Update: If you're trying this, please do two things: (1) If it doesn't work, try the technique a second time in a row, and for me it always works the second time -- not sure why. (2) Can you please try something else? Forget the heart rate trick and just lift your Apple Watch off your wrist (it locks). Put it back on the wrist and unlock it, then lift it right off the wrist again. For me, it stays unlocked. It can be lifted off the wrist and back on without locking. Does that happen for you? Note that using (2) it will lock back up after a few minutes but using (1) it will not.
------
Hello all: I have been a member of these forums for a long time, and think I happened across something of interest. I am not a security researcher, but I believe that I have discovered a critical exploit that will allow an Apple Watch that has been password protected to be swapped from person to person, despite a total break in contact with skin, without causing the device to get locked. This would allow free access to data, texts, photos, access to Apple Pay, and much more. It appears to undermine the security of Apple Watch, which depends on the device locking when the device loses skin contact.
Here is a video where I show what I found:
What Watches Does it Work On?
I've tested and recreated the exploit numerous times on my Apple Watch Series 2 (Stainless Steel 42 mm) on the latest software. I also tested it with my original Apple Watch (also Stainless Steel 42 mm), and it worked there as well. This likely works on all models of Apple Watch. In other words, if this is a security issue, it has been there since the beginning.
Haven't We Seen this Before?
I don't believe so, but please let me know if I am wrong. Note that this is not the same thing as the exploit discussed in the following link, where someone sticks their finger under the heart rate sensor to trick the watch into thinking the skin contact never broke: http://m.imore.com/apple-watch-apple-pay-and-wrist-detection-what-you-need-know. Here, the exploit is based on a software issue and there is a total break in skin contact.
How Does it Work?
The technique requires, at first, an Apple Watch that is either unlocked or has maintained skin contact on a person's wrist after being unlocked. (As most Apple Watches are when being worn.)
Then you perform one step -- you open the heart rate app on your watch, and wait until it measures the heart rate and settles into a "rhythm" of detecting your heart beat. Then, you remove the watch from your wrist. It likely will not lock despite being removed from your wrist.
There are certain aspects to this that I have not fully determined yet, and which I am hoping others can test. For instance, it does seem that the timing of when you last unlocked your watch has something to do with this. It seems that if you haven't unlocked your watch in a long while, this glitch/exploit won't work at first.
If it doesn't work for you at first, lock your watch, unlock it, and test it again. It will work the second time.
Is this Normal Expected Behavior?
I don't think so. I have never read that Apple intended for the Apple Watch to be able to be removed from your wrist without it locking. If this is intentional, it seems like a bad idea.
From a personal standpoint, regardless of when I last unlocked my watch, there is no moment when I feel that it's OK for the watch to be off my wrist and remain unlocked. If I want it to be off my wrist and unlocked, I would remove the watch (and it would lock) and then I would enter the passcode on my watch. I do not believe Apple ever intended for the watch to remain unlocked despite a total break in skin contact and without entering a passcode.
What are the Concerns?
Well, maybe it's unlikely, but the glitch could theoretically be exploited by anyone, within moments, once the technique is known. And, the exploit can be re-used indefinitely, to allow the Apple Watch to be swapped from person to person over and over without it locking. (Unless eventually disabled by Find my iPhone.)
Here is one possible real world problem that could occur: If this exploit becomes known, criminals could demand that Apple Watch owners give their watch to them against their will. Before taking the watch off, the criminal could perform some simple software actions, then they can use the unlocked watch and gain access to all its functions. Yes, it is always true that a criminal could demand that you provide your passcode, but this would theoretically allow theft without the passcode.
Another possible scenario includes removing the watch from a sleeping or unconscious person's wrist, and using the device without permission (and without knowing the passcode).
Once the Apple Watch needs to be charged, I believe that would terminate the exploit. However, that remains a serious security problem. I believe it could be fixed with a software fix.
Why Did I Post Publicly?
I attempted to contact Apple about this, and spoke to someone with Apple "Executive Relations" but to be honest they did not seem to believe me. They refused to put me in touch with the security team that is handling zero-day bugs and exploits and paying bounties for these discoveries, and said that team operates by invite only. They would not even refer me.
Therefore, I'm publishing this in the hopes that others can test this as well, and we can determine the extent of this glitch/exploit.