A video published by the Gadget Hacks team has demonstrated how a stolen Apple Watch could be used by the thief to make payments through Apple Pay without authenticating the transactions in any way — as long as they are quick.
The timing vulnerability is made possible by Apple’s use of the heart rate sensor on the back of the device to detect when the watch is being worn. When the watch is taken off the wrist it locks and prompts the user to enter a passcode to unlock it again. However, there is a one-second delay between the watch leaving the wrist and the device locking, and it is this short window that the hackers exploit.
Within that window, the Gadget Hacks team managed to move the watch from one wrist to another without it locking, so they were able to make payments through Apple Pay without entering a passcode.
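Added illustration, not code from the article or from Gadget Hacks: a hypothetical model of a wrist-detection lock with a grace window (Apple's actual implementation is not described on this page). It replays skin-contact readings and shows that a loss of contact shorter than the grace window leaves the payment session usable, while either a zero grace window or demanding a passcode for payments after any contact interruption (both assumed mitigations) closes that gap.

```python
GRACE_SECONDS = 1.0  # the one-second off-wrist window the article describes


def replay(events, now, grace=GRACE_SECONDS, hardened=False):
    """Hypothetical wrist-lock model (assumption, not Apple's logic).

    events: iterable of (timestamp_seconds, skin_contact) readings,
            starting from an unlocked, worn state at t=0.
    now:    time at which a payment is attempted.
    grace:  seconds of lost contact tolerated before the watch locks.
    hardened: if True, any interruption of contact since the last
              unlock requires a passcode for payments, even if the
              watch itself is still within its grace window.
    Returns (watch_unlocked, payment_allowed).
    """
    unlocked = True
    lost_at = None       # when the current contact gap began
    interrupted = False  # has contact been lost at all since unlock?
    for t, contact in sorted(events):
        if not unlocked:
            break
        if not contact:
            if lost_at is None:
                lost_at = t
                interrupted = True
        else:
            # Contact regained: lock only if the gap outlasted the grace window.
            if lost_at is not None and t - lost_at >= grace:
                unlocked = False
            lost_at = None
    # Contact still absent at payment time: lock once the grace window expires.
    if unlocked and lost_at is not None and now - lost_at >= grace:
        unlocked = False
    payment_allowed = unlocked and not (hardened and interrupted)
    return unlocked, payment_allowed


# Constructed sample: contact lost at t=0, regained on another wrist at t=0.6.
WRIST_SWAP = [(0.0, False), (0.6, True)]

if __name__ == "__main__":
    print("grace window only:", replay(WRIST_SWAP, now=5.0))
    print("payments re-auth: ", replay(WRIST_SWAP, now=5.0, hardened=True))
    print("zero grace:       ", replay(WRIST_SWAP, now=5.0, grace=0.0))
    print("left on a table:  ", replay([(0.0, False)], now=2.0))
```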
“The basic idea behind its security is that the watch can detect when it is removed from a wrist, and automatically requires a passcode to be entered if removed,” Wonder How To explains. “So, we set out to trick the sensor into thinking it’s still on a wrist while removing it.
“Taking that a step further, we wanted to see if we could use this exploit to bring up Apple Pay and make purchases with someone else’s card. We’ll cut right to the chase — we got it to work without much effort.”
A video shows how the Gadget Hacks team completed a “fraudulent” transaction using Apple Watch:
“What this means is simple; someone could potentially steal your watch by simply grasping it by the back to gain access to the information stored on it,” the publication continues. “This exploit is even easier with the pricier leather loop and Milanese loop magnetic bands as they slip loose with minimal effort.”