So here’s a question for all the Series 3 owners: when was the last security update sent out?
 
> So here’s a question for all the Series 3 owners: when was the last security update sent out?
I highly recommend downloading an application called "MacTracker" (https://mactracker.ca/). It keeps track of all updates. But, according to MacTracker, the most recent version for Apple Watch 3 was version 8.8.1, released on June 21, 2023. I do not expect another update.
 
A watch is attached to iCloud (and can access everything in iCloud), may have Apple Pay loaded and can be used to unlock a Mac.

Anything logged into iCloud is important to secure.
And how would a watch get hacked? Can you walk me through the steps of at what point the watch would get hacked, when data is either at rest or being transmitted (or maybe even changed)?
 
Still rocking my Apple Watch Series 3 and will continue to do so until death do us part.
The last update was like months ago and I could not care less.

I'd think that Apple would release a security patch for attack vectors like Bluetooth and WiFi as it is still quite popular.

When it dies I'll probably replace it with a dumb watch again.
 
> And how would a watch get hacked? Can you walk me through the steps of at what point the watch would get hacked, when data is either at rest or being transmitted (or maybe even changed)?
Just look at the news reports on Pegasus/NSO. It used to be they’d send a text with a payload. Now they don’t even need that, just your number. It’s a cat and mouse game that is highly profitable for the companies because any country or organization can purchase the software. Yeah, you’d have to be targeted, but it’s not like anyone will tell you if you’re being targeted, will they?
 
> Just look at the news reports on Pegasus/NSO. It used to be they’d send a text with a payload. Now they don’t even need that, just your number. It’s a cat and mouse game that is highly profitable for the companies because any country or organization can purchase the software. Yeah, you’d have to be targeted, but it’s not like anyone will tell you if you’re being targeted, will they?

Pegasus uses nation-state funded exploits to the tune of millions of dollars, and they don't burn them on regular people because they are gone quickly once released/used. If you're in the class of people this might matter to, then be more careful... for everyone else, however, don't lose sleep.
 
> Just look at the news reports on Pegasus/NSO. It used to be they’d send a text with a payload. Now they don’t even need that, just your number. It’s a cat and mouse game that is highly profitable for the companies because any country or organization can purchase the software. Yeah, you’d have to be targeted, but it’s not like anyone will tell you if you’re being targeted, will they?

Pegasus (and most modern exploits) are a spear phishing type of attack. They find a specific exploit for a specific person for a specific reason.

Are you a highly targeted individual? Are you the CxO of a Fortune 500 company? Are you a well known terrorist? Are you a Head of State - or on a first name basis with such a person - of a G20 nation? If yes, you will be targeted with a Pegasus type attack. Otherwise, ignore it; there is no reason why people who develop those exploits will waste them on people like you and me.

The days of leaving an unpatched piece of equipment exposed to the internet and getting instantly hacked are long gone.
 
> And how would a watch get hacked? Can you walk me through the steps of at what point the watch would get hacked, when data is either at rest or being transmitted (or maybe even changed)?
Potentially through processing a malicious iMessage or graphic sent to it. Or connecting to a malicious wifi network if the software is old enough and not patched.
 
> Pegasus uses nation-state funded exploits to the tune of millions of dollars, and they don't burn them on regular people because they are gone quickly once released/used. If you're in the class of people this might matter to, then be more careful... for everyone else, however, don't lose sleep.

Sure, but eventually the exploits get leaked and if you haven't been patched since the methodology became public domain - guess what?

Once an exploit is patched, it doesn't mean it isn't still out there in active use for devices that haven't got the updates.

The TLAs stop using it, but the script kiddies get their hands on it and try their hands at whatever it will work against.

Is the risk low? Sure, but it certainly isn't non-existent.
 
> Sure, but eventually the exploits get leaked and if you haven't been patched since the methodology became public domain - guess what?
>
> Once an exploit is patched, it doesn't mean it isn't still out there in active use for devices that haven't got the updates.
>
> The TLAs stop using it, but the script kiddies get their hands on it and try their hands at whatever it will work against.
>
> Is the risk low? Sure, but it certainly isn't non-existent.
Yeah not that low. Remember that list of users Apple sent out who they knew had been hacked? That was just the ones Apple knew about and was willing to release. I’m sure many many people haven’t been hacked. It’s not that comforting for me though. If I can do what I can to avoid it, knowing if anyone REALLY wants what’s on my watch, they’ll get it. But why make it easier by running an outdated OS with no security updates? It’s the difference between having a pickable deadbolt locked on your front door and having the door with the lock open and a piece of masking tape holding the door closed saying “please don’t open.” Neither is perfectly secure but one is a bit harder to open than the other.
 
> Potentially through processing a malicious iMessage or graphic sent to it. Or connecting to a malicious wifi network if the software is old enough and not patched.
Source please.

> The TLAs stop using it, but the script kiddies get their hands on it and try their hands at whatever it will work against.

Also, I don't think that's how those exploits are used :O Is this something you're just guessing about, or do you have a source that "script kiddies" have attempted to use the Pegasus exploit?
 
