Apple Watch security bug

Discussion in 'Apple Watch' started by ZEEN0j, Dec 12, 2015.

  1. ZEEN0j macrumors 6502a

    Joined:
    Sep 29, 2014
    #1
    Just noticed something that I believe is not intended behavior. Me and my daughter was in the middle of our daily wrestle match, when I decided to check her pulse through the complication. Removing the watch from my wrist I had to input my passcode to get to the complication on her wrist. But when I got a reading of her pulse and then removed the watch it did not lock and I could place it on my wrist without having to input my code.

    In short you can in theory remove someone's watch and put it on your arm and access everything. But then again if someone managed doing all that they deserve my watch.
     
  2. TxWatch macrumors 6502

    TxWatch

    Joined:
    Nov 30, 2015
    Location:
    Texas
    #2
    There is a how to write up showing this exact scenario. The person stealing it from you would have to be a "master" pickpocket or you would have to be in a condition of not knowing (or not caring??). Either asleep or drunk would probably fit the criteria ... :confused:

    http://ios.wonderhowto.com/how-to/a...ieves-use-apple-pay-without-your-pin-0161940/

    I suppose it could happen, but I do not use mine for Apple Pay anyway.

    TxWatch
     
  3. Rok73 macrumors 65816

    Rok73

    Joined:
    Apr 21, 2015
    Location:
    Planet Earth
    #3
    I noticed that if I take it off quickly enough and then touch the backside with one or two fingers it doesn't lock.
     
  4. Julien macrumors G3

    Julien

    Joined:
    Jun 30, 2007
    Location:
    Atlanta
    #4
    Easer to just pick someone's pocket. I bet there is not a single documented case of someone stealing an :apple:Watch and using :apple:Pay from it.
     
  5. jasie02, Dec 13, 2015
    Last edited: Dec 13, 2015

    jasie02 macrumors 6502a

    jasie02

    Joined:
    Sep 18, 2014
    #5
    Here is how wrist detection work, with wrist detection activated:
    1) If watch is remove from wrist, it will lock in 1-2 second. Not enough time to steal by other people and place on their wrist.
    2) If owner enter passcode and unlock it, it will unlock as long as display not timeout. So as long as owner (assume only owner has passcode), touching screen, turning/pushing dial/button, it will remain unlock. This is decide by Apple to allow user to continue use AW as long as no timeout occurred.
    3) Once display timeout, it will lock right away.

    This is no different than iPhone. If you have a iPhone, you unlock it, before display timeout, you left it on the table, someone pick it up, they will be able to see anything on it. But with activation lock and WatchOS2.0+, you could make it useless by goto iCloud.com and declared missing. Then AW could no longer could be pair with other iPhone.

    This is similar if not same security measurement as iPhone, provided you have WatchOS 2.0+.
     
  6. TxWatch macrumors 6502

    TxWatch

    Joined:
    Nov 30, 2015
    Location:
    Texas
    #6
    While I agree the chance of someone stealing your Watch and going on a spending spree with Apple Pay is quite low, lets not fool ourselves and say it is not possible. I was able to remove my wife's Watch Sport and put it onto my wrist without it locking the first time I tried. I flipped the band open, slid my two fingers under the Watch and held it until I was able to turn and place it onto my wrist. The 1 second delay window was enough time for me to do both moves with relative ease. As a thief, I would have until the battery runs out to try Apple Pay at various stores without knowing her credit card information or passcode. (This is assuming she did not report it missing, etc.)

    Could I have done it without her "cooperation"? Probably not, because I am not a trained thief or master pickpocket. However, I could have done it if she was asleep or otherwise unaware, as I mentioned previously.

    As some have pointed out in other threads, the Apple Watch does not work 100% with Apple Pay systems due to low power issues, so it might require the thief to use their own money or just walk away without buying at the point of sale. ;) (Awkward)

    Again, I will say the likelyhood of any of this happening is quite low, but definitely possible.

    TxWatch
     
  7. jasie02 macrumors 6502a

    jasie02

    Joined:
    Sep 18, 2014
    #7
    One of biggest different between iPhone and AW is when AW is stolen off you wrist, you should know, and should be able to disable it with iPhone right away. Who ever stole it will have to continue touching it to keep display alive before try to use stolen AP. Try to change passcode will required old passcode. As soon as display timeout, game over for thief try to use stolen AP.

