COROS, the GPS watch brand beloved by endurance athletes, is now facing a massive security crisis after a German researcher publicly disclosed eight vulnerabilities that give attackers near-total access to both the company's watches and users' personal accounts.
The vulnerabilities, first discovered in March by cybersecurity expert Moritz Abrell of SySS GmbH, impact all COROS watches, not just the newer Pace 3 model that Abrell initially tested.
Among the exploits: attackers could hijack a user's COROS.com account, factory reset the device, manipulate settings, intercept messages sent to the watch via Bluetooth, and even interrupt or erase an activity in real-time, meaning a bad actor standing near you during a marathon could effectively crash your watch mid-race and wipe your workout data.
In a tech demo accompanying his report, Abrell showed that a fake "you're fired" text message from a spoofed contact could be injected directly into a user's watch. And since these attacks are Bluetooth-based, no physical access to the device is needed.
Anyone within wireless range could carry them out.
The vulnerabilities were publicly disclosed on June 17, after COROS failed to address them during the standard 90-day grace period that security researchers typically allow for vendors to fix bugs before going public.
And while it's not uncommon for companies to need extra time, COROS's initial response, saying it wouldn't fix the bugs until the end of the year, began to raise eyebrows.

A Slow Response to Serious Problems
COROS's delay didn't go unnoticed by Abrell or by Ray Maker of DC Rainmaker, who broke the story in the sports tech world after being tipped off by a reader.
Maker reached out to the company directly and, within hours, received confirmation that COROS was taking another look.
A couple days later, COROS CEO Lewis Wu responded with a long and candid email admitting the company had dropped the ball.
"You're right that we were initially notified earlier this year … but I have to admit the priority should have been higher," Wu wrote to DC Rainmaker, acknowledging that the company initially gave a vague "end of 2025" timeline that didn't reflect the severity of the issue.
Wu confirmed the vulnerabilities affected most COROS devices, not just the Pace 3, due to shared Bluetooth architecture across its product line.
He also outlined a two-part fix: some updates, including better authentication for device pairing, would be rolled out by the end of July. Other fixes, related to encrypted communication between watch and phone, are slated for late August, which he admitted was an "aggressive goal."
The full list of vulnerabilities and proof-of-concept code is now publicly available, meaning anyone with the know-how could exploit them. That's part of what makes the delay so serious: users are now exposed, and the attack instructions are out in the open.

A Moment of Reckoning for COROS
While this isn't the first time a wearables company has faced security issues (Garmin's 2020 ransomware attack famously took down its services for days), it's one of the most comprehensive and serious flaws publicly disclosed in recent memory.
The fact that the attack can be carried out wirelessly, without even touching the device, makes it particularly concerning for runners, cyclists, and triathletes who rely on their watches not just for data but for peace of mind during races and training.
"There's a before and after moment for every company when it comes to security," Maker wrote in his report. "This might be that moment for COROS."
COROS appears to be treating it as such.
Wu told DC Rainmaker that the company is overhauling how it handles future security disclosures and prioritizing fixes more aggressively going forward.
But it's also clear that, until recently, the company didn't have strong processes in place to triage and escalate security issues, especially ones that should never have landed in the same support queue as, say, a bug in the sleep tracking algorithm.
For users, there's not much to do right now except wait and install firmware updates as soon as they're released. COROS says the first round will arrive in July, with the second wave in August. In the meantime, those worried about being targeted could disable Bluetooth on their watches in public, but realistically, most won't.
And that's part of what makes this such a pivotal moment for COROS.
Its watches are staples among ultrarunners and adventure athletes precisely because they're so reliable. Now, that trust has taken a hit, not because bugs exist (they always will), but because the company waited too long to act.
COROS says it's learning from this. For the sake of its users, let's hope that lesson sticks.