Bluetooth Security Vulnerability Statement

Bluetooth Security Risk – What You Need to Know

A potential risk was identified in how COROS devices and the COROS app connect over Bluetooth, specifically before pairing is complete. This issue is now resolved. Update your COROS device to the latest firmware to apply the security improvements.

Full details are in the security vulnerability report published on the SySS Tech Blog.

What’s the issue?

Before your COROS device is fully paired with the COROS app, a nearby attacker (within Bluetooth range—typically 10 meters or 30 feet) could attempt to intercept the connection using a forged device. In theory, this “middle device” could access or relay parts of the Bluetooth communication. Once pairing is complete, the risk is significantly reduced—but not entirely eliminated: 

  • iOS devices benefit from built-in Bluetooth encryption, which adds a strong layer of protection. However, in extremely rare cases, there may still be vulnerabilities if the device is disconnected and targeted by a nearby attacker using advanced tools.
  • Android devices face a slightly higher risk in edge cases—such as when the watch is disconnected from the phone and an attacker with specialized equipment is within range. In these situations, it may be possible to send fake notifications, intercept messages, or trigger a reset attempt.

Updates

July 17 Update ✅ 

Products:
COROS NOMAD, PACE 3, PACE Pro, APEX 2, APEX 2 Pro, APEX 4, VERTIX 2, VERTIX 2S, DURA

Security Fixes:

  • CVE-2025-32875

  • CVE-2025-32876

  • CVE-2025-32877

Description:

  • Strengthens Bluetooth connection security on Android devices

July 28 Update ✅ 

Products:
COROS NOMAD, PACE 3, PACE Pro, APEX 2, APEX 2 Pro, APEX 4, VERTIX 2, VERTIX 2S, DURA

Security Fixes:

  • CVE-2025-48705

  • CVE-2025-48706

  • CVE-2025-32878

  • CVE-2025-32879

  • CVE-2025-32880

Description:

  • Adds digital signature verification for control commands

  • Prevents unauthorized apps or devices from sending control commands to your watch

August 20 Update ✅ 

Products:
PACE 2, APEX Pro, VERTIX, Decathlon GPS 500, Decathlon GPS 900

Security Fixes:

  • CVE-2025-32875

  • CVE-2025-32876

  • CVE-2025-32877

  • CVE-2025-32879

Description:

  • Enhanced Bluetooth link protection for Android

  • Adds signature verification for control commands

Mid-September Update ✅

Products:
APEX 42mm, APEX 46mm

Security Fixes:

  • CVE-2025-48705

  • CVE-2025-48706

  • CVE-2025-32878

  • CVE-2025-32879

  • CVE-2025-32880

Description:

  • Enhanced Bluetooth security for Android

  • Adds signature verification to prevent unauthorized Bluetooth control commands

Temporary Recommendation

We believe these risks are unlikely to affect users in daily life, but if you want to protect against these scenarios anyway, here are some recommendations:

  1. If you have a new COROS device, please connect your device to the COROS app at home, or in a non-public setting.
  2. If you're using Android, simply force-quit the COROS app when not in use. This prevents notifications from being passed to the watch in rare attack scenarios.
    1. When the COROS app is killed or force-quit, your phone no longer attempts to communicate with your COROS device, so an attacker's device would not succeed.

What We’re Doing About It

As of September 2025, the issue is resolved. Update your COROS device to the latest firmware to apply the security improvements.

  • Mid-July: Internal testing of a firmware fix that prevents this risk.
  • End of July: Full public release of the fix for the following devices:
    • PACE 3, PACE Pro
    • APEX 2, APEX 2 Pro
    • VERTIX 2, VERTIX 2S
    • DURA
  • Other devices will follow shortly after:
    • PACE 2
    • APEX 42mm, APEX 46mm, APEX Pro
    • VERTIX 1

Your security is our priority, and we’re moving quickly to resolve this while keeping your experience as smooth as possible.

Full List of CVE Details:

CVE-2025-32875

Issue: Insufficient authentication during Bluetooth binding (pairing) could allow unauthorized devices to initiate a connection during initial setup.

CVE-2025-32876

Issue: Weakness in the encryption process used during Bluetooth handshakes under certain Android environments.

CVE-2025-32877

Issue: In specific scenarios, a nearby device could interfere with Bluetooth communications if signature checks were bypassed.

CVE-2025-32878

Issue: Potential for unverified control commands to be sent from unauthorized apps or devices.

CVE-2025-32879

Issue: Certain control interfaces exposed via Bluetooth could be accessed without proper session validation.

CVE-2025-32880

Issue: A vulnerability during firmware transmission over Bluetooth that could potentially allow manipulation of the device.

CVE-2025-48705 & CVE-2025-48706

Issue: Potential for control commands sent over Bluetooth to bypass authentication checks on certain Android versions.
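The fixes above describe "signature verification for control commands" and rejecting commands that lack "proper session validation" (CVE-2025-32878, CVE-2025-32879, CVE-2025-48705, CVE-2025-48706). The following is an added illustration of what those two checks buy on the receiving (watch) side; it is not COROS firmware or app code, and the frame layout, opcodes, session identifiers and the use of HMAC-SHA256 as a stand-in for the vendor's signature scheme are all assumptions made for this example. It shows a genuine command being accepted while a forged command (sender without the session key), a tampered command, a replayed command and a command addressed to an unknown session are each rejected.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed frame layout for this example (not the COROS wire format):
#   session_id (4 bytes) | counter (4 bytes) | opcode (1 byte) | payload | tag (32 bytes)
HEADER_FMT = ">IIB"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 9
TAG_LEN = hashlib.sha256().digest_size      # 32


@dataclass
class Session:
    """Watch-side state for one authenticated session (hypothetical)."""
    session_id: int
    key: bytes              # shared after pairing; a sender must prove possession of it
    last_counter: int = -1  # highest counter accepted so far, used to reject replays


def build_command(session_id: int, key: bytes, counter: int, opcode: int, payload: bytes) -> bytes:
    """Sender side: serialise a control command and append its authentication tag."""
    header = struct.pack(HEADER_FMT, session_id, counter, opcode)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_command(session: Session, frame: bytes) -> Tuple[bool, str, Optional[int], Optional[bytes]]:
    """Watch side: accept a frame only if it belongs to the current session, carries a
    valid tag and has not been seen before. Returns (accepted, reason, opcode, payload)."""
    if len(frame) < HEADER_LEN + TAG_LEN:
        return False, "too short", None, None
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    session_id, counter, opcode = struct.unpack(HEADER_FMT, body[:HEADER_LEN])
    payload = body[HEADER_LEN:]
    # Session validation: the frame must be bound to the session established at pairing.
    if session_id != session.session_id:
        return False, "unknown session", None, None
    # Signature/MAC verification, compared in constant time.
    expected = hmac.new(session.key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad signature", None, None
    # Replay rejection: the counter must advance; update it only after the tag checks out.
    if counter <= session.last_counter:
        return False, "replay", None, None
    session.last_counter = counter
    return True, "ok", opcode, payload


def run_demo() -> dict:
    """Exercise the verifier with one genuine command and four hostile frames (all constructed)."""
    session = Session(session_id=0x00C00001, key=bytes(range(32)))
    results = {}

    genuine = build_command(session.session_id, session.key, counter=1, opcode=0x10, payload=b"\x01")
    results["genuine"] = verify_command(session, genuine)[1]

    # The same frame delivered again by a device that captured it.
    results["replay"] = verify_command(session, genuine)[1]

    # Built by a sender that does not hold the session key.
    forged = build_command(session.session_id, bytes(32), counter=2, opcode=0x10, payload=b"\x01")
    results["forged"] = verify_command(session, forged)[1]

    # Genuine frame with one payload byte altered in transit.
    tampered = bytearray(build_command(session.session_id, session.key, counter=3, opcode=0x10, payload=b"\x01"))
    tampered[HEADER_LEN] ^= 0xFF
    results["tampered"] = verify_command(session, bytes(tampered))[1]

    # Frame addressed to a session the watch never established.
    stray = build_command(0xDEADBEEF, session.key, counter=4, opcode=0x10, payload=b"\x01")
    results["wrong_session"] = verify_command(session, stray)[1]
    return results


if __name__ == "__main__":
    for name, reason in run_demo().items():
        print(f"{name:>13}: {reason}")
```

The order of checks matters: the session and tag are verified before the counter is consulted, and the counter is stored only once the tag is valid, so an unauthenticated sender can neither advance the replay window nor learn anything from the rejection reason.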

Additional Information

CVE-2025-32878, CVE-2025-32880

PACE 2, APEX Pro, VERTIX, Decathlon GPS500, Decathlon GPS900, APEX 42mm and APEX 46mm do not have Wi-Fi capability, so these two CVEs require no fix on those models.