CVE-2025-32876: n/a
An issue was discovered on COROS PACE 3 devices through 3.0808.0. The BLE implementation of the COROS smartwatch does not support LE Secure Connections and instead enforces BLE Legacy Pairing. In BLE Legacy Pairing, the Short-Term Key (STK) can be easily guessed. This requires knowledge of the Temporary Key (TK), which, in the case of the COROS Pace 3, is set to 0 due to the Just Works pairing method. An attacker within Bluetooth range can therefore perform sniffing attacks, allowing eavesdropping on the communication.
AI Analysis
Technical Summary
CVE-2025-32876 identifies a security vulnerability in the Bluetooth Low Energy (BLE) implementation of COROS PACE 3 smartwatches up to firmware version 3.0808.0. The core issue lies in the device's use of BLE Legacy Pairing rather than the more secure LE Secure Connections mode. BLE Legacy Pairing relies on a Short-Term Key (STK) derived from a Temporary Key (TK), which in this case is fixed to zero due to the use of the Just Works pairing method. This method does not require user interaction or authentication, making the TK trivially guessable. Consequently, an attacker within Bluetooth range can perform passive sniffing attacks to eavesdrop on the communication between the smartwatch and paired devices. This compromises the confidentiality of data transmitted over BLE, such as health metrics, notifications, or other sensitive information. The vulnerability does not require active exploitation or user interaction beyond proximity, and no authentication barriers prevent an attacker from capturing the BLE traffic. Although no known exploits have been reported in the wild, the fundamental weakness in the pairing protocol presents a significant risk to user privacy and data security. The lack of LE Secure Connections support means that the device does not benefit from the stronger cryptographic protections introduced in Bluetooth 4.2 and later standards, which mitigate passive eavesdropping risks. This vulnerability is specific to the COROS PACE 3 smartwatch and its BLE implementation, affecting all devices running vulnerable firmware versions prior to a patch or update that enables LE Secure Connections or otherwise strengthens pairing security.
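A defensive check for the condition described above, as an added example (not code from the advisory or the vendor): it decodes the SMP Pairing Request and Pairing Response taken from a capture of your own device's pairing and reports whether the exchange falls back to Legacy Pairing with Just Works, the case in which the TK is 0. The sample PDUs are constructed, and the function and constant names are hypothetical.

```python
# SMP opcodes and AuthReq bits, Bluetooth Core Specification Vol 3, Part H.
PAIRING_REQUEST, PAIRING_RESPONSE = 0x01, 0x02
AUTH_MITM, AUTH_SC = 0x04, 0x08
NO_INPUT_NO_OUTPUT = 0x03
DISPLAY_ONLY_OR_YESNO = (0x00, 0x01)  # no keyboard: cannot enter a passkey


def parse_pairing_pdu(pdu: bytes, opcode: int) -> dict:
    """Decode a 7-byte SMP Pairing Request/Response with the expected opcode."""
    if len(pdu) != 7 or pdu[0] != opcode:
        raise ValueError("unexpected SMP pairing PDU")
    if pdu[1] > 0x04:
        raise ValueError("reserved IO capability value")
    return {"io": pdu[1], "oob": pdu[2] == 0x01,
            "mitm": bool(pdu[3] & AUTH_MITM), "sc": bool(pdu[3] & AUTH_SC)}


def classify_pairing(req: bytes, rsp: bytes) -> dict:
    """Return the pairing mode and, for Legacy Pairing, the association model."""
    i = parse_pairing_pdu(req, PAIRING_REQUEST)
    r = parse_pairing_pdu(rsp, PAIRING_RESPONSE)
    if i["sc"] and r["sc"]:  # Secure Connections needs the SC bit from both sides
        return {"mode": "LE Secure Connections", "method": None, "fixed_zero_tk": False}
    if i["oob"] and r["oob"]:
        method = "Out of Band"
    elif not (i["mitm"] or r["mitm"]):
        method = "Just Works"  # neither side requested MITM protection
    elif NO_INPUT_NO_OUTPUT in (i["io"], r["io"]) or (
            i["io"] in DISPLAY_ONLY_OR_YESNO and r["io"] in DISPLAY_ONLY_OR_YESNO):
        method = "Just Works"  # IO capabilities cannot support a passkey
    else:
        method = "Passkey Entry"
    return {"mode": "Legacy Pairing", "method": method,
            "fixed_zero_tk": method == "Just Works"}


# Constructed sample PDUs (not captured from a COROS device).
SAMPLE_REQ = bytes.fromhex("0104002d100f0f")         # central: KeyboardDisplay, MITM+SC
SAMPLE_RSP_LEGACY = bytes.fromhex("02030001100303")  # peripheral: NoInputNoOutput, no SC
SAMPLE_RSP_SC = bytes.fromhex("02030009100303")      # same peripheral with the SC bit set

if __name__ == "__main__":
    for name, rsp in (("legacy", SAMPLE_RSP_LEGACY), ("sc", SAMPLE_RSP_SC)):
        print(name, classify_pairing(SAMPLE_REQ, rsp))
```

A result with `fixed_zero_tk` set to true is the configuration this CVE describes; a firmware update that fixes it should move the same check to `LE Secure Connections`.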
Potential Impact
For European organizations, especially those in sectors where employee health and fitness data are monitored via wearables, this vulnerability poses a privacy and security risk. Sensitive personal data transmitted by the smartwatch could be intercepted by malicious actors, potentially leading to unauthorized disclosure of health information or other personal identifiers. Organizations that issue COROS PACE 3 devices to employees or integrate them into workplace wellness programs could face compliance challenges under GDPR due to the risk of data leakage. Additionally, if the smartwatch is used in conjunction with enterprise applications or paired with corporate devices, the intercepted BLE traffic might reveal contextual information about user activities or device states, which could be leveraged for targeted social engineering or further attacks. The vulnerability also raises concerns for high-profile individuals or executives using these devices in sensitive environments, where eavesdropping could facilitate espionage or surveillance. While the attack requires physical proximity (Bluetooth range), the ease of exploitation and lack of user interaction mean that attackers could discreetly capture data in public or semi-public spaces. The overall impact is primarily on confidentiality, with limited direct effect on device integrity or availability.
Mitigation Recommendations
To mitigate this vulnerability, organizations and users should prioritize updating the COROS PACE 3 firmware as soon as a patch enabling LE Secure Connections or an equivalent security enhancement is released by the vendor. Until such updates are available, users should disable Bluetooth connectivity when not actively pairing or transmitting sensitive data to minimize exposure. Employing physical security measures to limit unauthorized access within Bluetooth range, such as restricting device use in sensitive areas, can reduce risk. Additionally, organizations should consider implementing endpoint security controls that monitor and restrict Bluetooth communications on paired devices, potentially detecting anomalous scanning or sniffing activities. For environments with heightened security requirements, replacing vulnerable devices with alternatives supporting LE Secure Connections and stronger pairing methods is advisable. User education about the risks of BLE Legacy Pairing and the importance of controlling device proximity can further reduce attack surface. Finally, integrating network-level encryption or application-layer security for data transmitted to and from the smartwatch can provide defense-in-depth against eavesdropping.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Switzerland, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-04-11T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 685566507ff74dad36a65741
Added to database: 6/20/2025, 1:46:56 PM
Last enriched: 6/20/2025, 2:03:12 PM
Last updated: 8/13/2025, 7:56:11 AM