Following the publication of a U.S. patent that mentioned a fingerprint sensor for the Apple Watch, rumors have been rife that Touch ID will be coming to the wearable soon. If you’ve just received a gift of an Apple Watch 5, then rumors won’t help you secure it (or an Apple Watch 3 or 4 for that matter) from those who would use it to unlock other devices, perform Apple Pay transactions or access data. These tips, however, will.
Do you need to secure your Apple Watch?
Although one recent study has suggested that Apple is less trustworthy than Google when it comes to data encryption, that is something of an outlier. Apple has a pretty decent security record when it comes to the iPhone and its iOS operating system when compared to relatively insecure Android devices. Not that the iPhone is immune from device-specific malware, as the iPhone-only Krampus campaign demonstrates. The Apple Watch, however, doesn’t run on iOS; it uses the iOS-derived WatchOS instead.
So, is WatchOS free from any security issues? Well, if you check the security vulnerability database at CVE Details, you will see plenty of problems that could specifically impact WatchOS. There are 473 vulnerabilities listed in total, ranging from the low severity to the critical. But don’t panic; if you sort the results by “number of exploits,” you’ll notice there have been precisely zero for any of them. And Apple regularly updates WatchOS as it does iOS and operates a bug bounty program to reward those security researchers who uncover vulnerabilities, with a top bounty of $1.5 million (£1.15 million) on offer. So you don’t need to worry about securing it, right?
The security issues you do need to be concerned about now you are the owner of a shiny new Apple Watch Series 5 are, frankly, much the same as you face with any other mobile device. The wearable is, in practical terms, an extension of your iPhone. This means that you need to be aware of how it interacts with your iPhone and the access it provides to the smartphone itself, the data upon it and the services it facilitates.
Apple Watch security tip number one: Set a long passcode
The default four-digit PIN, what Apple refers to as a “Simple Passcode,” is not secure enough, especially as most people will likely use the same PIN for their Apple Watch as they do for their credit cards, debit cards, smartphone, SIM card, and anything else that requires a four-digit code. Password reuse is a terrible thing, and the same applies to PIN codes, which are just pretty bad passwords after all.
To strengthen your Apple Watch PIN, go to the Watch app on your iPhone and click on “Passcode” then disable the “Simple Passcode” option. After confirming your existing PIN, you will be able to set a new 10-digit code. The longer the PIN the more secure, in theory. However, the usability factor kicks in if you are using a random 10-digit code that you can’t easily remember. It’s not recommended to use memorable dates either; a threat actor will likely be able to guess these from social media information.
That said, a six-digit PIN is far more secure than the default and just as easy to remember. Or how about keeping the four-digit PIN you know off by heart and repeating it, in reverse, to create an eight-digit code? So 1234 (please don’t use that) would become 12344321. If you enable the “Erase Data” option, then another security feature kicks in: self-destruct. OK, it’s not quite that extreme, but not far off. After six incorrect PIN code attempts, the Apple Watch will initiate a 60-second delay between further attempts. Get it wrong ten times and all data will be erased from the device.
Apple Watch security tip number two: Get smart with more locking options
Either on your Apple Watch or iPhone (it’s less fiddly for those of us with fat finger syndrome to use the iPhone), make sure that the “Wrist Detection” option is toggled on. This has the effect of automatically locking your Apple Watch when you take it off, necessitating entry of that now longer PIN before unlocking.
There’s also an option to “Unlock with iPhone,” which works in combination with the wrist detection to automatically unlock your Apple Watch without needing the PIN code. As long, that is, as the iPhone is close enough to the watch, which you must be wearing. It’s another good usability option with no substantial negative impact on security for 99.9% of people 99.9% of the time. As I said before, good security must be easy to use or people find ways to get around it, which usually means they disable it altogether.
Apple Watch security tip number three: Lost Mode and Activation Lock
Every iPhone owner is familiar, I’m guessing, with the Find My iPhone iCloud feature or app, or “Find My” for iOS 13 users. If not, then get acquainted as it’s an essential part of your iPhone security posture. And that of your Apple Watch.
As well as being useful in finding your watch if you can’t remember where you left it last, Find My has some additional security-related functionality up its virtual sleeve. Things like being able to remotely wipe your data from your Apple Watch if it is permanently lost or stolen and activating “Lost Mode.” The latter will display a short custom message and number to call if someone finds your Apple Watch. More importantly, it will also disable Apple Pay which ticks a significant security concern box for most people who have lost their wearable.
You should also check that the Activation Lock function is enabled in Find My, and if it can see your watch, then it is. What does this do? How does making your Apple Watch worthless to any thief sound to you? Unless that thief knows your Apple ID and password, Activation Lock prevents them or anyone else from being able to wipe your data from the device. The result: an unsaleable Apple Watch.
For more Apple security advice, read How To Secure Your iPhone: 12 Experts Reveal 26 Essential Security Tips.
I’m a three-decade veteran technology journalist and have been a contributing editor at PC Pro magazine since the first issue in 1994. A three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) I was also fortunate enough to be named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro called ‘Threats to the Internet.’ In 2011 I was honored with the Enigma Award for a lifetime contribution to IT security journalism. Contact me in confidence at firstname.lastname@example.org if you have a story to reveal or research to share.