Apple Watch theft report: Is the Apple Watch secure, and how easy is it to reset and use a stolen Apple Watch?

Is the Apple Watch a theft risk? We look at the hardware and software security on the Apple Watch

Is the Apple Watch secure? I've heard that it's a theft or mugging risk, but how hard would it be for a thief to reset the Apple Watch and sell it on?

Security is a big concern for many Apple Watch owners. If you're going to spend £300 or more on a new Apple device you don't want to lose it, or have it stolen. So just how secure is the Apple Watch, and how much of a challenge would it present to a thief?

We've been putting the Apple Watch to the test for a few days. There's the physical security inherent in a wearable device; then there's data loss, which for some people is more important than other factors. (As journalists we're privy to a few secrets, though nothing earth-shattering, but some people work in jobs where losing data is a criminal offence.) Do Apple Watch owners need to worry, and what can they do to improve the device's security?


How secure is the Apple Watch?

First, let's talk a little about physical security. The Apple Watch Sport model's band clasps around your wrist, clips on to a small metal stud and tucks through a hole in the strap. This is the most popular model, and it's surprisingly easy to remove - although it doesn't fall off no matter how much you fling it around.

Other Apple Watch straps use magnetic clasps or traditional buckles, and palming these off would call for tremendous skill from a potential pickpocket.

So much for the physical stage of theft. But a more important consideration is whether a thief can use the watch once it's stolen, and this depends on the passcode lock.

Apple Watch: Using a passcode lock

The Apple Watch interface is protected by a four-digit passcode that Apple heavily suggests you use during setup. (Alternatively, you can set a longer passcode, but this will be input on the iPhone rather than the Apple Watch.) You can skip the passcode, but we imagine most people will use one.

The passcode is requested when you first put the Apple Watch on, and the Apple Watch remains unlocked while you are wearing it. The sensors on the back of the Apple Watch detect when it is being worn, and the watch uses this as its cue to request a passcode or allow you to continue as normal. Once you've removed the watch, it requests the passcode next time it wakes up.

Apple Watch sensor security flaw

Somebody recently discovered a flaw in the Apple Watch's 'no passcode while worn' system. If you take an Apple Watch off someone's wrist but keep your fingers on the rear of the device, then the Apple Watch thinks it's still being worn. You don't need to hold it in any particularly accurate or skillful way, either: just keep your fingers loosely around the rear of the Apple Watch and it won't request the passcode.

This is a concern by itself, but what made matters more serious was that selecting Settings > General > Reset > Erase All Contents and Settings would completely wipe the device, enabling a thief to easily sell it on.

Apple has fixed this latter flaw, although the ultra-security-conscious should know that it's still possible to briefly check the contents of the Apple Watch using the sensor trick - at least while they're still in range of your iPhone. Spies and civil servants might want to worry about the loss of any vital data on their smartwatch, but the rest of us don't really need to worry on this account.

Apple Watch passcode and the Watch OS 1.0.1 security update

Apple has issued a recent update to the Apple Watch that fixes the sensor security flaw. We updated to Watch OS 1.0.1 and tested it out. The Apple Watch now requests the four-digit passcode to perform a wipe & reset regardless of whether it's being worn or not.

Prior to the Watch OS 1.0.1 update we were able to remove an Apple Watch from somebody's wrist and reset it without knowing their passcode. We can't now repeat this trick.

Apple's clearly moving fast to prevent a "Watchgate" incident from forming.
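The lock behaviour described above, before and after the update, as a toy model added here for illustration. It is not Apple's code; the class, field and function names and the passcode value are all hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Watch:
    passcode: str
    reauth_for_erase: bool       # False models pre-1.0.1, True models 1.0.1
    skin_contact: bool = False   # what the rear sensors report
    unlocked: bool = False
    erased: bool = False

    def put_on(self, entered: str) -> bool:
        """Putting the watch on: contact is detected, passcode requested once."""
        self.skin_contact = True
        self.unlocked = (entered == self.passcode)
        return self.unlocked

    def sensor_update(self, contact: bool) -> None:
        """Losing contact locks the watch; any contact keeps it unlocked."""
        self.skin_contact = contact
        if not contact:
            self.unlocked = False

    def can_view_content(self) -> bool:
        return self.unlocked

    def erase_all(self, entered: Optional[str] = None) -> bool:
        """Settings > General > Reset > Erase All Contents and Settings."""
        if self.reauth_for_erase:
            allowed = (entered == self.passcode)   # passcode always required
        else:
            allowed = self.unlocked                # trusts the 'worn' state
        if allowed:
            self.erased = True
        return allowed

def removed_with_contact_kept(reauth_for_erase: bool) -> dict:
    """Owner unlocks, then the watch leaves the wrist with contact unbroken."""
    w = Watch(passcode="4821", reauth_for_erase=reauth_for_erase)  # constructed
    w.put_on("4821")
    w.sensor_update(contact=True)   # sensors cannot tell fingers from a wrist
    return {"content_visible": w.can_view_content(),
            "erased_without_passcode": w.erase_all()}
```

In both versions the content stays visible while contact is kept; only the erase path changes, because it no longer relies on the worn state as proof of the owner's presence.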

Is it possible to crack an Apple Watch passcode?

At the moment we know of no way to crack the four-digit Apple Watch passcode, although we imagine security experts are testing it. The Apple Watch does contain a hidden 6-pin diagnostic port underneath the strap. This may enable nefarious souls (or more likely, forensics experts) to connect to the device and crack the passcode.


As far as we know, there is no software available that can bypass the four-digit code on an Apple Watch, although it's only a matter of time. This software tends to be highly regulated and is hard to get hold of. Also, you have to be highly skilled to use it (it's not a common fate for stolen Apple devices to be hacked).

If you are particularly concerned then choose a 10-digit passcode. This will be much harder - practically impossible, even - for a cracker to get past once they have your Apple Watch.


Stories by Lou Hattersley
