connect over Bluetooth, specifically before pairing is complete.

What’s the issue?

Before your COROS device is fully paired with the COROS app, a nearby attacker (within Bluetooth range—typically 10 meters or 30 feet) could attempt to intercept the connection using a forged device. In theory, this “middle device” could access or relay parts of the Bluetooth communication. Once pairing is complete, the risk is significantly reduced—but not entirely eliminated: 
  • iOS devices benefit from built-in Bluetooth encryption, which adds a strong layer of protection. However, in extremely rare cases, there may still be vulnerabilities if the device is disconnected and targeted by a nearby attacker using advanced tools.
  • Android devices face a slightly higher risk in edge cases—such as when the watch is disconnected from the phone and an attacker with specialized equipment is within range. In these situations, it may be possible to send fake notifications, intercept messages, or trigger a reset attempt.
     

Temporary Recommendation

We believe those risks are unlikely for users in their daily life, but if you want to be sure to protect against these scenarios, here are some recommendations:
  1. If you have a new COROS device, please connect your device to the COROS app at home, or in a non-public setting.
  2. If you're using Android, simply force-quit the COROS app when not in use. This prevents notifications from being passed to the watch in rare attack scenarios.
    1. When the COROS app is killed or force-quit, your phone won't attempt to communicate with your COROS device any longer so any hacking device would not be successful.

What We’re Doing About It

  • Mid-July: Internal testing of a firmware fix that prevents this risk.
  • End of July: Full public release of the fix for the following devices:
    • PACE 3, PACE Pro
    • APEX 2, APEX 2 Pro
    • VERTIX 2, VERTIX 2S
    • DURA
  • Other devices will follow shortly after:
    • PACE 2
    • APEX 42mm, APEX 46mm, APEX Pro
    • VERTIX 1
Your security is our priority, and we’re moving quickly to resolve this while keeping your experience as smooth as possible.

Related articles