Apple Watch Vulnerable to Theft With No Activation Lock

[nutmac]

How is this possible when it's out of range of the watch? Unless someone on the same wifi network steals it.

Apple Watch doesn't have GPS. If it's out of contact with your phone then there can be no option to wipe it.

It is possible to implement "lost" mode without WiFi and GPS as long as (1) user sets the passcode, (2) Apple Watch puts the phone in lost mode if repeated passcode entry fails, (3) when Apple Watch is in lost mode or erased/reset/new, it requires cloud-based (Apple server) activation.

 

[rigormortis]

i knew about this since the 26th, and i didnt want to tell anyone because fear of an apple watch scandal. i wrote tim cook and apple security about this issue. they sent me a reply a week ago basically saying this can be solved in a telephone conversation. so i called apple care. and the only thing apple could tell me to do was wait for a software update to come out..

the original source of this article was a post i made on appleseed.

if they are going to read my post and make an article about it the best thing they could do is give me some credit.

im glad this was released . i couldn't make up my mind if i wanted to post abut it or not. i was worried some jack ass from unbox therapy would make 20 million videos off of me.

here is the pdf of the thread i made back on the 1st

 

[rigormortis]

i would ike to say thank you to whoever it was that decided to violate his non disclosure agreement with apple computer just so he can get his name in lights. you are a real jerk and i hope you get sued

 

[thirteen1031]

Who says I have to wait for you to lock your bike? I'll grab it by force before you can lock it.

My. Miss the point much? The point you seem to have missed is that valuable things CAN have such deterrents (and yes, that includes the laptop taking photos—go ahead and google thieves getting their photos taken unawares and/or laptops directing police right to said thieves before they had time or knowledge to erase to OS).

Can such protections make sure that said valuable is utterly and totally theft proof? No. But if I have a car alarm, however weak, then that makes my car slightly less likely to be stolen than the car with nothing. And if I have a car with a strong car alarm (one that contacts the police—and, oh, how wounded I am that you doubt I have that....not!), then that ups the likelihood that my car won't be stolen over a car with no alarm or a weak car alarm.

The point: we can't erase theft, but we can dial it down. Absolutely—as the percentages of iPhone theft prove (you did read that didn't you?). Especially with electronic devices which can be disabled (unlike a bike) and made virtually worthless if stolen. But I don't quite understand why you're arguing over this. I don't believe you haven't any anti-theft deterrents on your valuable devices. A lock for your car or home at least? If you do, then why argue that they're worthless or pointless?

 

[Bot4Hire]

It is possible to implement "lost" mode without WiFi and GPS as long as (1) user sets the passcode, (2) Apple Watch puts the phone in lost mode if repeated passcode entry fails, (3) when Apple Watch is in lost mode or erased/reset/new, it requires cloud-based (Apple server) activation.

None of which helps because Apple neglected to close the loop to to speak.

Lose it or if it's stolen your SOL as it can be reset as new & you or Apple will be none the wiser.

 

[RnSK]

Stories like these amuse me...

...because underneath, this is the story:

"I don't like this product. I will do whatever I can to make it unsuccessful to drive the creation of a product I actually want."

Let's start with the basics: ANY THING can be stolen from ANY ONE with enough subterfuge or force. That said, the scenario we've had posited is someone has to remove the watch in such a way that it does *not* passcode lock (possible, takes practice) and put it on in such away that it still thinks it was never removed.

If this is unsuccessful, the only option an interloper has now is to wipe the device, effectively protecting your personal info, something *clearly* more valuable than the device itself...and we're complaining because there isn't a "Find My Watch" (yet) for something that hasn't even been on the street for a month?

And yes, we've seen all of the amazing "street magicians" relieve the gullible and inattentive from their loosely-latched watches...and believe me, these people are targeted...but I assure you Apollo and Friends aren't getting a properly secured Watch with a decent strap off of anyone clued up:

WWDC is in like 5 weeks. Why don't we wait before all of the hand-wringing, see if they come up with something?

