How I discovered a vulnerability that would allow anyone to see the heart rate of elite athletes?

Posted by Zhouhan, edited by Phyo in July 2022





This is my first blog about hacking. I have debated for a long time if I should publish it or not. On a technical level, the vulnerability I discovered is not that complicated. There is no zero-day exploitation, no assembly code, no reverse engineering, or any crazy stuff people talk about on bug bounty programs.

Yet I still want to tell you my story. I want to show you that hacking is not all about writing complex scripts. Is about patience, imagination, and a little bit of luck. Hacking it a science, but also an art.

If you have read some of my blog posts, you know I'm a runner. In 2021, I bought a sports watch from a company called COROS. The brand is a rising star among distance runners. Elite athelets such as Eliud Kipchoge wears it to track heart rate, daily mileage, and other biometrics.

As a security researcher, I have a habit of looking up subdomains of some companies. In security this is called "asset discovery". Some companies may create a subdomain for internal use, but unintentionally expose the name to the public. It turns out, COROS made such a mistake.

Responsive image
Investigating a subdomain can be time-consuming. Which one should I investigate? This is where luck and imagination kick in.

I used Pentest Tools to find subdomains. When I put coros[.]com into the search box, an interesting subdomain pops up -- jenkins[.]coros[.]com. Jenkins is an "open source automation server to support building, deploying and automating any project."

Was this subdomain used by developers? To learn more, I used nmap to discover open ports on this subdomain. The result is eye-opening -- 15 ports were open to the public.

Most ports are not interesting or are password-protected. After a lot of trial and error, I finally connected to port 3690, which runs the SVN server. SVN is a version control system similar to Github. For some reason, the developer did not add any password to the server! I suddenly realized that I have access to the source code running inside each COROS sports watch!

Responsive image
Open port is not good. Why? Imagine a server is your house, and each open port is a door. Do you want to have 10 doors in your house? Even if each door is locked, is still risky.

I immediately started to draft a vulnerability report to COROS. To assess the severity, I did a string search in the codebase to find any line of code with "password". I was shocked to find that the developer hard-coded username, password and hostname (URL) to connect to the database.

With the username and password, I was able to connect to the database. When I searched for my own name "Zhouhan", I found detailed entries about my running trips, heart beat, stride length, etc,. Since the watch is also used by elite athelets, I'm pretty sure their biometric data is also there...

I stopped searching. I asked myself -- how was that possible? If a developer added a firewall rule to only allow company IP to visit the subdomain, or if someone added password to the SVN server, I would not be able to discover anything substantial. A small mistake can lead to a serious incident.

So this is my hacking story. I was "somewhat technical" (knowing how to connect to a server, search for a string), imaginative (there are so many websites/targets out there, why COROS? because I'm a runner!), and lucky (what if a developer closed that port 1 day, 1 hour, or 1 minute after I started?).

Responsive image
COROS team is very responsive.
I reported all vulnerabilities to COROS (more than 90 days ago). The team has confirmed that they have fixed the issue and that no compromise happened during that time. They also gifted me a new sports watch. The watch is good!