Apple Watch Vulnerability Lets Thieves Use Apple Pay Without Your PIN
The basic idea behind its security is that the Watch can detect when it is removed from a wrist, and automatically requires a passcode to be entered if removed (if one is set up, which is a requirement for using Apple Pay). So we set out to trick the sensor into thinking it's still on a wrist while removing it. Taking that a step further, we wanted to see if we could use this "exploit" to bring up Apple Pay and make purchases with someone else's card.
We'll cut right to the chase—we got it to work without much effort. Here's how we did it, and what you can do to protect yourself if someone uses this technique on you.
On the back of the Apple Watch are four rings that house the four components of the heart rate sensor: two green/infrared LEDs and two photodiode sensors.
While measuring your heart rate, this sensor can also tell whether the Watch is currently being worn. That way, if your Apple Watch is passcode-protected, you won't have to enter your passcode every single time you want to use it, as long as it doesn't leave your wrist.
Try it out yourself. When your passcode-protected Apple Watch is on your wrist, you don't need to enter your passcode every time you want to use it. Now take the Apple Watch off your wrist. After a second, it'll lock and prompt you to enter your passcode in order to gain access to it again.
While the wrist-detection is a useful feature, did you catch the part where I mentioned that there is a one-second delay before the Apple Watch locks itself?
That one-second delay before the Apple Watch activates its passcode protection can't simply be removed. It's necessary to prevent the Watch from constantly re-locking itself during the split-second separations from your skin that occur during regular use. After all, it would be pretty annoying if running, shaking your wrist, or rotating the Watch for comfort caused it to lock itself.
But here's the catch: The Watch can't tell the difference between a wrist and a finger.
Knowing that, we used the one-second delay to fool the sensor by simply touching the back of the Watch while taking it off someone's wrist. The Watch remained unlocked the whole time we held the back. In fact, it was easy enough to swap the Apple Watch from one wrist to another, all without the device locking. While we're not great at swiping wristwatches, there are plenty of people who are.
What this means is simple: someone could steal your Watch and, as long as they keep a finger on the back, gain access to the information stored on it. And since many people have no doubt put their credit cards on their Apple Watch, yes, this includes Apple Pay. The trick is even easier with the pricier Leather Loop and Milanese Loop magnetic bands, as they slip loose with minimal effort.
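To make the timing concrete, here is a small simulation of a wrist-detection auto-lock with a debounce grace period. It is an example added for this article, not Apple's code: the one-second grace period, the 0.1 s sampling rate and the three scenarios (a finger-on-the-sensor swap, a sloppy swap, and a jog with repeated brief separations) are assumptions constructed to mirror what the article describes. The sensor input is a single boolean, "skin contact detected," because, as the article notes, the sensor can't tell a wrist from a finger.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

GRACE_SECONDS = 1.0   # assumed grace period, taken from the article's "about a second"
SAMPLE_STEP = 0.1     # assumed sensor sampling interval (constructed for this demo)


@dataclass
class WristLock:
    """Toy model of a wrist-detection auto-lock (not Apple's implementation).

    Any skin contact resets the timer; the Watch only locks once no contact
    has been seen for a full grace period. Once locked, only a passcode
    (unlock()) gets it back.
    """
    grace: float = GRACE_SECONDS
    locked: bool = True
    contact_lost_at: Optional[float] = None
    events: List[Tuple[float, str]] = field(default_factory=list)

    def unlock(self, now: float) -> None:
        """Owner enters the passcode."""
        self.locked = False
        self.contact_lost_at = None
        self.events.append((now, "unlocked by passcode"))

    def sample(self, now: float, skin_contact: bool) -> bool:
        """Feed one sensor reading; returns the lock state afterwards."""
        if self.locked:
            return True
        if skin_contact:
            # Wrist or finger, the sensor can't tell: either one resets the timer.
            self.contact_lost_at = None
        elif self.contact_lost_at is None:
            self.contact_lost_at = now
        elif now - self.contact_lost_at >= self.grace:
            self.locked = True
            self.events.append((now, "locked: no skin contact for grace period"))
        return self.locked


def contact_trace(segments, step: float = SAMPLE_STEP):
    """Expand (duration_seconds, skin_contact) segments into timed samples."""
    samples, t = [], 0.0
    for duration, contact in segments:
        for _ in range(int(round(duration / step))):
            samples.append((round(t, 3), contact))
            t += step
    return samples


def simulate(segments, grace: float = GRACE_SECONDS) -> WristLock:
    """Start unlocked on the owner's wrist and replay a constructed contact trace."""
    lock = WristLock(grace=grace)
    lock.unlock(0.0)
    for t, contact in contact_trace(segments):
        lock.sample(t, contact)
    return lock


# Constructed scenarios: (duration_seconds, skin_contact_detected).
FINGER_SWAP = [
    (2.0, True),    # owner wearing the Watch
    (0.5, False),   # lifted off the wrist with two hands
    (1.5, True),    # thief's fingers pressed against the sensor
    (0.4, False),   # moment of fastening it onto the thief's wrist
    (2.0, True),    # now on the thief's wrist
]
SLOPPY_SWAP = [
    (2.0, True),
    (1.5, False),   # longer than the grace period: the Watch locks
    (2.0, True),
]
JOGGING = [         # the Watch bouncing on the owner's wrist, 0.3 s gaps
    (1.0, True), (0.3, False), (1.0, True), (0.3, False), (1.0, True),
]

if __name__ == "__main__":
    for name, seg in [("finger swap", FINGER_SWAP), ("sloppy swap", SLOPPY_SWAP)]:
        print(f"{name}: locked={simulate(seg).locked}")
    # Why the grace period can't just be shortened to nothing:
    print("jogging, 1.0 s grace:", simulate(JOGGING).locked)
    print("jogging, 0.2 s grace:", simulate(JOGGING, grace=0.2).locked)
```

With the assumed one-second grace period the finger swap ends with the Watch still unlocked on the thief's wrist, the sloppy swap locks it, and the jogging trace stays unlocked; shrinking the grace period to 0.2 s would defeat the swap but also lock the Watch on every bounce while running, which is the trade-off the article describes.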
To test it out, we had Neil Gonzalez sync his iPhone with the Apple Watch, add a lock screen passcode, and set up his credit card for use with Apple Pay (we used a credit card because it doesn't require entering a PIN at the payment terminal the way a debit-only card would).
We started with Neil wearing the Apple Watch on his wrist, which didn't require him to enter his passcode. My goal was to remove the Watch from his wrist and transfer it to mine while keeping it unlocked.
I took the Apple Watch off his wrist with two hands, then quickly slid two fingers underneath the Watch case where the heart rate sensor is located, to maintain skin contact. Of course, all this had to be done within a second, before the Watch locked me out.
Then I quickly placed the Apple Watch on my wrist, secured it, and voilà! I was able to access everything on his Apple Watch without having to enter a passcode, including his credit card which was "secured" through Apple Pay.
For good measure, we even turned off Neil's iPhone, which disables pretty much everything on the Apple Watch—except for Apple Pay. But just to make sure we weren't missing some back-up security feature, we headed to Walgreens to put this exploit into action. With the Apple Watch on my wrist, I was able to bring up Apple Pay and make a purchase with Neil's credit card without any trouble.
Yeah, this was much easier than I thought (and would've hoped).
Obviously, stealing an Apple Watch this way, all while maintaining skin contact underneath it and running away, is highly unlikely unless you hang out with magicians or pickpockets, or commute on crowded trains. Still, it's definitely something to be aware of and protect yourself from.
- Set a Passcode
While we did show how to exploit a passcode-protected Apple Watch, we still recommend you set one. Without a passcode, it's a guarantee that if your Watch is stolen, the thief will be able to access all of the information on it, including Apple Pay. Also, thieves can wipe your Apple Watch and restore it as their own, so make sure to set a passcode—and not one of those generic 1234 ones.
- Remove Apple Pay
If your Apple Watch gets misplaced, the first thing you should do is remove your credit cards from Apple Pay directly from the Apple Watch application on your iPhone. That way, if someone has it, they at least won't be able to use your credit card to make purchases.
Unfortunately, for this method to work, the Apple Watch has to be in range of your iPhone. Otherwise, you'll have to log into your iCloud account online, go to Settings -> My Devices, choose your Watch, then click "Remove All" to wipe the slate clean. Your cards will still be visible on the Watch, but only the last 4 digits of each number: no other portion of the number is saved on the Watch, and each card is associated with a device-specific ID that Apple deactivates on its servers.
We played with this exploit for hours, trying to see other ways in which we could lift the Apple Watch without triggering the passcode. If you're really careful, you can actually unhinge the band and slowly lift the Apple Watch up, because it seems that the accelerometer also plays a part in locking the display.
If you do it slowly enough while the Watch's display is active, you can keep it unlocked and place it on your wrist, but it didn't work consistently enough for us to call it anything more than an occasional fluke.
We also noticed that sometimes the Apple Watch would stay completely unlocked even after removing my fingers from the sensor. This didn't happen every time, but it did happen twice; you can read more about that over at MacRumors.
Aside from this "fingergate" trick, the Apple Watch is actually a pretty secure device. It doesn't store much information, and even then, it's difficult to access any of it if the paired iPhone is out of range or turned off, with the exception, of course, of Apple Pay.
This article serves more as a warning to show you what thieves could potentially do when stealing your Apple Watch. It's difficult to see this method working for everyday thieves, but it could be used against someone who's drunk and unaware, out at a bar or a club, or otherwise unconscious.
I can't count how many times I've had someone try to lift my iPhone or wallet from me when out at a noisy and crowded bar, so what's going to stop them from trying it on my Watch?
All it takes is someone to get a little too drunk, and out of the darkness comes a thief who can easily remove your Apple Watch, keep their fingers underneath the sensor, and use your credit card to buy everyone a drink at the bar.