For those who thought Strava’s privateness points had been dangerous, strap in: Coros has confirmed some main safety points with its watches. Throughout an evaluation of Coros Tempo 3 Bluetooth safety, German IT safety researchers recognized no less than eight distinct safety flaws that have an effect on each Coros system in the marketplace—not simply the Tempo 3 mannequin, as was first believed. After an initially lackluster response, Coros has since entered harm management mode, and is promising fixes by the tip of summer season.
How Bluetooth makes Coros watches susceptible
The vulnerabilities stem from elementary points within the Bluetooth connectivity code shared throughout all Coros watches and their bike pc, making a safety nightmare that impacts the corporate’s whole product lineup.
By exploiting these safety flaws, an unauthenticated attacker inside Bluetooth vary can carry out the next actions:
-
Hijack person accounts and entry all saved health knowledge on COROS.com
-
Listen in on delicate info together with textual content messages and notifications
-
Manipulate system settings remotely with out person information
-
Manufacturing unit reset units from a distance, wiping all person knowledge
-
Crash units throughout important moments
-
Interrupt energetic exercises and drive the lack of recorded health knowledge
For those who’re desirous about diving into the particular coding and architectural points at play right here, I extremely suggest looking at the unique weblog put up outlining the issue. Maybe most regarding is the power for attackers to inject false info, equivalent to pretend textual content notifications, whereas concurrently monitoring all real messages and notifications despatched to the watch.
When alerted to those large safety holes, Coros initially appeared lower than alarmed. The safety researchers adopted commonplace trade protocol, privately disclosing the vulnerabilities with the corporate and offering a 90-day window for it to offer fixes earlier than going public. At first, the corporate indicated that fixes would not arrive till the tip of 2025—a lower than pressing response. Solely after the vulnerabilities had been publicly disclosed on June seventeenth, 2025, full with detailed copy steps and exploit code, did Coros start taking the state of affairs severely.
What Coros customers must do
The corporate has now accelerated its timeline, promising partial fixes by the tip of July and full decision by August.
The preliminary response from Coros seems to have handled these important safety flaws as routine bugs, which is perhaps chalked as much as inexperience: Although the problems are regarding, this does seem like the corporate’s first main safety incident,. Gadget reviewer DC Rainmaker—the identical reporter answerable for escalating this subject to Coros within the first place—posits that after this, Coros will seemingly have higher public channels and inside processes in place for tackling future safety points.
What do you assume thus far?
However that subject apart, what do you could do in the event you personal an affected system?
In a Reddit remark, Coros says in case your watch is updated, there’s nothing you could do proper now. However when their subsequent software program updates can be found in July and August, it is best to replace your watch instantly to repair these vulnerabilities. Sadly, there aren’t any efficient workarounds to mitigate the vulnerabilities within the meantime, as they’re embedded within the units’ Bluetooth communication protocols.
The underside line
Even in the event you aren’t a Coros person, it is essential to do not forget that all health wearables, regardless of their seemingly benign nature, can turn into important safety liabilities. These units usually have entry to extremely private info—from well being knowledge and site monitoring to textual content messages and notifications—making them engaging targets for hackers. As our wearables turn into more and more subtle and related, it is extra essential than ever to remain on prime of greatest safety practices.
And in case you are a Coros person, be sure you set up any and all July and August updates as quickly as they’re launched.
