Reference Number: ACG-CSB 070125398
The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.
SUMMARY
A popular fitness watch has serious Bluetooth security flaws that put users at risk. Security experts discovered that anyone nearby with the right tools can connect to the watch without permission. Once connected, hackers can take over the user’s account, read private notifications, view workout details, and even crash or reset the watch remotely.
The issue lies in how the watch connects to phones using Bluetooth. On Android phones, the watch allows direct access without proper pairing. On iPhones, it uses an outdated pairing method that does not protect the connection with a code or encryption. As a result, nearby attackers can connect to the device without authorization, impersonate the watch or the app, steal data, and gain control of the device.
These vulnerabilities are dangerous. Hackers can track your movements, learn your routines, and potentially use this information for stalking or other physical threats. They can also access health information like heart rate and sleep patterns, which may be sold or used in scams. The watch does not provide any alert or indication when someone connects, so users remain unaware of any unauthorized access.
RECOMMENDATION
Here are practical tips to stay safe from Bluetooth-based attacks on smartwatches and similar devices:
- Avoid pairing the watch in public areas where attackers may be present;
- Monitor account activity for unusual logins or unauthorized settings changes;
- Avoid using the watch to access sensitive messages or personal information;
- Keep the watch within close range to reduce the risk of nearby attacks;
- Turn off Bluetooth when not in use to minimize exposure to potential threats; and
- Keep firmware and app versions updated to patch known security vulnerabilities.
For additional information, please refer to the following websites:
- https://blog.syss.com/posts/bluetooth-analysis-coros-pace-3/
- https://www.dcrainmaker.com/2025/06/coros-confirms-substantial-watch-security-vulnerablity-says-fixes-are-coming.html
POINT OF CONTACT
Please contact PCOL JERRY V EMPIZO, Chief, Cyber Security Unit, through e-mail address csradacgroup@gmail.com or by telephone at (632) 723-0401 local 7488 for any inquiries related to this CYBER SECURITY BULLETIN.