Serious Security Issue Found in Coros Fitness Trackers

If you thought Strava’s privacy issues were serious, buckle up: Coros has confirmed that its watches have serious security issues. In a security analysis of the Coros Pace 3’s Bluetooth implementation, German IT security researchers identified at least eight separate security vulnerabilities that affect all Coros devices on the market, not just the Pace 3 model as initially suspected. After an initially lukewarm response, Coros has gone into damage control mode and is promising fixes by the end of the summer.
How Bluetooth Makes Coros Watches Vulnerable
The vulnerabilities arise from fundamental problems in the Bluetooth connectivity code common to all Coros watches and their bike computer, creating a security risk that impacts the company’s entire product line.
By exploiting these security vulnerabilities, an unauthorized attacker within Bluetooth range can perform the following actions:
- Hijacking user accounts and accessing all saved fitness data on COROS.com
- Eavesdropping on sensitive information, including text messages and notifications
- Remotely controlling device settings without the user’s knowledge
- Remotely resetting devices to factory settings, erasing all user data
- Emergency devices in critical moments
- Interrupting active training and forcing the loss of recorded fitness data
If you’re interested in digging deeper into the specific coding and architecture issues at play here, I highly recommend checking out the original blog post describing the issue. Perhaps most concerning is the attackers’ ability to inject false information, such as fake text notifications, while simultaneously monitoring all legitimate messages and notifications sent to the watch.
When Coros learned of these massive vulnerabilities, it didn’t seem alarmed at first. Security researchers followed standard industry protocol, disclosing the vulnerabilities to the company confidentially and giving it a 90-day window to provide patches before going public. The company initially indicated that patches wouldn’t arrive until late 2025 — not a particularly urgent response. It wasn’t until the vulnerabilities were publicly disclosed on June 17, 2025, with detailed reproduction steps and exploit code, that Coros began to take the situation seriously.
What Coros users need to do
The company has accelerated its deadline, promising a partial fix by the end of July and a full resolution by August.
Coros’ initial response seemed to treat these critical security vulnerabilities as routine mistakes that could be chalked up to inexperience: While the issues are concerning, this appears to be the company’s first major security incident. Gadget columnist DC Rainmaker — the same reporter who initially brought the issue to Coros — argues that after this, Coros will likely have better public channels and internal processes for addressing future security issues.
But leaving that issue aside, what should you do if you own an affected device?
In a Reddit comment, Coros says that if your watch is up to date, you don’t need to do anything right now. But when the next software updates arrive in July and August, you should update your watch immediately to fix these vulnerabilities. Unfortunately, there are currently no effective workarounds to mitigate the vulnerabilities, as they are built into the devices’ Bluetooth communication protocols.
Summary
Even if you’re not a Coros user, it’s important to remember that all wearable fitness devices, despite their seemingly innocuous nature, can pose serious security risks. These devices often have access to very personal information — from health data and location tracking to text messages and notifications — making them attractive targets for hackers. As our wearables become increasingly complex and interconnected, it’s more important than ever to stay on top of security best practices.
And if you’re a Coros user, be sure to install all July and August updates as soon as they’re released.