Security vulnerability: Apple Watch, iPhone and Apple Pay
If you own an Apple Watch, there is a security vulnerability that could compromise your Apple Pay cards. Let’s explore.
Let’s say you’re on vacation and you decide to visit that cute little patio coffee shop. Naturally, you’re sitting, sipping and enjoying your coffee. Your wrist adorned with your new Apple Watch is sitting on top pretty wrought iron fence. Someone comes along and grabs your Apple Watch off your wrist and runs away. What do you do? Chase after them to get it back? Oh, but they’re already gone. So then, try to disable the watch on your iPhone? So, here’s the dilemma (and the vulnerability). As soon as you unlock your iPhone, your watch is now quite vulnerable thanks to Apple.
Unlocking your iPhone
Apple has recently pushed an update that automatically and, by default, unlocks both your Apple Watch and your iPhone merely by unlocking your phone… so long as the watch is on anyone’s wrist (it doesn’t have to be your wrist). And herein lies the vulnerability.
So now, that thief who has just stolen your Apple Watch is standing close enough to still get a connection from your iPhone. The thief already knows what will happen after you unlock your phone. So, they patiently wait until you unlock your phone. Then, they get access to your stolen watch’s data until you A) Mark as Missing or B) remove all your credit cards from your wallet. It’s doubtful you can unpair the watch once they have taken it out of range of the Bluetooth/WiFi, but you can mark it as missing.
The thief will wait just long enough to get the watch unlocked and then run for it to get out of connection range. This may allow them to get access to the Apple Wallet and skim your cards from NFC. They could even still do it while in range of your phone, especially if you somehow hadn’t noticed the watch was missing (i.e., you had taken it off and placed it in your bag).
Fixing the Vulnerability
It’s quite amazing that this exists, a stupid security feature from the same company that’s trying to defend itself from unlocking a terrorist’s iPhone for a judge. Hypocritical much? No no, mustn’t unlock a phone for a judge. But, it’s perfectly okay to give thieves access to Apple Pay credit cards by enabling this dual unlock feature. First thing I’d immediately recommend is going into the Watch app on your iPhone and disabling this feature pronto! You’ll find that the Apple Watch itself also has this setting available under Passcode, but thankfully it can only be enabled or disabled on the iPhone.
However, this feature should not be available at all, Apple.
While you are still in possession of both your Apple Watch and your iPhone, you should immediately disable this feature. On the iPhone, it’s under Watch app=>My Watch (Screen)=>Passcode=>Unlock with iPhone set to OFF.
You’ll need to perform this while you are in possession of both devices, before your watch is stolen or misplaced. If you fail to make this change now, you cannot make this change after it is stolen. You can only mop up the mess.
Reactive Measures — My Apple Watch has been stolen!
If you leave the Unlock with iPhone setting enabled, anyone wearing your watch will see it unlock as soon as you unlock your iPhone if they are still in connection range (possibly 30 feet or so, but could be farther). So, you realize your watch is missing and the first thing you do is think, “I need to delete my Apple Watch from my phone”. However, merely by unlocking your phone, you may have just now given the thief access to your watch and to anything on that watch including your Apple Pay credit cards. This means they can activate the NFC on the watch and skim those card numbers off or even use them to charge in shops around the area, possibly even for the entire day until you remove the cards from the wallet. This gives the thief access to wallet and your credit cards until the watch runs out of battery or it locks again once taken off. Or, until you have taken measures to remove the cards from Apple Pay and have marked the watch as missing.
It’s very important to understand exactly how exposed you are by using the Apple Watch with the Apple Pay when enabling the Unlock with iPhone feature. But, you have to know that it’s stolen to take these measures.
What do you do after it’s stolen?
Assuming you know that the watch has been stolen, the first thing you should do before unlocking your iPhone is disable Bluetooth and WiFi. How do you do this? At the > Slide to Unlock screen do not unlock the phone. Instead, swipe up from the bottom of the screen to the top. This will bring up the quick access menu that lets you manage items like WiFi on/off, Airplane mode on/off, Flashlight on/off and, yes, Bluetooth on/off. From the quick access menu, you need to disable both WiFi and Bluetooth before ever unlocking your iPhone. Because Apple Watch relies on Bluetooth and apparently an adhoc WiFi connection, the signal that you’ve unlocked won’t be sent to your nearby watch. It doesn’t seem to send this signal when your phone is on a carrier LTE or 4G data network. However, disabling Bluetooth or WiFi alone is not enough. The Watch can still connect to the cloud if close to a WiFi network it knows about. If you’re out on the street, that’s not likely. If you’re in or near your hotel, it might.
