June 30, 2025 15 mins

EP30 - Coros Hacking Vulnerabilities A Deep Dive chat.wav (ft. AI Insights)

    Episode Transcript

    Available transcripts are automatically generated. Complete accuracy is not guaranteed.
    (00:00):
    OK, let's unpack this. Imagine you're an athlete, you know, meticulously tracking every stride, every single beat of your heart, really relying on your smart sports watch for that crucial edge. Yeah, pushing boundaries, chasing those PBs. Exactly. And every piece of data from that device feels, well, essential, like a partner in your progress.

    (00:21):
    But what if that same device, your little personal performance lab on your wrist, had some gaping security holes? Holes that can expose way more than just your pace? Maybe even, you know, undermine the trust you put in it. That's a worrying thought. Well, today we're diving deep into a recent and pretty significant report that raises these exact questions. It's from a security company

    (00:42):
    called SySS and it was detailed by the 5K Runner, the popular site. You know, the5krunner.com. Yeah, a lot of athletes follow them. For sure this report, it's really recent, like Monday, June 30, 2025, and it uncovers critical vulnerabilities in a popular sports watch, the Coros Pace 3. So our mission here is to pull out the crucial insights from

    (01:06):
    this deep dive into athletic data security. So you, our listener, can be really well informed about these frankly surprising facts and what they imply. And what's truly fascinating here is just how central these devices have become, right? For serious athletes, every second, every data point counts. Absolutely. We're talking heart rate zones, recovery metrics, training
    We're talking heart rate zones, recovery metrics, training

    (01:28):
    readiness scores. I mean, this isn't just casual info, it's the bedrock of your training strategy. Yeah, it dictates your next workout, your rest days. Exactly. But this deeply researched report from SySS, which was originally on sys.com and then, you know, amplified for the athlete community by the 5K Runner, it brings us to a crucial point.

    (01:48):
    How secure is all that really valuable, sensitive data you're generating every day? It kind of forces us to confront the reality that, well, chasing peak performance shouldn't mean sacrificing personal privacy. Well, the alarm bells definitely started ringing loud and clear with this report. The main subject, as we said, is the Coros Pace 3, and SySS, the security company, they didn't just scratch the surface.

    (02:08):
    They did a detailed Bluetooth analysis and their findings are pretty blunt. OK, like what? They said they found multiple critical vulnerabilities and rated Coros's Bluetooth security as highly on the not good scale. That's a direct quote. Wow, OK, not good is putting it mildly for a security report,

    (02:29):
    right? And what makes this really concerning, particularly for athletes, is that the findings are especially severe for Android users. OK, that's a big user base. Huge. And the community outcry on Reddit was immediate, you know, widespread. It shows a real world impact and genuine user concern about their fitness data and maybe more. And if we connect this to the

    (02:50):
    bigger picture, the root cause SySS identified points to, well, fundamental security omissions in the Pace 3's Bluetooth Low Energy, BLE, implementation. So basic stuff missing. Pretty much. And what's really unsettling, according to the SySS report and the discussions picked up by the 5K Runner and buzzing on Reddit, is that while Coros has communicated with the researchers.

    (03:10):
    OK, so they're talking. They are talking, but some identified issues remain unresolved. And even more critically, for at least one major vulnerability, Coros explicitly states it has no plan to resolve this issue. Wait, no plan. At all. That's what's reported. This isn't just a bug. It kind of exposes this tension in tech companies, right?

    (03:31):
    The battle between getting features out fast and building in robust foundational security. The move fast and break things mentality, but for security. Sort of, yeah. It forces users to face this uncomfortable idea that some brands might prioritise a Just Make It Work approach, even when critical user data is clearly at risk.

    (03:51):
    OK, so here's where it gets really interesting. Let's dive into the technical flaws SySS found. But, you know, keep it accessible, right? The report highlights some really basic security omissions. I mean, imagine leaving your front door wide open just because you think no one's around; anyone can walk in. Not a great analogy for security. Not at all, but that's a bit like what happens with the Coros

    (04:11):
    Pace 3 when it isn't actively connected to its paired phone. It allows any nearby unauthenticated attacker to connect and interact with all exposed characteristics. All of them. All exposed characteristics, essentially any feature or data point the watch shares without needing to be paired or bonded. And bonded means that more secure, authenticated link. Yeah, exactly the kind of link

    (04:34):
    you should have. Then there's the issue of the insecure Just Works pairing method. Yeah, think of it like shaking hands with a stranger without checking who they are. The watch incorrectly tells other devices it has no input output capabilities. But it has a screen and buttons. Right, it clearly does. Devices with screens or buttons are supposed to use better

