Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Were you able to reproduce this? (Please remember to try a second time.)

  • Yes, it worked on the first or second try.

    Votes: 5 27.8%
  • No, even after two tries, I could not reproduce it.

    Votes: 13 72.2%

  • Total voters
    18

OCDMacGeek

macrumors 6502a
Original poster
Jul 19, 2007
581
80
Update: If you're trying this, please do two things: (1) If it doesn't work, try the technique a second time in a row, and for me it always works the second time -- not sure why. (2) Can you please try something else? Forget the heart rate trick and just lift your Apple Watch off your wrist (it locks). Put it back on the wrist and unlock it, then lift it right off the wrist again. For me, it stays unlocked. It can be lifted off the wrist and back on without locking. Does that happen for you? Note that using (2) it will lock back up after a few minutes but using (1) it will not.

------

Hello all: I have been a member of these forums for a long time, and think I happened across something of interest. I am not a security researcher, but I believe that I have discovered a critical exploit that will allow an Apple Watch that has been password protected to be swapped from person to person, despite a total break in contact with skin, without causing the device to get locked. This would allow free access to data, texts, photos, access to Apple Pay, and much more. It appears to undermine the security of Apple Watch, which depends on the device locking when the device loses skin contact.

Here is a video where I show what I found:


What Watches Does it Work On?

I've tested and recreated the exploit numerous times on my Apple Watch Series 2 (Stainless Steel 42 mm) on the latest software. I also tested it with my original Apple Watch (also Stainless Steel 42 mm), and it worked there as well. This likely works on all models of Apple Watch. In other words, if this is a security issue, it has been there since the beginning.

Haven't We Seen this Before?

I don't believe so, but please let me know if I am wrong. Note that this is not the same thing as the exploit discussed in the following link, where someone sticks their finger under the heart rate sensor to trick the watch into thinking the skin contact never broke: http://m.imore.com/apple-watch-apple-pay-and-wrist-detection-what-you-need-know. Here, the exploit is based on a software issue and there is a total break in skin contact.

How Does it Work?

The technique requires, at first, an Apple Watch that is either unlocked or has maintained skin contact on a person's wrist after being unlocked. (As most Apple Watches are when being worn.)

Then you perform one step -- you open the heart rate app on your watch, and wait until it measures the heart rate and settles into a "rhythm" of detecting your heart beat. Then, you remove the watch from your wrist. It likely will not lock despite being removed from your wrist.

There are certain aspects to this that I have not fully determined yet, and which I am hoping others can test. For instance, it does seem that the timing of when you last unlocked your watch has something to do with this. It seems that if you haven't unlocked your watch in a long while, this glitch/exploit won't work at first.

If it doesn't work for you at first, lock your watch, unlock it, and test it again. It will work the second time.

Is this Normal Expected Behavior?

I don't think so. I have never read that Apple intended for the Apple Watch to be able to be removed from your wrist without it locking. If this is intentional, it seems like a bad idea.

From a personal standpoint, regardless of when I last unlocked my watch, there is no moment when I feel that its ok for the watch to be off my wrist and remain unlocked. If I want it to be off my wrist and unlocked, I would remove the watch (and it would lock) and then I would enter the passcode on my watch. I do not believe Apple ever intended for the watch to remain unlocked despite total break in skin contact and without entering a passcode.

What are the Concerns?

Well, maybe its unlikely, but the glitch could theoretically be exploited by anyone, within moments, once the technique is known. And, the exploit can be re-used indefinitely, to allow the Apple Watch to be swapped from person to person over and over without it locking. (Unless eventually disabled by Find my iPhone.)

Here is one possible real world problem that could occur: If this exploit becomes known, criminals could demand that Apple Watch owners gives their watch to them against their will. Before taking the watch off, the criminal could perform some simple software actions, then they can use the unlocked watch and gain access to all its functions. Yes, it is always true that a criminal could demand that you provide your passcode, but this would theoretically allow theft without the passcode.

Another possible scenario includes removing the watch from a sleeping or unconscious person's wrist, and using the device without permission (and without knowing the passcode).

Once the Apple Watch needs to be charged, I believe that would terminate the exploit. However, that remains a serious security problem. I believe it could be fixed with a software fix.

Why Did I Post Publicly?

I attempted to contact Apple about this, and spoke to someone with Apple "Executive Relations" but to be honest they did not seem to believe me. They refused to put me in touch with the security team that is handling zero-day bugs and exploits and paying bounties for these discoveries, and said that team operates by invite only. They would not even refer me.

Therefore, I'm publishing this in the hopes that others can test this as well, and we can determine the extent of this glitch/exploit.
 
