A blogger has discovered what could potentially be a rather serious security flaw with the Apple Watch, with crafty thieves able to trick the wearable into believing it is still being worn by its owner.
The flaw exploits a feature of the Apple Watch that uses sensors to detect when it is being worn on a wrist. When you put on the Apple Watch you enter your security PIN, then as long as the Apple Watch knows it is still in contact with the wrist, you don't have to enter the PIN again.
This feature makes using the Apple Watch to pay for things via Apple Pay more convenient, but it's also open to exploits.
Bait and switch
When the sensor detects that the wrist is no longer in contact with the Apple Watch, the wearable locks itself, requiring you to enter a PIN the next time you wear it. If someone removes it from your wrist and puts it on themselves, they will need to enter that PIN.
However, it was discovered that there are two weaknesses in Apple's implementation. The first is that the sensor takes about a second to detect that it's not being touched by the wrist. While this means that the Apple Watch doesn't accidentally lock itself when it shifts while being worn, it does provide thieves with a window, no matter how slight.
The other weakness is that the sensor cannot differentiate between a wrist and a finger, so someone could steal the Apple Watch and then place a finger over the sensor to keep it from being locked.
The thief could then use your Apple Watch to pay for things without having to enter any PIN. The blogger at WonderHowTo posted a video on how this flaw could be exploited.
As you can see from the video, it is tricky to pull off and will be very difficult to perform without the wearer noticing, but it is possible.
We also tried the method here and can confirm that it does work (don't worry, we returned the Apple Watch to its owner afterwards).
Although you might be concerned that posting a video on how to do this will simply teach thieves the trick, it should hopefully bring the issue to the attention of Apple, who could eliminate the risk by reducing the time the sensor takes to notice it's not attached to the wrist, or by replacing it with a more sophisticated device in the next model.
Until then, be extra wary, and if your Apple Watch does get stolen, make sure you cancel any cards connected to the device to be on the safe side.