Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
OK, let's unpack this. Imagine you're an athlete, you
know, meticulously tracking every stride, every single beat
of your heart, really relying on your smart sports watch for that
crucial edge. Yeah, pushing boundaries,
chasing those PBs. Exactly.
And every piece of data from that device feels, well,
essential, like a partner in your progress.
(00:21):
But what if that same device, your little personal performance
lab on your wrist, had some gaping security holes?
Holes that can expose way more than just your pace?
Maybe even, you know, undermine the trust you put in it.
That's a worrying thought. Well, today we're diving deep
into a recent and pretty significant report that raises
these exact questions. It's from a security company
(00:42):
called SySS and it was detailed by the 5K Runner, the
popular site. You know, the5krunner.com.
Yeah, a lot of athletes follow them.
For sure. This report, it's really recent, like Monday, June
30, 2025, and it uncovers critical vulnerabilities in a
popular sports watch, the COROS Pace 3.
So our mission here is to pull out the crucial insights from
(01:06):
this deep dive into athletic data security.
So you, our listener, can be really well informed about these
frankly surprising facts and what they imply.
And what's truly fascinating here is just how central these
devices have become, right? For serious athletes, every
second, every data point counts. Absolutely.
We're talking heart rate zones, recovery metrics, training
(01:28):
readiness scores. I mean, this isn't just casual
info, it's the bedrock of your training strategy.
Yeah, it dictates your next workout, your rest days.
Exactly. But this deeply researched
report from SySS, which was originally on sys.com and then,
you know, amplified for the athlete community by the 5K
runner, it brings us to a crucial point.
(01:48):
How secure is all that really valuable, sensitive data you're
generating every day? It kind of forces us to confront
the reality that, well, chasing peak performance shouldn't mean
sacrificing personal privacy. Well, the alarm bells definitely
started ringing loud and clear with this report.
The main subject, as we said, is the COROS Pace 3 and SySS,
the security company, they didn't just scratch the surface.
(02:08):
They did a detailed Bluetooth analysis and their findings are
pretty blunt. OK, like what?
They said they found multiple critical vulnerabilities and
rated COROS's Bluetooth security as highly on the not
good scale. That's a direct quote.
Wow, OK, not good is putting it mildly for a security report,
(02:29):
right? And what makes this really
concerning, particularly for athletes, is that the findings
are especially severe for Android users.
OK, that's a big user base. Huge.
And the community outcry on Reddit was immediate, you know,
widespread. It shows there's a real world impact
and genuine user concern about their fitness data and maybe
more. And if we connect this to the
(02:50):
bigger picture, the root cause SySS identified points to, well,
fundamental security omissions in the Pace 3's Bluetooth
Low Energy BLE implementation. So basic stuff missing.
Pretty much. And what's really unsettling,
according to the SySS report and the discussions picked up by the
5K runner and buzzing on Reddit, is that while COROS has
communicated with the researchers.
(03:10):
OK, so they're talking. They are talking, but some
identified issues remain unresolved.
And even more critically, for at least one major vulnerability,
COROS explicitly states it has no plan to resolve this issue.
Wait, no plan. At all.
That's what's reported. This isn't just a bug.
It kind of exposes this tension in tech companies, right?
(03:31):
The battle between getting features out fast and building
in robust foundational security. The move fast and break things
mentality but for security. Sort of, yeah.
It forces users to face this uncomfortable idea that some
brands might prioritise a Just Make It Work approach, even when
critical user data is clearly at risk.
(03:51):
OK, so here's where it gets really interesting.
Let's dive into the technical flaws SySS found.
But, you know, keep it accessible, right?
The report highlights some really basic security omissions.
I mean, imagine leaving your front door wide open just
because you think no one's around. Anyone can walk in.
Not a great analogy for security.
Not at all, but that's a bit like what happens with the COROS
(04:11):
Pace 3 when it isn't actively connected to its paired phone.
It allows any nearby unauthenticated attacker to
connect and interact with all exposed characteristics.
All of them. All exposed characteristics,
essentially any feature or data point the watch shares without
needing to be paired or bonded. And bonded means that more
secure authenticated link. Yeah, exactly the kind of link
(04:34):
you should have. Then there's the issue of the
insecure just works pairing method.
Yeah, think of it like shaking hands with a stranger without
checking who they are. The watch incorrectly tells
other devices it has no input output capabilities.
But it has a screen and buttons. Right, it clearly does.
Devices with screens or buttons are supposed to use better
(04:55):
pairing, like showing a PIN you confirm, but the COROS watch
forces itself into this insecure just works method, no
authentication. It's basically an open
invitation. And on top of that it completely
lacks support for Bluetooth secure connections.
