COROS Watch Security Flaws Announced: Full Explainer!

German IT security researcher Moritz Abrell, has published a list of 8 different security bugs found in all COROS watches that give essentially full access to not just the users watch, but also their COROS account. This includes everything from interrupting a workout (during the workout), to resetting the device remotely, as well as accessing/downloading all your COROS.com data. The list of security issues was originally listed to be for just the COROS Pace 3 watch, however I have confirmed with COROS that it actually impacts all COROS devices, as all COROS watches (+ bike computer) utilize the same Bluetooth connectivity code between the watch and phone, where the issue lies. The company outlined the issues in their post, which consolidates it down to six core gaps (as part of 8 specific security bugs): – Hijacking the vicitim’s COROS account and accessing all data – Eavesdropping sensitive data, e.g. notifications – Manipulating the device configuration – Factory resetting the device – Crashing the device – Interrupting a running activity and forcing the recorded data to be lost The IT security firm researcher, Moritz Abrell, had initially discovered the vulnerabilities on March 10th, 2025, and notified COROS on March 14th, 2025. COROS immediately confirmed receipt of the issue on March 14th, 2025 as well. However, after that COROS went silent for another month, before finally responding back on April 15th 2025 that it would fix the issues by the end of the year. Full details: https://blog.syss.com/posts/bluetooth-analysis-coros-pace-3/