Put the knife down and take a green herb, dude. (c) Ruffin Bailey 2001-2021

I missed a reasonably important call at work, and finally decided to start wearing my Series 2 Apple Watch (that I’d gotten last year mainly for running) daily for the more obvious notifications it provides – I usually have my ringer off on my phone, and have the LED flash instead.

In the time I’ve worn the Apple Watch, I’ve noticed two reasonably large security holes.

The first is that the Watch unlocks my MacBook from a surprisingly long ways away. I’ve had someone open my laptop and felt the buzz on my wrist from 10–15 feet away. The buzz on my wrist isn’t particularly strong, and, let’s face it, the laptop is still unlocked, potentially out of my sight. If I can undo the login with the watch, that UI is not clear. I’m assuming I can’t.

That’s a problem. This doesn’t quite fit any of the three forms of authentication –

There’s nothing I know (like a password),
Nothing I am (like a fingerprint), and
Not exactly anything I have either (passcode or, in this case, watch).

You just have to be near something I have. Not great.

The second is that, with my watch, my MacBook can now be opened with a four-digit code. I know, I know, we’re now at two forms of auth, something I know (code) and something I have (watch), but I often put my watch down in the middle of the day to have it charge for a few minutes rather than charge it at night. It’d be easy for someone to pick it off the charger, type in four quick digits they caught me entering after charging the day before, and be off. (And I think any reasonably competent pickpocket could lift my single-stud Apple Watch from me.)

It looks like you can use a 5 to 10 digit passcode, which I suppose I should consider. I wonder how many watch owners have noticed that option. I'm sure it was there, but I missed it when I set up my watch. Not sure I'd've thought to use it either before I thought about the flip side of unlocking my Mac.

In any event, the bottom line is that if you like to use your watch to unlock your Mac, you’ve just made your potentially T2-chip-enabled box a lot less secure.

Labels: apple, apple watch, security

title: Put the knife down and take a green herb, dude.	descrip: One feller's views on the state of everyday computer science & its application (and now, OTHER STUFF) who isn't rich enough to shell out for www.myfreakinfirst-andlast-name.com Using 89% of the same design the blog had in 2001.
FOR ENTERTAINMENT PURPOSES ONLY!!! Back-up your data and, when you bike, always wear white. As an Amazon Associate, I earn from qualifying purchases. Affiliate links in green.
x MarkUpDown is the best Markdown editor for professionals on Windows 10. It includes two-pane live preview, in-app uploads to imgur for image hosting, and MultiMarkdown table support. Features you won't find anywhere else include... MarkUpDown Multiline Table & Bootstrap Grid support. Beautiful Easy Actions that keep the Markdown flowing. HTML paste to paste HTML source into your documents. You've wasted more than $15 of your time looking for a great Markdown editor. Stop looking. MarkUpDown is the app you're looking for. Learn more or head over to the 'Store now!

Tuesday, January 29, 2019
The Apple Watch Security Hole I missed a reasonably important call at work, and finally decided to start wearing my Series 2 Apple Watch (that I’d gotten last year mainly for running) daily for the more obvious notifications it provides – I usually have my ringer off on my phone, and have the LED flash instead. In the time I’ve worn the Apple Watch, I’ve noticed two reasonably large security holes. The first is that the Watch unlocks my MacBook from a surprisingly long ways away. I’ve had someone open my laptop and felt the buzz on my wrist from 10–15 feet away. The buzz on my wrist isn’t particularly strong, and, let’s face it, the laptop is still unlocked, potentially out of my sight. If I can undo the login with the watch, that UI is not clear. I’m assuming I can’t. That’s a problem. This doesn’t quite fit any of the three forms of authentication – There’s nothing I know (like a password), Nothing I am (like a fingerprint), and Not exactly anything I have either (passcode or, in this case, watch). You just have to be *near* something I have. Not great. The second is that, with my watch, my MacBook can now be opened with a four-digit code. I know, I know, we’re now at two forms of auth, something I know (code) and something I have (watch), but I often put my watch down in the middle of the day to have it charge for a few minutes rather than charge it at night. It’d be easy for someone to pick it off the charger, type in four quick digits they caught me entering after charging the day before, and be off. (And I think any reasonably competent pickpocket could lift my single-stud Apple Watch from me.) It looks like you can use a 5 to 10 digit passcode, which I suppose I should consider. I wonder how many watch owners have noticed that option. I'm sure it was there, but I missed it when I set up my watch. Not sure I'd've thought to use it either before I thought about the flip side of unlocking my Mac. In any event, the bottom line is that if you like to use your watch to unlock your Mac, you’ve just made your potentially T2-chip-enabled box a lot less secure. Labels: apple, apple watch, security posted by ruffin at 1/29/2019 08:15:00 AM

<< Older \| Newer >>