That's the much better modern method from Bluetooth 4.2.
So it's using older tech. It falls back to older, less
(05:16):
secure legacy pairing based on short term keys.
It's like using a really old, easy to crack password when much
stronger options exist. OK, this brings us to a crucial
point. What does this actually mean for
you, the user, especially an athlete out in public?
Yeah. What's the risk?
Well, the lack of mandatory pairing creates an easily
(05:38):
exploitable attack surface in common public places.
Think about it. Gyms, crowded races, public
transport, even just a coffee shop.
Places athletes are all the time.
Exactly. Places where you're constantly
surrounded by others who might be within Bluetooth range.
It means an attacker doesn't need physical access to your
watch. Just needs to be nearby.
Just needs to be within Bluetooth range when your phone
(05:59):
isn't actively connected to the watch.
This massively broadens the potential threat.
They can target your device without any prior
authentication. So this is where we see that
critical difference in security between iOS and Android, right?
The report detailed that, yeah. SySS found different behaviours.
When an iOS device sets up the Pace 3, the watch does at least
(06:20):
try to trigger a BLE pairing process.
OK, so some attempt there. Some attempt, yeah.
However, the SySS researchers found an attacker could silently
bypass or downgrade this process, so it could still lead
to unencrypted communication. So not foolproof, even on iOS.
Not foolproof, but the situation for Android users and the 5K
(06:41):
runner really highlighted this is significantly more
concerning. The SySS analysis found that when
an Android device is used, the watch completely skips the
pairing and bonding step. Just it doesn't do it.
No authentication request is sent at all.
Seriously. So the communication is just.
Open. It means the communication
between the Android app and the watch is neither encrypted nor
(07:03):
authenticated. Wide open.
Wow, and an attacker doesn't even need to be there at the
start. Nope, they don't need to be
present during initial setup. Any ongoing BLE connection can
be intercepted, sniffed, tampered with.
It makes these attacks way more practical and much harder for
the average user to even detect. And the likely reason is how the
operating systems handle things. Seems like it. iOS probably has
(07:25):
stricter OS level enforcement for Bluetooth notifications,
while Android is more lenient. And get this here's a bonus
detail that really shows the problem.
Even if you try to manually pair the watch with Android using
some third party tools, it doesn't force the official
COROS app to use encryption. The app just keeps communicating
(07:46):
unencrypted anyway. Oh.
Come on, that's. That's bad.
It's pretty bad. OK, let's break this down
further. Let's look at some truly
alarming real world attack scenarios.
Because this isn't just about someone seeing your heart rate,
though. People care about that too.
Right, the implications seem bigger.
Much bigger. The SySS report outlines multiple
critical vulnerabilities with really wide-ranging attack
(08:09):
scenarios that can impact your privacy, your peace of mind,
maybe even your performance. OK, like what?
Well, one of the most alarming is account hijacking.
Your actual COROS account. Your actual COROS account.
See, every time your phone connects to the watch, sensitive
API keys, specifically something called an access token, get
transmitted unencrypted on Android.
Unencrypted on Android, an attacker can basically pretend
(08:31):
to be a COROS watch and just steal this key.
And once they have the key.
They get full access to all your profile and activity data.
They can even modify your account information.
Modify it like delete runs. Or worse, this isn't just losing
pace data, it's potentially erasing or messing with your
entire athletic history. Imagine years of training logs,
(08:53):
race results, PBs, all vulnerable, wiped or faked by some random
attacker. That fundamentally undermines
the whole point of using the device.
Totally. It destroys the trust.
Then there's eavesdropping, a big privacy breach.
OK. Think about personal messages,
any notifications on your wrist, the watch shows stuff from
WhatsApp, iMessage, whatever. Yes, standard feature.
(09:14):
But because of the unencrypted communication on Android, an
attacker can just sniff eavesdrop on the content of
these private notifications. Someone nearby could literally
be reading your private chats as they pop up.
That's creepy. Very and it gets even more
disruptive: device manipulation. They can change settings.
Yeah, attackers can actively mess with your watch settings.
For instance, the SySS researchers figured out the
(09:36):
message structure for the Do Not Disturb function, meaning they
could remotely turn DND on or off on your watch without you
knowing or wanting it. And that's just one example.
The report suggests other configurations are probably
possible too. Imagine someone turning off your
notifications or messing with settings during a race.
Exactly. Super disruptive.
(09:56):
And this begs the question, beyond spying, what about
outright disruption, especially for an athlete you know, in a
high stakes moment? Yeah, can they break it?