    (04:55):
    pairing, like showing a PIN you confirm, but the Coros watch forces itself into this insecure Just Works method, no authentication. It's basically an open invitation. And on top of that it completely lacks support for Bluetooth Secure Connections. That's the much better modern method from Bluetooth 4.2. So it's using older tech. It falls back to older, less

    (05:16):
    secure legacy pairing based on short term keys. It's like using a really old, easy to crack password when much stronger options exist. OK, this brings us to a crucial point. What does this actually mean for you, the user, especially an athlete out in public? Yeah. What's the risk? Well, the lack of mandatory pairing creates an easily

    (05:38):
    exploitable attack surface in common public places. Think about it. Gyms, crowded races, public transport, even just a coffee shop. Places athletes are all the time. Exactly. Places where you're constantly surrounded by others who might be within Bluetooth range. It means an attacker doesn't need physical access to your watch. Just needs to be nearby. Just needs to be within Bluetooth range when your phone

    (05:59):
    isn't actively connected to the watch. This massively broadens the potential threat. They can target your device without any prior authentication. So this is where we see that critical difference in security between iOS and Android, right? The report detailed that, yeah. SySS found different behaviours. When an iOS device sets up the Pace 3, the watch does at least

    (06:20):
    try to trigger a BLE pairing process. OK, so some attempt there. Some attempt, yeah. However, the SySS researchers found an attacker could silently bypass or downgrade this process, so it could still lead to unencrypted communication. So not foolproof, even on iOS. Not foolproof, but the situation for Android users, and the 5K

    (06:41):
    Runner really highlighted this, is significantly more concerning. The SySS analysis found that when an Android device is used, the watch completely skips the pairing and bonding step. Just, it doesn't do it. No authentication request is sent at all. Seriously. So the communication is just. Open. It means the communication between the Android app and the watch is neither encrypted nor

    (07:03):
    authenticated. Wide open. Wow, and an attacker doesn't even need to be there at the start. Nope, they don't need to be present during initial setup. Any ongoing BLE connection can be intercepted, sniffed, tampered with. It makes these attacks way more practical and much harder for the average user to even detect. And the likely reason is how the operating systems handle things. Seems like it. iOS probably has

    (07:25):
    stricter OS level enforcement for Bluetooth notifications, while Android is more lenient. And get this, here's a bonus detail that really shows the problem. Even if you try to manually pair the watch with Android using some third party tools, it doesn't force the official Coros app to use encryption. The app just keeps communicating

    (07:46):
    unencrypted anyway. Oh. Come on, that's. That's bad. It's pretty bad. OK, let's break this down further. Let's look at some truly alarming real world attack scenarios. Because this isn't just about someone seeing your heart rate, though. People care about that too. Right, the implications seem bigger. Much bigger. The SySS report outlines multiple critical vulnerabilities with really wide-ranging attack

    (08:09):
    scenarios that can impact your privacy, your peace of mind, maybe even your performance. OK, like what? Well, one of the most alarming is account hijacking. Your actual Coros account. Your actual Coros account. See, every time your phone connects to the watch, sensitive API keys, specifically something called an access token, get transmitted unencrypted on Android. Unencrypted on Android, an attacker can basically pretend

    (08:31):
    to be a Coros watch and just steal this key. And once they have the. Key. They get full access to all your profile and activity data. They can even modify your account information. Modify it, like delete runs. Or worse, this isn't just losing pace data, it's potentially erasing or messing with your entire athletic history. Imagine years of training logs,

    (08:53):
    race results, PBs, all vulnerable, wiped or faked by some random attacker. That fundamentally undermines the whole point of using the device. Totally. It destroyed the trust. Then there's eavesdropping, a big privacy breach. OK. Think about personal messages, any notifications on your wrist, the watch shows stuff from WhatsApp, iMessage, whatever. Yes, standard feature.

    (09:14):
    But because of the unencrypted communication on Android, an attacker can just sniff, eavesdrop on the content of these private notifications. Someone nearby could literally be reading your private chats as they pop up. That's creepy. Very, and it gets even more disruptive: device manipulation. They can change settings. Yeah, attackers can actively mess with your watch settings. For instance, the SySS researchers figured out the

    (09:36):
    message structure for the Do Not Disturb function, meaning they could remotely turn DND on or off on your watch without you knowing or wanting it. And that's just one example. The report suggests other configurations are probably possible too. Imagine someone turning off your notifications or messing with settings during a race. Exactly. Super disruptive.