-K

 

[C DM]

i knew about this since the 26th, and i didnt want to tell anyone because fear of an apple watch scandal. i wrote tim cook and apple security about this issue. they sent me a reply a week ago basically saying this can be solved in a telephone conversation. so i called apple care. and the only thing apple could tell me to do was wait for a software update to come out..

the original source of this article was a post i made on appleseed.

if they are going to read my post and make an article about it the best thing they could do is give me some credit.

im glad this was released . i couldn't make up my mind if i wanted to post abut it or not. i was worried some jack ass from unbox therapy would make 20 million videos off of me.

here is the pdf of the thread i made back on the 1st

What makes it seem that it was based on that particular thread rather than similar observations and similar suggestions that could be arrived independently? Why would it be a scandal when nothing of the sort was implied or advertised by Apple to be applicable to the Apple Watch?

----------

i would ike to say thank you to whoever it was that decided to violate his non disclosure agreement with apple computer just so he can get his name in lights. you are a real jerk and i hope you get sued

Why/how was any non-disclosure agreement violated?

 

[Bot4Hire]

...because underneath, this is the story:

"I don't like this product. I will do whatever I can to make it unsuccessful to drive the creation of a product I actually want."

Let's start with the basics: ANY THING can be stolen from ANY ONE with enough subterfuge or force. That said, the scenario we've had posited is someone has to remove the watch in such a way that it does *not* passcode lock (possible, takes practice) and put it on in such away that it still thinks it was never removed.

If this is unsuccessful, the only option an interloper has now is to wipe the device, effectively protecting your personal info, something *clearly* more valuable than the device itself...and we're complaining because there isn't a "Find My Watch" (yet) for something that hasn't even been on the street for a month?

And yes, we've seen all of the amazing "street magicians" relieve the gullible and inattentive from their loosely-latched watches...and believe me, these people are targeted...but I assure you Apollo and Friends aren't getting a properly secured Watch with a decent strap off of anyone clued up:

Image
Image

WWDC is in like 5 weeks. Why don't we wait before all of the hand-wringing, see if they come up with something?

-K

Gross. Whoever is wearing that should be as concerned with moisturizer lotion as they are about having the watch stolen.

 

[Benjamin Frost]

It's all well and good saying that the Apple Watch is an easy target for muggers.

Seems to me that Apple Watch wearers have already been mugged.

 

[C DM]

None of which helps because Apple neglected to close the loop to to speak.

Lose it or if it's stolen your SOL as it can be reset as new & you or Apple will be none the wiser.

And iPhones and iPads have been like that for years until more features were added as far as hardware/software goes to help with that. People still bought those devices and nothing crazy was really going on.

 

[rigormortis]

i wrote several letters to mister cook and product security since the 26th.
this was the only real response i ever got from apple.

 

[Bot4Hire]

And iPhones and iPads have been like that for years until more features were added as far as hardware/software goes to help with that. People still bought those devices and nothing crazy was really going on.

Isn't one wiser whom learns from past mistakes?

 

[rigormortis]

What makes it seem that it was based on that particular thread rather than similar observations and similar suggestions that could be arrived independently? Why would it be a scandal when nothing of the sort was implied or advertised by Apple to be applicable to the Apple Watch?

----------



Why/how was any non-disclosure agreement violated?

they obviously saw my post on an apple confidential forum and copied it.

 

[nutmac]

None of which helps because Apple neglected to close the loop to to speak.

Lose it or if it's stolen your SOL as it can be reset as new & you or Apple will be none the wiser.

Right, which is a bit of shame. Had Apple Watch require cloud-based activation from the very beginning, it would greatly reduce any loops thieves may exploit in the future.

Having said that, future Apple Watch OS can implement such thing and if Apple can make downgrading the OS impossible (or at least very difficult), it would great deter muggers from stealing the watch.

 

[Bromeo]

Keep in mind if your Watch is stolen, you might be able to make an insurance claim (possibly even on your credit card if within the first 60 days or so of purchase). Homeowner's and Renter's policies often cover personal affects while out and about, though your deductible/reserve may come into play there.

So says Apple:
"If Apple Watch is lost or stolen. If your Apple Watch is lost or stolen, sign in to your account at iCloud.com and remove your cards. Go to Settings > My Devices, choose the device, and click Remove All. You can also call the issuers of your cards."

I noticed the lack of Activation Lock when setting up my Sport model. I also tested the skin contact sensor and found I could defeat it with some slight-of-hand. The Sport band is very easy to unclasp, a feature I really like, but makes it that much easier for a skilled thief to pop the watch off one's wrist. One could take countermeasures, or use one of the non-fully opening bands I suppose.

