Click to Skip Ad
Closing in...

Potentially big Apple Watch vulnerability could let thieves use Apple Pay on stolen watches

Published May 20th, 2015 10:20AM EDT
Apple Watch Security Flaw
Image: Zach Epstein, BGR

If you buy through a BGR link, we may earn an affiliate commission, helping support our expert product labs.

A potential security vulnerability recently detailed by a blogger may have uncovered a serious flaw in the Apple Watch’s design that could lead to some big headaches for some users. In a nutshell, a nifty feature designed by Apple to maintain security on the Watch without sacrificing convenience may have actually ended up sacrificing security instead, allowing thieves to continue using Apple Pay on a stolen Watch without having to input the owner’s PIN code to confirm purchases.

It should be noted, however, that the procedure detailed by the blogger in question did not yield consistent results. As such, a thief would seemingly need a bit of luck in order to ensure that he or she can exploit this vulnerability.

DON’T MISS: Netflix is testing a redesign that users are going to love – see it first right here

The security setup on Apple’s Watch is actually quite brilliant. Using sensors beneath sapphire crystal on the back of the device, the Watch knows when it is being worn on a user’s wrist and doesn’t require the owner to input the device’s security code while the Watch is being worn. This also allows users to make payments with Apple Pay without the need to verify them by inputting a PIN.

These sensors can also detect when the Watch has been removed from a person’s wrist. Once that detection has been made, PIN code security is re-enabled.

Herein lies the potential problem. As detailed in a recent post on WonderHowTo, there is actually a delay of about a second between when a Watch is removed from the wrist and when PIN security is re-enabled.

This delay is likely in place to ensure that security isn’t accidentally enabled when the Apple Watch shifts on a wearer’s wrist, but it also could enable a vulnerability that can be exploited by crafty thieves; the Watch cannot distinguish between a wrist and a finger, so a thief could snatch a Watch off of a wearer’s wrist and then quickly cover the sensors with his or her fingers in order to keep PIN security disabled.

A successful swipe using this method would give the thief access to what little personal data is stored on the Watch. Beyond that, it would allow the thief to make purchases using Apple Pay without having to authenticate them. Then, once the damage is done, he or she can reset the Apple Watch using the vulnerability we detailed in an earlier post, and then sell it using sites like eBay or Craigslist.

The video embedded below shows how simple it is to exploit this vulnerability.

Zach Epstein Executive Editor

Zach Epstein has been the Executive Editor at BGR for more than 15 years. He manages BGR’s editorial team and ensures that best practices are adhered to. He also oversees the Ecommerce team and directs the daily flow of all content. Zach first joined BGR in 2007 as a Staff Writer covering business, technology, and entertainment.

His work has been quoted by countless top news organizations, and he was recently named one of the world's top 10 “power mobile influencers” by Forbes. Prior to BGR, Zach worked as an executive in marketing and business development with two private telcos.