Wednesday, 13 May 2015

The Apple Watch is basically hacker proof

New flashy Apple device, new potential for trouble. Or is it?
Honest, upstanding citizens like you probably see the Apple Watch as a beautiful hybrid of jewelry and technology. But like anything that's shiny, expensive, and contains sensitive information like your credit card details, the Apple Watch is prone to being targeted by miscreants.

But a few obstacles stop thieves and hackers from getting to your sensitive data pretty effectively. And as it turns out, the Apple Watch is essentially hacker proof.

Senior security researcher Patrick Nielsen from Kaspersky Labs spoke with Business Insider, saying that "the Apple Watch's biggest security benefit is that it's so minimal. A lot of the processing that goes on on the Watch is actually happening on the iPhone," meaning that your iPhone holds and handles most of the sensitive information that a data thief would want. The Watch essentially functions as a secondary wrist-worn display for your iPhone rather than acting as a standalone device.

Right off the bat, a data thief should theoretically have much more interest in your iPhone than your Apple Watch.

However, Nielsen noted that there are some exceptions, like your Apple Pay credentials, which are stored locally on the Watch and let you make mobile payments without your iPhone.

"It's theoretically possible for someone to steal an Apple Watch and steal your Apple Pay credentials," he says.

Realistically, however, a data thief would need to guess your passcode just to unlock your Watch after it's been taken off your wrist before using your Apple Pay. That's because the Watch's sensors detect whether or not it's in contact with skin. It'll remain unlocked as long as it's on your wrist, but it'll lock itself the moment you take it off and it'll request a passcode to unlock it again.
The Apple Watch can't do anything but tell you the time until you enter the passcode after strapping it on. After you enter your passcode, it remains authenticated so you don't have to worry about punching the code in every time you want to do something. It's actually an easier way to use Apple Pay because you don't have to go through the extra step of authenticating the payment with your fingerprint. It also enables you to use Apple Pay on the iPhone 5 and 5C, which don't have fingerprint sensors.

While the Watch's passcode is secure and extremely difficult to break through, Nielsen says "the biggest security weakness of the Watch is the user's choice of passcode. It's not exactly rare for people to use pin codes like 1234, an astonishing amount of people still use those common permutations."

Thieves have up to 10 attempts to get the passcode right. It might not seem like a lot, but that's 10 chances for a thief to try the 10 most common passcodes, which anyone can find with a quick internet search.

But if someone guesses wrong all 10 times, the Watch erases any stored data and locks itself into a pricey paperweight that's of no use to a data thief.

Even if a thief guesses your passcode, or if he/she obtained it from you by force or sleight of hand, you can wipe your Apple Pay data from the Apple Watch remotely by logging into your iCloud account from your iPhone or computer.

There's also a slightly less delicate way of getting to your sensitive data by using brute force. A hacker could use a brute-force attack with a hacking computer to decipher the encrypted passcode. But Nielsen says such a process is time consuming, extremely difficult, results in the Watch becoming "compromised" (a nice way of saying destroyed), and only a few people have the ability to do so.

Apart from poor passcodes or gutting your Apple Watch medieval-style, there's a way for hackers to exploit your data without your knowing.

According to Nielsen, it's possible for eavesdroppers to intercept the Bluetooth or Wi-Fi communications between an Apple Watch and your iPhone, and potentially access and manipulate any and all information that travels between the two devices.

However, he reassures that "major problems with the communications method used by the Watch and iPhone" are not known at this time, "but given the complexity of the protocols and software, it is likely that problems will be discovered in the future, and will be remedied through operating system updates."

Just to be safe, Nielsen suggests:

Never do the initial setup/pairing of your devices in public. In general, for new smart devices, the most security-sensitive phase is the setup/pairing phase.
Don't connect to public or other untrusted Wi-Fi networks unless absolutely necessary. Public Wi-Fi networks are convenient, but their security is a mess.
Make sure you install operating system updates as soon as they come out. Most of the time, these contain critical security fixes that prevent newly discovered attacks against the device.
And for the love of technology, please set up a strong passcode.
