Pages

Tuesday, January 29, 2019

The Apple Watch Security Hole

I missed a reasonably important call at work, and finally decided to start wearing my Series 2 Apple Watch (that I’d gotten last year mainly for running) daily for the more obvious notifications it provides – I usually have my ringer off on my phone, and have the LED flash instead.

In the time I’ve worn the Apple Watch, I’ve noticed two reasonably large security holes.

The first is that the Watch unlocks my MacBook from a surprisingly long ways away. I’ve had someone open my laptop and felt the buzz on my wrist from 10–15 feet away. The buzz on my wrist isn’t particularly strong, and, let’s face it, the laptop is still unlocked, potentially out of my sight. If I can undo the login with the watch, that UI is not clear. I’m assuming I can’t.

That’s a problem. This doesn’t quite fit any of the three forms of authentication

  • There’s nothing I know (like a password),
  • Nothing I am (like a fingerprint), and
  • Not exactly anything I have either (passcode or, in this case, watch).

You just have to be near something I have. Not great.

The second is that, with my watch, my MacBook can now be opened with a four-digit code. I know, I know, we’re now at two forms of auth, something I know (code) and something I have (watch), but I often put my watch down in the middle of the day to have it charge for a few minutes rather than charge it at night. It’d be easy for someone to pick it off the charger, type in four quick digits they caught me entering after charging the day before, and be off. (And I think any reasonably competent pickpocket could lift my single-stud Apple Watch from me.)

It looks like you can use a 5 to 10 digit passcode, which I suppose I should consider. I wonder how many watch owners have noticed that option. I'm sure it was there, but I missed it when I set up my watch. Not sure I'd've thought to use it either before I thought about the flip side of unlocking my Mac.

In any event, the bottom line is that if you like to use your watch to unlock your Mac, you’ve just made your potentially T2-chip-enabled box a lot less secure.