If you thought Strava’s privacy issues were bad, strap in: Coros has confirmed some major security issues with its watches. During an analysis of Coros Pace 3 Bluetooth security, German IT security researchers identified at least eight distinct security flaws that affect every Coros device on the market—not just the Pace 3 model, as was first believed. After an initially lackluster response, Coros has since entered damage control mode, and is promising fixes by the end of summer.
How Bluetooth makes Coros watches vulnerable
The vulnerabilities stem from fundamental issues in the Bluetooth connectivity code shared across all Coros watches and their bike computer, creating a security nightmare that impacts the company’s entire product lineup.
By exploiting these security flaws, an unauthenticated attacker within Bluetooth range can perform the following actions:
-
Hijack user accounts and access all stored fitness data on COROS.com
-
Eavesdrop on sensitive information including text messages and notifications
-
Manipulate device settings remotely without user knowledge
-
Factory reset devices from a distance, wiping all user data
-
Crash devices during critical moments
-
Interrupt active workouts and force the loss of recorded fitness data
If you’re interested in diving into the specific coding and architectural issues at play here, I highly recommend taking a look at the original blog post outlining the problem. Perhaps most concerning is the ability for attackers to inject false information, such as fake text notifications, while simultaneously monitoring all genuine messages and notifications sent to the watch.
When alerted to these massive security holes, Coros initially seemed less than alarmed. The security researchers followed standard industry protocol, privately disclosing the vulnerabilities with the company and providing a 90-day window for it to provide fixes before going public. At first, the company indicated that fixes wouldn’t arrive until the end of 2025—a less than urgent response. Only after the vulnerabilities were publicly disclosed on June 17th, 2025, complete with detailed reproduction steps and exploit code, did Coros begin taking the situation seriously.
What Coros users need to do
The company has now accelerated its timeline, promising partial fixes by the end of July and complete resolution by August.
The initial response from Coros appears to have treated these critical security flaws as routine bugs, which might be chalked up to inexperience: Though the issues are concerning, this does appear to be the company’s first major security incident,. Gadget reviewer DC Rainmaker—the same reporter responsible for escalating this issue to Coros in the first place—posits that after this, Coros will likely have better public channels and internal processes in place for tackling future security issues.
The bottom line
Even if you aren’t a Coros user, it’s important to remember that all fitness wearables, despite their seemingly benign nature, can become significant security liabilities. These devices often have access to highly personal information—from health data and location tracking to text messages and notifications—making them attractive targets for hackers. As our wearables become increasingly sophisticated and connected, it’s more important than ever to stay on top of best security practices.
And if you are a Coros user, make sure you install any and all July and August updates as soon as they are released.
The Daily
Ready to do everything better?
Jordan Calhoun
Get daily tips, tricks, and tech guides from Jordan and the team.
The Daily
Ready to do everything better? Get daily tips, tricks, and tech guides from Jordan and the team.