Last edited:

BarracksSi

Suspended
Jul 14, 2015
3,902
2,664
With my SS AW0, I can't get it to happen like you describe.

I started the HR app, let it get a reading, took it off, let it dangle freely for a few seconds, and put it back on. It was locked and wouldn't do anything else until I entered my passcode.

Tried again by starting the Workout app and taking it off (would be like going for a run and somebody steals the watch from my wrist). Let it dangle a bit, then when I put it back on, it required my passcode to continue.

I also did it exactly the way you did in the video (at about 1:30, for those who want to fast forward) and it locked as soon as I took it off my wrist.
 

lordofthereef

macrumors G5
Nov 29, 2011
13,161
3,721
Boston, MA
I tired three times. But only in a series two. Didn't work. I can try a gen one when my wife gets home tonight.

Not that I don't think this is noteworthy if it actually works for others, but I wonder how this isnnuch of a security risk. Short of being incapacitated and having your Watch removed in this manner I am unsure why anyone would really need to worry. Still, if it is an actual bug, it should be remedied.
 

OCDMacGeek

macrumors 6502a
Original poster
Jul 19, 2007
581
80
Can you please try something? Forget the heart rate trick. Lift your Apple Watch off your wrist (it locks). Put it back on the wrist and unlock it, then lift it right off the wrist again. For me, it stays unlocked the second time. It can then be lifted off the wrist and back on without locking. Does that happen for you guys or not?

If so, is that normal?
 
Last edited:

Feenician

macrumors 603
Jun 13, 2016
5,313
5,100
Would have been interesting to be "in on the ground floor" on this one OP but I can't reproduce by either method. Tried a few times.
 

OCDMacGeek

macrumors 6502a
Original poster
Jul 19, 2007
581
80
Would have been interesting to be "in on the ground floor" on this one OP but I can't reproduce by either method. Tried a few times.

Really? Not even the thing from the "update" at the bottom of the original post (also posted right above this one)? If I can do it on both my original and my series 2 Apple Watches, I can't be the only one!
 

DeltaMac

macrumors G5
Jul 30, 2003
13,751
4,577
Delaware
The item that is constant here is: your wrist!
Maybe your full arm tat is causing the whole issue :D

Can you duplicate the same "trick" while using the AW on your other wrist?
 

LIVEFRMNYC

macrumors G3
Oct 27, 2009
8,876
10,982
Can you please try something? Forget the heart rate trick. Lift your Apple Watch off your wrist (it locks). Put it back on the wrist and unlock it, then lift it right off the wrist again. For me, it stays unlocked the second time. It can then be lifted off the wrist and back on without locking. Does that happen for you guys or not?

If so, is that normal?


Unfortunately, that worked. Able to put it on and off my wrist again without it locking. But, it doesn't stay unlocked for long, it seems like after a specific amount of time(my guess is 2-3 minutes) it locks again. Tried numerous times with the same results. Always locks again after 2-3 minutes. It's normally supposed to lock instantly every time.
 

Feenician

macrumors 603
Jun 13, 2016
5,313
5,100
Really? Not even the thing from the "update" at the bottom of the original post (also posted right above this one)? If I can do it on both my original and my series 2 Apple Watches, I can't be the only one!

I would guess you're not the only one, since you're reproducing on multiple devices, but I can repro on my series 0. Will follow the thread with interest though.

For me it's a second or two before my watch locks.
 

steve knight

macrumors 68030
Jan 28, 2009
2,735
7,180
Unfortunately, that worked. Able to put it on and off my wrist again without it locking. But, it doesn't stay unlocked for long, it seems like after a specific amount of time(my guess is 2-3 minutes) it locks again. Tried numerous times with the same results. Always locks again after 2-3 minutes. It's normally supposed to lock instantly every time.
same here after couple minutes it locked.
 

OCDMacGeek

macrumors 6502a
Original poster
Jul 19, 2007
581
80
Unfortunately, that worked. Able to put it on and off my wrist again without it locking. But, it doesn't stay unlocked for long, it seems like after a specific amount of time(my guess is 2-3 minutes) it locks again. Tried numerous times with the same results. Always locks again after 2-3 minutes. It's normally supposed to lock instantly every time.

So, I'm starting to think that part of what the heart rate trick really does is the same thing as that 2nd trick I mentioned above -- I think the heart rate trick only works after being unlocked the second time within a certain period. BUT, there is an important difference between what you did above and the heart rate trick. Doing just the 2nd trick, the watch locks after the screen sleeps. If you do the heart rate trick above, the screen DOES NOT lock after sleep.
 