Is it a critical flaw? I don't think so. Should it be improved? I believe so.

 

[Aidyn's X]

Wow. So if someone manages to steal a watch using this trick that is set up for Apple Pay, they can use it to make Apple Pay purchases without any further authentication? That would basically negate the additional security that Apple Pay is supposed to provide compared to physical credit cards (which is what Apple uses to justify getting a share of the transaction fees from the banks).

You need the iPhone with your credit card information in conjunction with the watch to make pay work on the watch.

 

[Lictor]

The pros who can pull off snatching a watch off your wrist without you noticing are not going to waste their time with a cheap Chinese made Apple Watch.

Why not ? They don't care if it's chinese, they don't care for how much it sells new. All they care is how fast and for how much they can resell it stolen. And from that point of view, Apple Watch is better than Rolex...

 

[Benjamin Frost]

Does my wife's engagement ring have activation lock? Does my Panerai or Rolex?

Gosh you people must live in the ghetto. Theft is the last thing on my mind in normal life.

Don't forget that Apple markets to thugs now, what with Beats, Dre, etc. They're probably banking on lots of these Apple Watches being stolen so as to increase the desperately low sales.

----------

That's not the problem the thief has to worry about. They'll sell the watch to someone who has the right phone and wants the watch, just doesn't want to pay $700 for it and the band. If they can sell that $700 watch/band for $300, they've made quick and easy money.

And imagine if they've stolen five of those watches...

Come now. They wouldn't go that far. It wouldn't be fair to steal the total number of Apple Watches sold.

 

[C DM]

they obviously saw my post on an apple confidential forum and copied it.

That's what I'm basically asking, how is that evident, let alone obvious?

 

[Benjamin Frost]

Watches can be stolen


Thanks for the news update macrumors

Glad to see that good manners still exist, even if it is with poor grammar.

 

[C DM]

Isn't one wiser whom learns from past mistakes?

Why were those things in the past mistakes? Not everything under the sun is thought of and implemented right away, otherwise everything already would have been invented and done long ago.

As far as applying something that has been created for another set of products to a brand new one, sometimes it's not completely simple to do and decisions are made as far as what's more important to work out every possible thing that could be imagined before releasing something (which would delay it pretty much indefinitely) or release it with whatever is reasonable for a first generation product and work on improvements as time goes on. Applies to pretty much any product and service out there, and has been for a long time really.

Utopia would be perfect, just not realistic (again, applies to pretty much everything).

 

[Aidyn's X]

the original source of this article was a post i made on appleseed.

if they are going to read my post and make an article about it the best thing they could do is give me some credit.

So because you made a thread about it means that they ripped you off? How do you know that your post was the source of this article? You don't think anyone else in the world thought of the same thing you did independently of your thread on appleseed? Heck, both Newton and Leibniz came up with Calculus (a field of mathematics) at the same time independently and Alexander Graham Bell only made it to the patent office hours before another person with the same idea for the telephone. But thanks for letting us all know that you were the whistleblower on this one.

 

[adambigjohn]

Not sure how they would do it

Seems like bigger issues are at play like crime rates and social factors driving this. I'm not sure it's up to Apple to solve this problem with a kill anti-theft feature which will impact usability.

That said, perhaps they could extend the passcode to protect more than the data or demand a code when the watch has been apart from the paired iphone for a set amount of time?

 

[MrXiro]

that is why I keep a large knife on me at all times... I will cut off the hand that touches my watch.

 

[Bot4Hire]

Why were those things in the past mistakes? Not everything under the sun is thought of and implemented right away, otherwise everything already would have been invented and done long ago.

As far as applying something that has been created for another set of products to a brand new one, sometimes it's not completely simple to do and decisions are made as far as what's more important to work out every possible thing that could be imagined before releasing something (which would delay it pretty much indefinitely) or release it with whatever is reasonable for a first generation product and work on improvements as time goes on. Applies to pretty much any product and service out there, and has been for a long time really.

Utopia would be perfect, just not realistic (again, applies to pretty much everything).

The watch is a tech device & simple security options should follow already released products.
What you are saying is that it's acceptable that Apple didn't learn anything from past software upgrades.
For a 350-17k watch to simply be erased so easily should be unacceptable.