If you are not sure where your watch is, you should disable WiFi and Bluetooth before unlocking your iPhone. Once you’ve disabled WiFi and Bluetooth, go into Watch app=>My Watch=>Apple Watch and then Mark as Missing (making sure you have access to an LTE or 4G data network). You will not be able to disable the Unlock with iPhone feature while the watch is locked even if you reenable both WiFi and Bluetooth. In fact, if you do enable WiFi and Bluetooth, the app seems to remember the last unlocking for some period of time and will pass that unlock to the watch to unlock it. You don’t want to do this.
Whatever you do, don’t enable WiFi and Bluetooth until you’ve selected Mark as Missing under the Apple Watch menu. The last thing you want to happen is the iPhone to send an unlock signal to your watch.
Didn’t notice the watch was missing?
If you’ve left the watch in a hotel room or at pool or on the beach, you may have inadvertently unlocked the watch for a thief while you did not know the watch was missing. In this case, you should immediately Mark as Missing (see above). The second thing you will need to do is go into Wallet and Apple Pay is remove all credit cards from this area. This will deauthorize the card from Apple Pay and prevent the watch from making any further purchases with your cards.
Because Apple Pay creates a unique new Apple Pay card ID for each card, the thief won’t get access to your actual card number. But, a thief can still skim these unique numbers from the NFC and continue to use the numbers as long as you have not removed the card from the Wallet and Apple Pay menu. See ‘Thievery at its finest’ below for a caveat on skimming of NFC Apple Pay card numbers.
You should also call all of your credit card companies and let them know the period of time the watch was lost. While replacement of the cards is not necessary due to the way that Apple Pay registers new card numbers for use, it might still be a good idea just to be safe.
Forever losing things?
If you’re one of those people who is prone to losing or misplacing your stuff (especially things like Watches), then you need to head back up to Preventative Measures and disable Unlock with iPhone while you still have both your iPhone and Apple Watch in your possession. In fact, you can do it now while I wait here… patiently… for you to open up Settings on your iPhone… and disable Unlock with iPhone. Yes, you. Go do it now.
Okay, so now that that’s done. You did go do it, right? Okay, just checking. Assuming you didn’t lie about disabling it, there is no way a thief can get access to your Apple Watch by being in proximity of your iPhone if stolen or lost (i.e., like at the beach or at a pool).
If you are the type of person who loses things regularly, you might not even want to enable Apple Pay on the watch at all. Though, if you have a credit card on file for iTunes, Apple tries to be nice and imports this card into your watch on your behalf after its first setup. You should immediately go into the Watch app on your phone and remove that card. You can always add it back if you like.
Thievery at its finest — (the thief who returns most of what is stolen)
If you take your watch off by a pool, at the beach or any place where you might not want your watch damaged, a would-be thief could ‘borrow’ your watch just long enough to NFC skim all your cards off of the device (after waiting for you to unlock your phone). Then, carefully return the watch to you. He now has all your cards and you aren’t even the wiser that the watch was even missing.
Before this happens to you, you should disable Unlock with iPhone. Though, if you’re concerned about the credit card situation at all, you might just want to delete all the cards from your Apple Watch entirely and not use the watch for Apple Pay. Even if a thief attempts to skim your card data from your watch, they won’t be able to do it if the cards aren’t even there. However, if you do choose to use Apple Pay with your watch and as a security measure, I’d suggest removing and re-adding the cards once every couple of months. Better, once a month. This forces your bank to issue a new unique Apple Pay card number for each credit card. This will invalidate old Apple Pay unique card numbers that may have skimmed from your watch.
You should always remove and re-add your cards if your Apple Watch has been out of your possession for any period of time.
Hopefully, by reading this article someone doesn’t end up taking more than your Apple Watch from you. The takeaway from this article should be to secure your device by undoing stupid Apple counter-security measures. Disable Unlock by iPhone in the Apple Watch app. Remove unnecessary cards from Apple Pay. Better, don’t use Apple Pay on the watch if you’re prone to losing things. If you’re planning on wearing the watch, don’t take it off your wrist.
I can’t even believe that Apple would stoop to putting in such an obvious security hole onto a device capable of storing credit card information (even if the numbers are unique to Apple Pay). If an Apple Watch could identify my wrist differently from someone else’s reliably 100% of the time, then this feature might be worthwhile. Because the Apple Watch can’t detect who’s wrist it is currently sitting on, this is a security compromise just waiting to happen.