    Is it possible thief could keep display alive, yes, it is likely in real life, not likely. In fact, I will say I am comfortable to bet on it, until someone know a real case of thief able to steal AW, owner has no idea it was stolen off his/her wrist, and thief has to keep touching watch all the time, maybe touching while driving to store, walk to store, shop in store, and while try to use it.

    Imaging you see someone driving keep touching AW, in the store keep touching AW all time when shopping and also keep touching display waiting in line, and in front of cashier.
    I will pay to see that in action. :)
     
  8. TxWatch macrumors 6502

    TxWatch

    Joined:
    Nov 30, 2015
    Location:
    Texas
    #8
    I agree you "should" know your Watch is missing under normal circumstances, but not if your are out cold. :D

    Not sure what you mean by having to keep touching it. As long as the thief places the Watch on their arm, it will stay unlocked. Try it for yourself. Move your watch from the arm you wear it on to the other arm. As long as you keep your fingers on the sensors under the Watch, it is very easy to do. Once it is on your other arm, it is still unlocked and AP will work even if your iPhone is no longer in range.

    TxWatch
     
  9. adamhenry macrumors 65816

    adamhenry

    Joined:
    Jan 1, 2015
    Location:
    On the Beach
    #9
    So which is easier? Knocking someone out and stealing their watch or cutting off a finger and stealing their phone?
     
  10. TxWatch macrumors 6502

    TxWatch

    Joined:
    Nov 30, 2015
    Location:
    Texas
    #10
    Thanks for the laugh! I had not considered cutting off a finger an issue for unlocking my iPhone, but that is also possible! :rolleyes: It my case, it will be my thumbs they have to cut off.

    For the out cold comment, I was thinking more of the people who cannot remember how they got home. The next day they will wonder what happened to their Watch and it will be too late to report it as missing because their AP will have maxed out all their CCs.

    TxWatch
     
  11. jasie02, Dec 13, 2015
    Last edited: Dec 13, 2015

    jasie02 macrumors 6502a

    jasie02

    Joined:
    Sep 18, 2014
    #11
    You are right about stay in unlock, but it will required everything done in less than 2 second.

    But, if you are out, and unless you are in your own house, you likely have iPhone, wallet, & keys with you, with touch ID finger attached to you easily accessible to unlock iPhone. Thief will likely unlock your iPhone, steal your wallet and keys, maybe even take your clothes. :)
    If they have time to remove your watch, when you are so out did not even know your watch is gone, they have time to steal everything on your body, maybe all the way down to your underwear or less.

    So don't get drunk/drug and out by yourself.

    Added: assume you mention out cold only because it is likely event for you or anyone you know, or has experienced, totally out cold outside of your house by yourself or someone you know, so someone could steal your/someone-you-know's watch without knowing, and there is no friend with you/someone-you-know to at least let you/someone-you-know know someone stole your watch. Other wise, it is just a possible but unlikely event, right?
     
  12. TxWatch macrumors 6502

    TxWatch

    Joined:
    Nov 30, 2015
    Location:
    Texas
    #12
    2 seconds is not the issue. I can hold the Watch in my hand for as long as I want as long as my fingers are on the sensors. The Watch does not know it is on a wrist or a finger or the palm of your hand, as long as it "sees" something without a 1 second disruption, it will remain unlocked. Good or bad, that is how it works.

    It has never happened to me or anyone I know, but I have heard stories on the Internet... As you point out, the chance of someone stealing my Watch for AP is probably as unlikely as someone cutting off my thumb to get at the AP on my iPhone. But we were talking about possibilities, not probabilities, weren't we? :cool:

    Thanks for the thoughtful replies and the humor. I think we can put this one to rest!

    TxWatch
     
  13. bcollett macrumors newbie

    Joined:
    May 5, 2015
    #13
    Heart rate isn't the only thing that keeps the Apple Watch unlocked, if you rotate the crown into Time Travel it will ignore the sensor as well.
     

Share This Page