Well, the SySS analysis found attackers could remotely trigger
a factory reset of the watch. No way factory reset mid race.
Imagine you're in a marathon pushing for a PB, heart
pounding, and bam, your watch resets, loses all recorded
(10:21):
activity data, forces a restart with default settings.
That's race over data gone. As the 5K runner notes, that
could absolutely be the end of a successful race.
Derails your effort, loses invaluable data from that key
moment. And even more directly, the
report details how specific malicious data payloads
exploiting things like a null pointer dereference, that's
(10:43):
CWE-476, and an out of bounds read, CWE-125.
OK, technical terms, but basically ways to crash it.
Exactly. Think of them as ways to make
the watch try to access memory it shouldn't, causing it to
crash and immediately reboot even during an ongoing activity.
So again, data loss. Complete data loss for whatever
(11:05):
you were tracking. That's not just annoying, that's
your hard earned training data just gone instantly.
And as a sort of less critical but still incredibly disruptive
bonus exploit, an attacker could even remotely trigger your watch
to beep and blink. Make it annoying.
Make it annoying, or even trick your watch into making your
phone alert you with its Find My Device function.
OK, that's just messing with you, but shows the level of
(11:27):
control. It really highlights the
alarming level of unauthorised control an attacker could
potentially get over your devices.
So what does this all mean for COROS users right now?
And crucially, what's COROS saying or doing?
Yeah, the response is key.
Well, according to reports from the security researchers which
got shared by Reddit users, COROS has been contacted.
(11:49):
They've apparently set timelines for fixing some vulnerabilities,
some maybe this month, others end of year.
OK, so some fixes are planned. Some are planned, but crucially,
one vulnerability has no plan for a fix.
Still that one outstanding issue with no fix planned.
Exactly. That's a pretty stark reality
(12:09):
for users, especially considering how deep some of
these issues go. And the Reddit community's alarm
was, well, palpable. You could feel it.
We saw one user quote basically saying lol.
So there is no security at all when you're using an Android
phone. Captures the feeling pretty
well. It does, they went on.
Everyone in Bluetooth range can hijack your COROS account, get
(12:29):
access to all your activities and do everything with a watch
you could do from the companion app.
That really sums up the concern among athletes.
Understandable concern. Totally.
Another user even suggested COROS should just add an option to
disable Bluetooth entirely. Like a kill switch.
Yeah, a feature that, notably, some Garmin watches already
have. It would at least give users an
immediate workaround if they're worried.
(12:51):
Right. Put control back in the user's
hands temporarily. Exactly.
And this really brings us back to that crucial point about the
bigger picture, doesn't it? How so?
As the 5K runner put it quite well, this just make it work
approach to security is deeply concerning.
It makes you wonder, doesn't it, if basic Bluetooth security was
overlooked, what about other complex features athletes rely
(13:13):
on? Things like training, readiness
or other performance metrics. Were they implemented with
thorough security consideration? It casts doubt on the overall
process. It really does.
It's about a company's fundamental commitment not just
to cool features, but to basic user data integrity and privacy.
Foundational stuff. Foundational stuff. And SySS,
(13:33):
remember, reported all these vulnerabilities through their
responsible disclosure programme back in June, right?
But it's important to stress that when they published their
analysis, not all vulnerabilities had been
resolved. Still outstanding issues.
Which leaves many COROS Pace 3 users, particularly the huge
number on Android, vulnerable to some pretty significant security
risks that are clearly laid out in these reports.
(13:55):
It's just a reminder that even advanced tech needs solid
security basics. We've really deep dived into a
fascinating and yeah concerning report today.
From exposed API keys leading to potential account takeovers
wiping out your athletic history to the ability for someone to
crash your watch mid race. Or just reading your private
messages. Or just having your private
(14:16):
notifications sniffed. It's, it's a lot to consider for
you, our listener, whether you're a COROS user, maybe
thinking of buying one, or just considering any sports watch
that tracks your health and activity.
This deep dive really highlightsthe absolute importance of
understanding the digital security of these devices,
devices you rely on for your health and your very personal
data. And this raises, I think, an
(14:37):
important final question. In a world where our most
personal data you know, from our heartbeats to our training logs,
is so intertwined with our performance in daily lives, what
level of responsibility should manufacturers really bear when
core security mechanisms are overlooked like this, especially
when critical issues apparently remain unaddressed?
(14:58):
That's the core question, isn't it?
It is. It's something for you to
mull over as you think about your own tech habits?
What information you're entrusting to these powerful,
yet as we've seen, potentially vulnerable devices?
Because ultimately, the trust you place in your gear really
should extend to its digital defences, too.