The Apple Watch contains security measures to prevent thieves from accessing your data, but it doesn’t include the necessary features to dissuade thieves from trying to steal your device to begin with.
The problem stems from the lack of an Activation Lock-like feature on Watch OS 1.0.
Unlike the iPhone, if someone steals your Apple Watch, they can easily reset the device (bypass the passcode), and pair it with a new iPhone logged in to a different iCloud account. In other words, it’s totally feasible to steal an Apple Watch and set it up on a different device as if you just purchased it from an Apple Store.
As my colleague Timothy Reavis pointed out earlier in our backchannel chatroom, the Apple Watch has a security problem that we haven’t had to worry about for almost two years on iOS. It’s not a security problem from a user data standpoint, but it is a security issue from a device theft standpoint.
The fact that the Apple Watch lacks Activation Lock is an encouragement to thieves. It means that they stand to make a higher profit, as the device that they’re stealing is totally usable for whoever decides to buy the stolen property. Even if the thief doesn’t plan on reselling the Apple Watch, they can simply decide to use it with their own iPhone.
One could make the argument that we dealt with this problem on the iPhone for years, and that’s true. But now that we’ve had Activation Lock for almost two years on iOS, it feels like a step backwards.
What is Activation Lock?
Activation Lock is a feature first introduced in iOS 7 that prevents an iOS device from being activated after being reset without first disabling Find My iPhone. It was a direct response to the alarming amount of iPhone thefts at the time.
With Activation Lock, the only way to disable Find My iPhone is to enter the username and password used to enable the feature, regardless if the device was factory reset or not.
That presents a big problem for thieves. If they can’t disable Find My iPhone, then the device can’t be activated and used as intended, thus lessening the resale value of stolen iOS devices.
The feature has been a large success, as figures state that thefts of iPhone and iPads have been reduced significantly since the security measure was introduced. In fact, as a result of Activation Lock, iPhone thefts have dropped as much as 50% in some locales, much to the delight of governmental authorities.
How a thief can reset your Apple Watch
Sadly, the Apple Watch software has no such security measure at this point. It’s extremely easy to reset an Apple Watch to default settings, bypassing the passcode, and pairing it with a different iPhone.
In fact, I simulated this by resetting my own Apple Watch that was paired with my iPhone 6 Plus, and paired it with my iPhone 5s which is signed in using a different Apple ID.
Needless to say, I was able to get my Apple Watch paired and working on a new device without any stumbling blocks. There was no request to verify the Apple ID that I was using previously, and absolutely nothing present in Watch OS 1.0 to prevent a thief from stealing my watch, resetting it, and pairing it with their own device.
Since news about Activation Lock, or the lack thereof, likely travels fast among thievery circles, it’s important to keep an eye on your Apple Watch and keep yourself out of precarious situations if at all possible.
A possible solution
True, the Apple Watch doesn’t have the ability to establish its own dedicated Wi-Fi or cellular connection, so a proper Find My iPhone-like solution isn’t in the cards. At the very least, it would seem that Apple could make it so that the device checks against the Apple ID of the last paired device, and requires the proper credentials before un-pairing with that device.
Since the Apple Watch requests your Apple ID after pairing with your iPhone, perhaps Watch OS could store that ID, and request its password whenever someone attempts to un-pair from the iPhone or reset the device. Obviously, that’s a very high-level explanation of a potential solution to the problem, and Apple engineers will have to figure out the particulars of the solution.
In the meantime
The positive spin that we can put on this is that the Apple Watch does protect your data. If you have a passcode lock on the device, which we wholeheartedly recommend, at least it will prevent the thief from accessing your personal data on the device.
As to when Apple will implement some sort of security measure like Activation Lock in Watch OS, I’d say it’s only a matter of time. Remember, it took Apple many years before it finally added Activation Lock to the iPhone and iPad with iOS 7, so while it’s disappointing not to have an equivalent feature on Watch OS 1.0, we should keep in mind that the iPhone was just as vulnerable a mere two years ago.
Hopefully it won’t take six additional iterations of Watch OS to implement the necessary security features, but until that time comes, be safe out there my friends.
What do you think?