A blogger recently detailed a potential security vulnerability that may point to a serious flaw in the Apple Watch’s design, one that could lead to some big headaches for some users. In a nutshell, a nifty feature designed by Apple to maintain security on the Watch without sacrificing convenience may have actually ended up sacrificing security instead, allowing thieves to continue using Apple Pay on a stolen Watch without having to input the owner’s PIN code to confirm purchases.
It should be noted, however, that the procedure detailed by the blogger in question did not yield consistent results. As such, a thief would seemingly need a bit of luck in order to ensure that he or she can exploit this vulnerability.
The security setup on Apple’s Watch is actually quite brilliant. Using sensors beneath sapphire crystal on the back of the device, the Watch knows when it is being worn on a user’s wrist and doesn’t require the owner to input the device’s security code while the Watch is being worn. This also allows users to make payments with Apple Pay without the need to verify them by inputting a PIN.
These sensors can also detect when the Watch has been removed from a person’s wrist. Once that detection has been made, PIN code security is re-enabled.
Herein lies the potential problem. As detailed in a recent post on WonderHowTo, there is actually a delay of about a second between when a Watch is removed from the wrist and when PIN security is re-enabled.
This delay is likely in place to ensure that security isn’t accidentally enabled when the Apple Watch shifts on a wearer’s wrist, but it could also enable a vulnerability that crafty thieves can exploit. The Watch cannot distinguish between a wrist and a finger, so a thief could snatch a Watch off of a wearer’s wrist and then quickly cover the sensors with his or her fingers in order to keep PIN security disabled.
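The trade-off behind that delay can be modelled as a debounce timer that relocks only after skin contact has been lost for a full grace window. This is an added example, not Apple's implementation or code from the original post: the `WristLock` class, the `relock_time` helper, the 1.0-second value (taken from the "about a second" figure above) and both sensor timelines are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

GRACE_SECONDS = 1.0  # assumption: the "about a second" delay reported in the post


@dataclass
class WristLock:
    """Toy model of a wrist-detection lock with a debounce (grace) window."""
    grace: float = GRACE_SECONDS
    locked: bool = False                # starts unlocked: PIN was entered while worn
    lost_since: Optional[float] = None  # time at which skin contact was lost

    def sample(self, t: float, contact: bool) -> bool:
        """Feed one sensor reading; return True once the PIN lock is engaged."""
        if self.locked:
            return True                 # only a PIN entry (not modelled) unlocks
        if contact:
            self.lost_since = None      # any contact cancels the countdown
        elif self.lost_since is None:
            self.lost_since = t         # contact just lost: start the countdown
        elif t - self.lost_since >= self.grace:
            self.locked = True          # no contact for the whole window: relock
        return self.locked


def relock_time(timeline, grace=GRACE_SECONDS):
    """Return the sample time at which the lock engages, or None if it never does."""
    lock = WristLock(grace=grace)
    for t, contact in timeline:
        if lock.sample(t, contact):
            return t
    return None


# Constructed (time in seconds, skin contact) readings.
# Contact is lost for 0.5 s and then restored. The sensor reports only
# "contact" or "no contact", so a strap shifting on the wrist and the
# sensors being covered again by something else produce this same trace.
BRIEF_GAP = [(0.0, True), (0.25, False), (0.5, False), (0.75, True), (5.0, True)]
# Contact is lost and stays lost for longer than the grace window.
REMOVED = [(0.0, True), (0.25, False), (0.75, False), (1.5, False), (3.0, True)]

if __name__ == "__main__":
    for grace in (1.0, 0.25):
        print(f"grace={grace}: brief gap relocks at {relock_time(BRIEF_GAP, grace)}, "
              f"removal relocks at {relock_time(REMOVED, grace)}")
```

Shortening the window closes the gap sooner but also locks the Watch on a harmless half-second shift, which is the convenience cost the delay appears designed to avoid.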
A successful swipe using this method would give the thief access to what little personal data is stored on the Watch. Beyond that, it would allow the thief to make purchases using Apple Pay without having to authenticate them. Then, once the damage is done, he or she can reset the Apple Watch using the vulnerability we detailed in an earlier post, and then sell it using sites like eBay or Craigslist.
The video embedded below shows how simple it is to exploit this vulnerability.