COROS, the GPS watch brand beloved by endurance athletes, is now facing a massive security crisis after a German researcher publicly disclosed eight vulnerabilities that give attackers near-total access to both the company’s watches and users’ personal accounts.
The vulnerabilities, first discovered in March by cybersecurity expert Moritz Abrell of SySS GmbH, impact all COROS watches, not just the newer Pace 3 model that Abrell initially tested.
Among the exploits: attackers could hijack a user’s COROS.com account, factory reset the device, manipulate settings, intercept messages sent to the watch via Bluetooth, and even interrupt or erase an activity in real time. In practice, that means a bad actor standing near you during a marathon could crash your watch mid-race and wipe your workout data.
In a tech demo accompanying his report, Abrell showed that a fake “you’re fired” text message from a spoofed contact could be injected directly into a user’s watch. And since these attacks are Bluetooth-based, no physical access to the device is needed.
Anyone within wireless range could carry them out.
The vulnerabilities were publicly disclosed on June 17, after COROS failed to address them during the standard 90-day grace period that security researchers typically allow for vendors to fix bugs before going public.
And while it’s not uncommon for companies to need extra time, COROS’s initial response, saying it wouldn’t fix the bugs until the end of the year, began to raise eyebrows.

A Slow Response to Serious Problems
COROS’s delay didn’t go unnoticed by Abrell or by Ray Maker of DC Rainmaker, who broke the story in the sports tech world after being tipped off by a reader.
Maker reached out to the company directly and, within hours, received confirmation that COROS was taking another look.
A couple of days later, COROS CEO Lewis Wu responded with a long and candid email admitting the company had dropped the ball.
“You’re right that we were initially notified earlier this year … but I have to admit the priority should have been higher,” Wu wrote to DC Rainmaker, acknowledging that the company initially gave a vague “end of 2025” timeline that didn’t reflect the severity of the issue.
Wu confirmed the vulnerabilities affected most COROS devices, not just the Pace 3, due to shared Bluetooth architecture across its product line.
He also outlined a two-part fix: some updates, including better authentication for device pairing, would be rolled out by the end of July. Other fixes, related to encrypted communication between watch and phone, are slated for late August, which he admitted was an “aggressive goal.”
The full list of vulnerabilities and proof-of-concept code is now publicly available, meaning anyone with the know-how could exploit them. That’s part of what makes the delay so serious: users are now exposed, and the attack instructions are out in the open.

A Moment of Reckoning for COROS
While this isn’t the first time a wearables company has faced security issues (Garmin’s 2020 ransomware attack famously took down its services for days), it’s one of the most comprehensive and serious sets of flaws publicly disclosed in recent memory.
The fact that the attack can be carried out wirelessly, without even touching the device, makes it particularly concerning for runners, cyclists, and triathletes who rely on their watches not just for data but for peace of mind during races and training.
“There’s a before and after moment for every company when it comes to security,” Maker wrote in his report. “This might be that moment for COROS.”
COROS appears to be treating it as such.
Wu told DC Rainmaker that the company is overhauling how it handles future security disclosures and prioritizing fixes more aggressively going forward.
But it’s also clear that, until recently, the company didn’t have strong processes in place to triage and escalate security issues, especially ones that should never have landed in the same support queue as, say, a bug in the sleep tracking algorithm.
For users, there’s not much to do right now except wait and install firmware updates as soon as they’re released. COROS says the first round will arrive in July, with the second wave in August. In the meantime, those worried about being targeted could disable Bluetooth on their watches in public, but realistically, most won’t.
And that’s part of what makes this such a pivotal moment for COROS.
Its watches are staples among ultrarunners and adventure athletes precisely because they’re so reliable. Now, that trust has taken a hit, not because bugs exist (they always will), but because the company waited too long to act.
COROS says it’s learning from this. For the sake of its users, let’s hope that lesson sticks.