> Yeah not that low. Remember that list of users Apple sent out who they knew had been hacked? That was just the ones Apple knew about and was willing to release. I’m sure many many people haven’t been hacked. It’s not that comforting for me though. If I can do what I can to avoid it, knowing if anyone REALLY wants what’s on my watch, they’ll get it. But why make it easier by running an outdated OS with no security updates? It’s the difference between having a pickable deadbolt locked on your front door and having the door with the lock wide open and a piece of masking tape holding it closed saying “please don’t open.” Neither is perfectly secure but one is a bit harder to open than the other.
Again, what type of exploits or security failures exist? For example, how is data encrypted between the watch and the phone? The key exchange method is IPSec, and all communication is done via AES, per https://support.apple.com/guide/security/system-security-for-watchos-secc7d85209d/web

To violate Apple Watch security means that IPSec and AES would be violated in some way. To my knowledge, neither one of these two protocols has been violated.
 
> Source please.
>
> > The TLAs stop using it, but the script kiddies get their hands on it and try their hands at whatever it will work against.
>
> Also, I don't think that's how those exploits are used :O Is this something you're just guessing about, or do you have a source that "script kiddies" have attempted to use the Pegasus exploit?


That's for iPhone, not sure if it impacted the watch (or if nobody bothered but given the shared code... I'd be assuming your watch is potentially vulnerable if not patched to the same level as a fixed phone), but zero click exploits for iOS are and have been a thing as recently as last September.

If you're not patched to that level, you're potentially vulnerable.

Oh I've also been responsible for enterprise security for a 7000 employee company and following this stuff for 15 years plus now so... no I'm not just guessing about this stuff. I've been involved in this space for a long time now.


Now, once the CVE and patches are released - they get reverse engineered by others to create their own exploits for use against those who don't or can't patch. Also to examine if there's another similar/related exploit that wasn't fixed with the original patch.

The CVE announcement/patch isn't the end of the bad stuff happening, not by a long shot.


edit:
the related zero days were also present in watchOS - any version prior to the fixed release in September 2023:
 
> Again, what type of exploits or security failures exist? For example, how is data encrypted between the watch and the phone? The key exchange method is IPSec, and all communication is done via AES, per https://support.apple.com/guide/security/system-security-for-watchos-secc7d85209d/web
>
> To violate Apple Watch security means that IPSec and AES would be violated in some way. To my knowledge, neither one of these two protocols has been violated.

You can have all the encryption you like between the watch and the phone, if either device is compromised the data is likely accessible in its unencrypted form at rest inside the device. The Secure Enclave is only used for keys used to decrypt or encrypt with, it isn't used to store all data that is on the device and at runtime, much of it will be unencrypted.

All encryption between the two devices does is prevent sniffing it in transit between the devices, it does nothing to protect you from device compromise enabling a bad guy to get access to the cached copy of your data stored on device.

Now don't think I'm taking a dump on Apple for this. It is what it is, and Apple's done a much better job of device security than most. But you still need to keep up to date with patches.
 
Perhaps part of the question is, how serious is a watch hack? If you’re storing personal data on the watch, like the wallet app, then I suppose it’s pretty serious. Likewise health and GPS data. If you worry about keeping your data safe, especially against companies like Pegasus/NSO whose country seems to specialize in phone hacking, then you probably are going to be persnickety about having the latest iOS support on your device. I think that’s the major concern, since older devices probably won’t support newer features in newer watch OS versions anyway.
So do you recommend having a watch that is supported?

I seldom use the watch (Series 3, not supported anymore) for Apple Pay - most of the time I use my iPhone for that (13 Pro, so still supported for a while)
 
Honestly, I don’t know. I used the Series 3 until it wasn’t supported anymore. I switched cell providers, so they made it easy to update to a new watch at the same time. I’m not exactly a security expert, I’m just trying to think about this logically. I mean, if I had a choice, I’d be sure mine was still supported. It’s more that I’m thinking about the OP’s question, and I’m not sure I could recommend buying a Series 3 at this point, given how slow it is, and its lack of support.
> So do you recommend having a watch that is supported?
>
> I seldom use the watch (Series 3, not supported anymore) for Apple Pay - most of the time I use my iPhone for that (13 Pro, so still supported for a while)
 
> So do you recommend having a watch that is supported?
>
> I seldom use the watch (Series 3, not supported anymore) for Apple Pay - most of the time I use my iPhone for that (13 Pro, so still supported for a while)
The security standards, IPSec and AES, have not been violated where exploits are possible. Series 3 can still connect to the newest iPhones as well. From a security viewpoint, as long as you're not a high risk targeted individual (you'd know if you are), you'll be fine.
 
> The security standards, IPSec and AES, have not been violated where exploits are possible. Series 3 can still connect to the newest iPhones as well. From a security viewpoint, as long as you're not a high risk targeted individual (you'd know if you are), you'll be fine.
Thanks
 
> Honestly, I don’t know. I used the Series 3 until it wasn’t supported anymore. I switched cell providers, so they made it easy to update to a new watch at the same time. I’m not exactly a security expert, I’m just trying to think about this logically. I mean, if I had a choice, I’d be sure mine was still supported. It’s more that I’m thinking about the OP’s question, and I’m not sure I could recommend buying a Series 3 at this point, given how slow it is, and its lack of support.
Thanks

I'll keep my S3 for now as I just ordered a new camera lens.

1 purchase at a time lol
 
> Thanks
>
> Autofocus could be a bit faster but it's not a deal breaker at all
>
> My camera has a crop sensor so it's the equivalent of 75mm
>
> Great image quality, nice creamy bokeh
Yeah I have a manual Nikon 50mm f1.2 I’ve used on Panasonic GH crop sensor cameras for more than a decade. I have a 28mm as well but I think it’s f2.0 if I remember correctly.
 