OCDMacGeek

macrumors 6502a
Original poster
Jul 19, 2007
581
80
The item that is constant here is: your wrist!
Maybe your full arm tat is causing the whole issue :D

Can you duplicate the same "trick" while using the AW on your other wrist?

I thought of that. Haha. I did it on my wife's white arm and it had the same results.
 

LIVEFRMNYC

macrumors G3
Oct 27, 2009
8,876
10,982
So, I'm starting to think that part of what the heart rate trick really does is the same thing as that 2nd trick I mentioned above -- I think the heart rate trick only works after being unlocked the second time within a certain period. BUT, there is an important difference between what you did above and the heart rate trick. Doing just the 2nd trick, the watch locks after the screen sleeps. If you do the heart rate trick above, the screen DOES NOT lock after sleep.

That's not what I noticed with the 2nd trick. Locking after it sleeps was my first thought, but it locks after a couple of minutes even when the display is on and active. I even let it sleep a couple times, and upon waking up, it was still unlocked. No matter what I do whether the watch is sleep or active, it only locks again after a certain amount of time.

I still can't get the heart rate trick to work.
 

Julien

macrumors G4
Jun 30, 2007
11,858
5,445
Atlanta
.....and how does any of this hit and miss and working really hard at trying to make it stay unlocked for more than a couple of seconds relate to a real life 'in the wild' situation that could make the :apple:Watch insecure?:rolleyes:
 
Last edited:

OCDMacGeek

macrumors 6502a
Original poster
Jul 19, 2007
581
80
.....and how does any of this hit and miss and working really hard at trying to make it stay unlocked for more than a couple of seconds relate to a real life 'in the wild' situation that could make the :apple:Watch insecure?:rolleyes:

Because it does work for me and others, meaning that the watch can be removed from your wrist without locking. It's not supposed to do that.

Not everyone is able to reproduce it, but I don't believe that is necessarily because it can't happen. Some people may be trying slightly different techniques than what I am instructing. On Twitter, Renée Ritchie from iMore said he can reproduce it repeatedly on watchOS 3, but not watchOS 3 .1 beta.
 

maflynn

macrumors Haswell
May 3, 2009
73,682
43,740
I just tried it on my Series 0 watch, and it locked instantly.

I'd say this is not an exploit but perhaps OP, your watch is defective in some form
 

OCDMacGeek

macrumors 6502a
Original poster
Jul 19, 2007
581
80
I just tried it on my Series 0 watch, and it locked instantly.

I'd say this is not an exploit but perhaps OP, your watch is defective in some form

I'd believe that if I couldn't do it on two separate watches... I thought my own wrist was defective until I tried and did it on my wife's.
 

OCDMacGeek

macrumors 6502a
Original poster
Jul 19, 2007
581
80
That's not what I noticed with the 2nd trick. Locking after it sleeps was my first thought, but it locks after a couple of minutes even when the display is on and active. I even let it sleep a couple times, and upon waking up, it was still unlocked. No matter what I do whether the watch is sleep or active, it only locks again after a certain amount of time.

I still can't get the heart rate trick to work.

Thanks for testing. I wish I could try the heart rate one on your watch and verify why it doesn't work on yours. But the behavior that results from the second technique is also a problem, I think. Not because of some specific real world threat it poses, but just because it's a glitch, I believe.
 

teidon

macrumors 6502
Dec 22, 2009
443
213
Swapping the watch from one wrist to another (your's or someone else's) is easy. I have been doing it since I got the watch last summer when ever I want to change it to other wrist or something. Just loosen the strap, put your fingers underneath the watch so that you completely block the HR sensor and do what ever you want. As long as the HR sensor is blocked by skin (haven't tested other materials) the watch won't lock.
 

JT2002TJ

macrumors 68020
Nov 7, 2013
2,068
1,396
The trick of taking it off, putting it back on then unlocking it and remove it did leave it unlocked for me. I think it acted just like if it was on the charger and you unlock it (or off wrist). It allows you to use the watch and auto locks again. I assume when you put it back on, the reader doesn't realize you have it on yet, and thinks it is unlocking off wrist. I think this is planned behavior.

But the first way with heart rate sensor didn't work for me. This is an SS AW1 I got in the first wave of watches.
 

Aduntu

macrumors 6502a
Mar 29, 2010
599
1
I'm able to recreate it without issue on S1 when I unlock via passcode. Not able to recreate when unlocked with phone.
 
Last edited:

BlueMoon63

macrumors 68020
Mar 30, 2015
2,055
959
Is this really an exploit or glitch? If I am reading this right, I would have to take my Watch off, put it back on and unlock and then take it off again? If someone stole this from me off my arm, would they need to ask me to take it off and follow the steps?
 
  • Like
Reactions: Julien
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.