Possible Apple Watch/Apple Pay Security Flaw Discovered

[Maura]

BGR writes today of a worrying new security flaw that has been discovered by a blogger that appears to enable thieves to use Apple Pay on a stolen Apple Watch without having to enter the original owner’s PIN code.

The apparent vulnerability appears to be the result of the way in which the Apple Watch uses sensors to detect when the owner is wearing it, and thus eliminates the need to input the security code when the Watch is being worn, and also lets the user make payments with Apple Pay without having to input a PIN.

​

When a Watch is removed from the wrist the sensors detect this and PIN security is enabled, and this is where the possible security flaw occurs, as there is a delay of around a second when the Watch is taken off the wrist before PIN security is re-enabled. Also, the sensors can’t tell the difference between a wrist and a finger, so a thief could, in theory, snatch a Watch from someone’s wrist, then cover the sensors so that PIN security remains disabled.

As the video shows, it doesn’t work every time, but even so, it’s still a flaw that Apple will need to deal with quickly.

Source: Apple Watch Security Flaw Thieves can continue to use Apple Pay BGR

 

[scifan57]

First the thief has to spend several seconds getting the watch off of the victims wrist, without the sensors losing contact with the skin. Then they have to hold their finger on the sensors until they can put the watch on their own wrist. All this would be almost impossible to do in public without being noticed.