    (09:56):
    And this begs the question, beyond spying, what about outright disruption, especially for an athlete, you know, in a high stakes moment? Yeah, can they break it? Well, the SySS analysis found attackers could remotely trigger a factory reset of the watch. No way, factory reset mid race. Imagine you're in a marathon pushing for a PB, heart pounding, and bam, your watch resets, loses all recorded

    (10:21):
    activity data, forces a restart with default settings. That's race over, data gone. As the 5K Runner notes, that could absolutely be the end of a successful race. Derails your effort, loses invaluable data from that key moment. And even more directly, the report details how specific malicious data payloads exploiting things like a null pointer dereference, that's

    (10:43):
    CWE-476, and an out of bounds read, CWE-125. OK, technical terms, but basically ways to crash it. Exactly. Think of them as ways to make the watch try to access memory it shouldn't, causing it to crash and immediately reboot even during an ongoing activity. So again, data loss. Complete data loss for whatever

    (11:05):
    you were tracking. That's not just annoying, that's your hard earned training data just gone instantly. And as a sort of less critical but still incredibly disruptive bonus exploit, an attacker could even remotely trigger your watch to beep and blink. Make it annoying. Make it annoying, or even trick your watch into making your phone alert you with its Find My Device function. OK, that's just messing with you, but shows the level of

    (11:27):
    control. It really highlights the alarming level of unauthorised control an attacker could potentially get over your devices. So what does this all mean for Coros users right now? And crucially, what's Coros saying or doing? Yeah, the response is key. Well, according to reports from the security researchers which got shared by Reddit users, Coros has been contacted.

    (11:49):
    They've apparently set timelines for fixing some vulnerabilities, some maybe this month, others end of year. OK, so some fixes are planned. Some are planned, but crucially, one vulnerability has no plan for a fix. Still that one outstanding issue with no fix planned. Exactly. That's a pretty stark reality

    (12:09):
    for users, especially considering how deep some of these issues go. And the Reddit community's alarm was, well, palpable. You could feel it. We saw one user quote basically saying lol. So there is no security at all when you're using an Android phone. Captures the feeling pretty well. It does, they went on. Everyone in Bluetooth range can hijack your Coros account, get

    (12:29):
    access to all your activities and do everything with a watch you could do from the companion app. That really sums up the concern among athletes. Understandable concern. Totally. Another user even suggested Coros should just add an option to disable Bluetooth entirely. Like a kill switch. Yeah, a feature that, notably, some Garmin watches already have. It would at least give users an immediate workaround if they're worried.

    (12:51):
    Right. Put control back in the user's hands temporarily. Exactly. And this really brings us back to that crucial point about the bigger picture, doesn't it? How so? As the 5K Runner put it quite well, this just make it work approach to security is deeply concerning. It makes you wonder, doesn't it, if basic Bluetooth security was overlooked, what about other complex features athletes rely

    (13:13):
    on? Things like training readiness or other performance metrics. Were they implemented with thorough security consideration? It casts doubt on the overall process. It really does. It's about a company's fundamental commitment not just to cool features, but to basic user data integrity and privacy. Foundational stuff. Foundational stuff, and SySS,
    Foundational stuff. Foundational Stuff and SIS,

    (13:33):
    remember, reported all these vulnerabilities through their
    responsible disclosure programmeback in June, right?
    But it's important to stress that when they publish their
    analysis, not all vulnerabilities have been
    resolved. Still outstanding issues.
    Which leaves many Chorus Pace 3 users, particularly the huge
    number on Android, vulnerable tosome pretty significant security
    risks that are clearly laid out in these reports.

    (13:55):
    It's just a reminder that even advanced tech needs solid
    security basics. We've really deep dived into a
    fascinating and yeah concerning report today.
    From exposed API keys leading topotential account takeovers
    wiping out your athletic historyto the ability for someone to
    crash your watch mid race. We're just reading your private
    messages. Or just having your private

    (14:16):
    notifications sniffed. It's, it's a lot to consider for you, our listener, whether you're a Coros user, maybe thinking of buying one, or just considering any sports watch that tracks your health and activity. This deep dive really highlights the absolute importance of understanding the digital security of these devices, devices you rely on for your health and your very personal data. And this raises, I think, an

    (14:37):
    important final question. In a world where our most personal data, you know, from our heartbeats to our training logs, is so intertwined with our performance and daily lives, what level of responsibility should manufacturers really bear when core security mechanisms are overlooked like this, especially when critical issues apparently remain unaddressed?

    (14:58):
    That's the core question, isn't it? It is. It's something for you to mull over as you think about your own tech habits. What information you're entrusting to these powerful, yet as we've seen, potentially vulnerable devices? Because ultimately, the trust you place in your gear really should extend to its digital defences, too.