Watch OS 1.0 lacks the necessary security features to dissuade thieves

By , May 13, 2015


The Apple Watch contains security measures to prevent thieves from accessing your data, but it doesn’t include the necessary features to dissuade thieves from trying to steal your device to begin with.

The problem stems from the lack of an Activation Lock-like feature on Watch OS 1.0.

Unlike the iPhone, if someone steals your Apple Watch, they can easily reset the device (bypass the passcode), and pair it with a new iPhone logged in to a different iCloud account. In other words, it’s totally feasible to steal an Apple Watch and set it up on a different device as if you just purchased it from an Apple Store.

As my colleague Timothy Reavis pointed out earlier in our backchannel chatroom, the Apple Watch has a security problem that we haven’t had to worry about for almost two years on iOS. It’s not a security problem from a user data standpoint, but it is a security issue from a device theft standpoint.

The fact that the Apple Watch lacks Activation Lock is an encouragement to thieves. It means that they stand to make a higher profit, as the device that they’re stealing is totally usable for whoever decides to buy the stolen property. Even if the thief doesn’t plan on reselling the Apple Watch, they can simply decide to use it with their own iPhone.

One could make the argument that we dealt with this problem on the iPhone for years, and that’s true. But now that we’ve had Activation Lock for almost two years on iOS, it feels like a step backwards.

What is Activation Lock?

Activation Lock is a feature first introduced in iOS 7 that prevents an iOS device from being activated after being reset without first disabling Find My iPhone. It was a direct response to the alarming number of iPhone thefts at the time.

With Activation Lock, the only way to disable Find My iPhone is to enter the username and password used to enable the feature, regardless of whether the device was factory reset or not.

That presents a big problem for thieves. If they can’t disable Find My iPhone, then the device can’t be activated and used as intended, thus lessening the resale value of stolen iOS devices.

The feature has been a large success, as figures state that thefts of iPhones and iPads have been reduced significantly since the security measure was introduced. In fact, as a result of Activation Lock, iPhone thefts have dropped as much as 50% in some locales, much to the delight of governmental authorities.

How a thief can reset your Apple Watch

Sadly, the Apple Watch software has no such security measure at this point. It’s extremely easy to reset an Apple Watch to default settings, bypassing the passcode, and pair it with a different iPhone.

In fact, I simulated this by resetting my own Apple Watch that was paired with my iPhone 6 Plus, and paired it with my iPhone 5s which is signed in using a different Apple ID.

Needless to say, I was able to get my Apple Watch paired and working on a new device without any stumbling blocks. There was no request to verify the Apple ID that I was using previously, and absolutely nothing present in Watch OS 1.0 to prevent a thief from stealing my watch, resetting it, and pairing it with their own device.


Since news about Activation Lock, or the lack thereof, likely travels fast among thievery circles, it’s important to keep an eye on your Apple Watch and keep yourself out of precarious situations if at all possible.

A possible solution

True, the Apple Watch doesn’t have the ability to establish its own dedicated Wi-Fi or cellular connection, so a proper Find My iPhone-like solution isn’t in the cards. At the very least, it would seem that Apple could make it so that the device checks against the Apple ID of the last paired device, and requires the proper credentials before un-pairing with that device.


Since the Apple Watch requests your Apple ID after pairing with your iPhone, perhaps Watch OS could store that ID, and request its password whenever someone attempts to un-pair from the iPhone or reset the device. Obviously, that’s a very high-level explanation of a potential solution to the problem, and Apple engineers will have to figure out the particulars of the solution.
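The difference between the current behaviour and the proposed check can be modelled in a few lines. This is an added sketch, not Apple's design or code from this article: the `Watch` class, its method names and the sample accounts are hypothetical, the check is placed at re-pairing the way Activation Lock places it at activation, and the password is verified against a locally stored PBKDF2 verifier as a simplifying assumption (a real design would verify against the account service).

```python
import hashlib
import hmac
import os


class Watch:
    """Toy model. lock_enabled=False mirrors the Watch OS 1.0 behaviour the
    article describes; lock_enabled=True adds the proposed owner check."""

    def __init__(self, lock_enabled):
        self.lock_enabled = lock_enabled
        self.user_data = {}   # erased by a reset
        self.owner = None     # (apple_id, salt, verifier); meant to survive a reset

    @staticmethod
    def _verifier(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _proves_ownership(self, password):
        _, salt, expected = self.owner
        if password is None:
            return False
        return hmac.compare_digest(self._verifier(password, salt), expected)

    def reset(self):
        """Erase all content and settings; the passcode is not needed."""
        self.user_data.clear()
        if not self.lock_enabled:
            self.owner = None  # nothing left that ties the watch to its owner

    def pair(self, apple_id, password, owner_password=None):
        """Pair with an iPhone signed in as apple_id; returns True on success."""
        if self.lock_enabled and self.owner is not None:
            same_account = apple_id == self.owner[0]
            proof = password if same_account else owner_password
            if not self._proves_ownership(proof):
                return False
        salt = os.urandom(16)
        self.owner = (apple_id, salt, self._verifier(password, salt))
        return True


def reset_then_pair(lock_enabled, owner_password=None):
    """Owner pairs, watch is reset, then a different Apple ID tries to pair."""
    watch = Watch(lock_enabled)
    watch.pair("owner@example.com", "constructed-owner-pw")
    watch.user_data["messages"] = ["constructed sample"]
    watch.reset()
    paired = watch.pair("other@example.com", "constructed-other-pw", owner_password)
    return paired, watch.user_data
```

In both modes the reset wipes the user data, which matches the article's point that data protection and theft deterrence are separate properties; only the owner record that survives the reset changes whether a different account can pair.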

In the meantime

The positive spin that we can put on this is that the Apple Watch does protect your data. If you have a passcode lock on the device, which we wholeheartedly recommend, at least it will prevent the thief from accessing your personal data on the device.

As to when Apple will implement some sort of security measure like Activation Lock in Watch OS, I’d say it’s only a matter of time. Remember, it took Apple many years before it finally added Activation Lock to the iPhone and iPad with iOS 7, so while it’s disappointing not to have an equivalent feature on Watch OS 1.0, we should keep in mind that the iPhone was just as vulnerable a mere two years ago.

Hopefully it won’t take six additional iterations of Watch OS to implement the necessary security features, but until that time comes, be safe out there, my friends.

What do you think?

  • Imad Ghandour

    Honestly this is unsettling, unlike iOS, which has Activation Lock. However, since at this point we can’t connect the Apple Watch to a computer, is there any other way really to reset an Apple Watch without this method?! It isn’t like you can put it in DFU mode and restore it… and to my knowledge (I don’t know if this is true) it is not possible to pair an Apple Watch to a phone if locked or after entering the passcode too many times, correct?

  • James G

    They’ll fix this eventually. My guess is they just didn’t include it in the first shipped Watch OS so they could get it out. Probably a lower priority.

    But thanks for letting thieves know. Jk.

  • pnh

    It’s also a little harder to steal a watch that should be secured to your wrist than a phone which you may have lying on a table.

    • Kyle Warwick-Mathieu

      Good point. A watch can’t easily be stolen as a phone can because your watch is always on you unless you are someone who leaves their watch lying about

      • Rehat Kathuria

        Watch thieves are just as prevalent as phone thieves. They’ve been around a lot longer than phones have.

  • White Michael Jackson

    Nice first person I see with a gold edition, I’m knocking them out, wiping the data and selling it on craigslist.

  • asch3n

    Thanks for posting about this, definitely something to make people out there aware of. Hopefully a similar feature to activation lock will be added in the next couple months.

  • Shin0bi71

    Thanks for the insight Jeff I was wondering about this issue with my apple watch

  • mjtomlin

    This is a ridiculous rant… Do current watches have an anti-theft security feature? No they don’t. Why should the Apple Watch? The data on all iOS devices are automatically encrypted when you set a passcode, this is true for the Apple Watch as well.

    • Michel Plungjan

      Not necessarily that ridiculous. The Apple Watch is very recognisable and with the knowledge that it can be easily reset, a bigger target than a Seiko or a possibly fake Panerai…

      • baerjamin

        It is THAT ridiculous! If there is an expectation that there be an anti-theft protection on my Apple Watch then why don’t we have the very same expectation for a Patek Philippe? Those watches go for $50K+! The only expectation anyone with a smart watch should have is that their data is safe. I have no expectation that because I bought a Sony TV for $3,000 that Sony makes sure there is technology in the set that, if stolen, makes it unusable. This article and the expectations it sets are absolutely insane.

      • Chao Yang

        Dude… how likely is your Sony TV to be stolen? A thief needs to break into your house first, then take it with them without being noticed by other people. How much of your personal data is stored on your TV anyway? And how much of your personal stuff is on your Apple Watch? If the Apple Watch is a more personal device than the iPhone, it needs more security measures than the iPhone. This rant is not really silly. Would you say this is necessary when Apple adds this feature in later days?

  • Dhoklastellar Fafda®™

    Hey Jeff, did you look at the flip side? Suppose your paired iPhone got lost/destroyed? Does that mean the watch also gets ‘locked’? That means Apple gets saddled with requests from legitimate and illegitimate watch owners – “unlock my watch please”

    So no, no activation lock needed on a watch. But a remote lockdown from the iPhone (so that your watch is not used to make payments) would be very helpful.

    • Eugene Kim

      Don’t think you read the article. Read the second to last section titled “A Possible Solution”.

  • Gregg

    BREAKING NEWS: Watchmakers Worldwide Realize Their Watches Could Be Stolen and Not Recovered.

    The Canadian Press
    Published Thursday, May 14, 2015 5:20AM EDT
    Last Updated Thursday, May 14, 2015 10:41AM EDT

    Geneva, Switzerland — Swiss watchmakers and their suppliers were horrified to find out through a blog post that their product, too, could be stolen. To the customers’ dismay, they did not have “Find My Patek Philippe” or “Find My Swatch” apps.

    “I really don’t know what to do”, said one Rolex owner. “I purchased my quality watch from a street vendor when visiting New York City last month. I did not realize that if someone stole my watch, I could not track it on the Internet.” Similar thoughts were expressed by many shoppers at Walmart and Target.

    A consortium of Swiss watchmakers felt like they were caught with their pants down, because they did not foresee this terrible lapse in security. Apple could not be reached for comment.

  • baerjamin

    This is completely a red herring. As long as the thief doesn’t get access to my data the entire expectation that a thief can steal my watch and reset it and then use it is, well, not an unusual expectation. This is an identical expectation for a non-smart watch as it is for my car, my clock radio, my washer and dryer and pretty much everything else I own. Again, as long as they don’t get my data I’m not sure I’d get all upset at Apple or anyone else over this. This is very much unlike a phone with a data at rest problem.

    Besides 99% of the time the watch is attached to my wrist so I’m fairly certain that it’s unlikely to get stolen in the first place…

  • You forgot the part about how the thief also needs to steal your iPhone. From the Apple support site under ‘Sell, give away, or lose Apple Watch’: “If you try to erase Apple Watch when it’s out of range of iPhone, it will be erased if it comes back into range.” I notice you didn’t mention anything about your iPhone 6 Plus being in airplane mode, so I’m guessing it was on and in range. Granted, if someone also steals your iPhone (and Watch charging cable), this doesn’t help much, but it blocks this overly simplified approach.

  • Marcelo

    Apple could implement Find My iPhone on the Apple Watch by allowing the Watch to use any other iPhone’s Bluetooth to send news of where it is. Tile does that for their tags, where Tile apps installed on any other user’s phone can send information about your tags to the cloud. The chances that the stolen watch will always be close to an iPhone are not small and the ‘iPhone network’ could give away the location as the Watch moves around the globe.

  • Activation lock is great feature which led to reduced iPhone thefts. The solution suggested above makes sense. Hope Apple adds an update with the solution.

  • No need to be passive aggressive about it. We are well aware of this so-called feature as we actually posted about it a few days ago. Regardless of Apple having a support document about it, they still should make it harder (impossible?) for someone to restore your watch without having to enter any kind of password.

  • bcollett

    There are way more watches that are way more expensive than the Apple Watch. Watch thieves won’t waste their time – only the gold models would be worth the effort.